Bug 5375 - rpm new security issues CVE-2012-0060, CVE-2012-0061, CVE-2012-0815
Summary: rpm new security issues CVE-2012-0060, CVE-2012-0061, CVE-2012-0815
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 1
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL:
Whiteboard:
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2012-04-12 16:48 CEST by David Walser
Modified: 2012-04-22 19:23 CEST (History)
6 users

See Also:
Source RPM: rpm-4.8.1-10.3.mga1.src.rpm
CVE:
Status comment:



Description David Walser 2012-04-12 16:48:39 CEST
Mandriva has issued this advisory today (April 12):
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:056

The references contain links to RedHat Bugzilla with patches for rpm 4.8.x.
David Walser 2012-04-12 17:59:22 CEST

CC: (none) => dmorganec

David Walser 2012-04-12 17:59:33 CEST

CC: (none) => pterjan

David Walser 2012-04-12 17:59:45 CEST

CC: (none) => thierry.vignaud

Comment 1 David Walser 2012-04-12 18:00:14 CEST
Just FYI, I checked the RedHat patches and they apply cleanly.
Comment 2 David Walser 2012-04-14 02:40:06 CEST
Patched package uploaded.

Advisory:
========================

Updated rpm packages fix security vulnerabilities:

Multiple flaws were found in the way RPM parsed package file
headers. An attacker could create a specially-crafted RPM package that,
when its package header was accessed, or during package signature
verification, could cause an application using the RPM library
to crash or, potentially, execute arbitrary code (CVE-2012-0060,
CVE-2012-0061, CVE-2012-0815).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0060
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0061
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0815
https://bugzilla.redhat.com/show_bug.cgi?id=744104
https://bugzilla.redhat.com/show_bug.cgi?id=744858
https://bugzilla.redhat.com/show_bug.cgi?id=798585
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:056
========================

Updated packages in core/updates_testing:
========================
rpm-4.8.1-10.4.mga1
librpm1-4.8.1-10.4.mga1
librpm-devel-4.8.1-10.4.mga1
rpm-build-4.8.1-10.4.mga1
python-rpm-4.8.1-10.4.mga1

from rpm-4.8.1-10.4.mga1.src.rpm

Assignee: bugsquad => qa-bugs

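A quick way to check whether an installed rpm is at or above the fixed build listed in the advisory above. This is an added example, not part of the bug report or of Mageia's tooling: it uses a simplified reimplementation of rpm's segment-wise version comparison (no tilde/caret handling) and the constructed `FIXED_EVR` taken from the package list in comment 2.

```python
import re
import subprocess

# Fixed build from the advisory: (epoch, version, release). Epoch "0" is assumed (no epoch shown).
FIXED_EVR = ("0", "4.8.1", "10.4.mga1")

_SEG = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp: split into numeric/alpha segments and compare pairwise.
    Numeric segments compare as integers and beat alpha segments; the string with
    segments left over is considered newer. Returns -1, 0 or 1."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit():
            return 1
        elif y.isdigit():
            return -1
        elif x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1


def parse_evr(s: str) -> tuple:
    """'[epoch:]version-release' -> (epoch, version, release); '(none)' epoch becomes '0'."""
    epoch = "0"
    if ":" in s:
        epoch, s = s.split(":", 1)
        if epoch == "(none)":
            epoch = "0"
    version, release = s.rsplit("-", 1)
    return (epoch, version, release)


def is_fixed(installed_evr: str) -> bool:
    """True if installed_evr is at or above FIXED_EVR (epoch, then version, then release)."""
    for have, want in zip(parse_evr(installed_evr), FIXED_EVR):
        r = rpmvercmp(have, want)
        if r:
            return r > 0
    return True


def installed_rpm_evr() -> str:
    """Query the live system for the rpm package's EVR (requires the rpm binary)."""
    out = subprocess.run(["rpm", "-q", "--qf", "%{EPOCH}:%{VERSION}-%{RELEASE}", "rpm"],
                         capture_output=True, text=True, check=True)
    return out.stdout.strip()
```

Constructed inputs such as `is_fixed("4.8.1-10.3.mga1")` (the affected build) return False, while the testing build and anything newer return True.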
Comment 3 David Walser 2012-04-21 00:22:34 CEST
I saw QA asking why rpm is in updates_testing in IRC.  This bug is already assigned to qa-bugs, so I hope you all see this.
Comment 4 Dave Hodgins 2012-04-21 02:44:38 CEST
Thanks.  Somehow I had missed this one.

Testing complete on i586 for the srpm
rpm-4.8.1-10.4.mga1.src.rpm

I've been using it for 5 days now, without any problems.

CC: (none) => davidwhodgins

Comment 5 claire robinson 2012-04-21 10:19:27 CEST
Thanks David. I didn't see it either :\

No PoC's and no regressions noticed in use.

Testing complete x86_64

Validating

Could sysadmin please push from core/updates_testing to core/updates

See comment 2 for Advisory and SRPM

Thanks!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Hardware: i586 => All

Comment 6 Thomas Backlund 2012-04-22 19:23:52 CEST
Update pushed

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
