|Summary:|yum: Not removing bad metadata and using it in next run|
|Product:|[Other] Security Response|
|Reporter:|Jan Lieskovsky <jlieskov>|
|Component:|vulnerability|
|Assignee:|Red Hat Product Security <security-response-team>|
|Status:|CLOSED ERRATA|
|QA Contact:||
|Version:|unspecified|
|CC:|james.antill, jrusnack, prakasmi, rcvalle, security-response-team, zpavlas|
|Fixed In Version:||
|Doc Type:|Bug Fix|
|Doc Text:||
|Story Points:|---|
|Last Closed:|2013-03-27 16:38:02 UTC|
|Type:|---|
|oVirt Team:|---|
|RHEL 7.3 requirements from Atomic Host:||
|Cloudforms Team:|---|
|Target Upstream Version:||
|Bug Depends On:|908870|
Description Jan Lieskovsky 2013-02-12 16:43:01 UTC
A security flaw was found in the way the Yum package manager performed management of repository metadata in certain circumstances (bad metadata were not removed properly and were re-used in a subsequent run). An attacker could inject a specially-crafted Trojan horse file into the metadata of a remote repository, possibly leading to their ability to confuse the Yum package manager into accepting invalid untrusted metadata as valid by mistake.
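The cache behaviour described above, reduced to a small model as an added example (this is not yum's own code; the in-memory dict standing in for the cache directory, the `filelists.xml.gz` name and the sample blobs are constructed): a download that fails its repomd.xml checksum is either left on disk and trusted as "already cached" on the next run (the flaw) or removed so the next run fetches it again (the fix).

```python
import hashlib

# Constructed sample data: the checksum repomd.xml advertises for the
# filelists metadata, and a tampered blob a bad mirror might serve instead.
GOOD_BLOB = b"<filelists>good</filelists>"
EXPECTED_SHA256 = hashlib.sha256(GOOD_BLOB).hexdigest()
TAMPERED_BLOB = b"<filelists>tampered</filelists>"
NAME = "filelists.xml.gz"  # assumed cache entry name


def verify(blob: bytes, expected_sha256: str) -> bool:
    """Check a downloaded metadata file against the repomd.xml checksum."""
    return hashlib.sha256(blob).hexdigest() == expected_sha256


def fetch_metadata(cache: dict, name: str, remote_blob: bytes,
                   expected_sha256: str, remove_bad: bool):
    """One package-manager run. `cache` stands in for the on-disk cache.

    Returns the metadata blob the run would use, or None when verification
    fails. remove_bad=False models the flaw: a failed download stays in the
    cache and is accepted as already-verified on the following run.
    """
    if name in cache:
        # Cache hit: the stored copy is assumed to have passed verification.
        return cache[name]
    cache[name] = remote_blob          # the download lands in the cache first
    if verify(remote_blob, expected_sha256):
        return remote_blob
    if remove_bad:
        del cache[name]                # hardened: never leave unverified data behind
    return None


def two_runs(remove_bad: bool):
    """Run twice: tampered data first, then a mirror serving correct data.

    With the flaw, the stale tampered copy wins on the second run even
    though the remote has been fixed; with the fix, the second run gets
    the verified good data.
    """
    cache = {}
    first = fetch_metadata(cache, NAME, TAMPERED_BLOB, EXPECTED_SHA256, remove_bad)
    second = fetch_metadata(cache, NAME, GOOD_BLOB, EXPECTED_SHA256, remove_bad)
    return first, second
```

Re-checking cache hits against the current repomd.xml checksums on every run closes the same window from the other side, at the cost of hashing the cached files each time.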
Comment 1 Jan Lieskovsky 2013-02-12 17:03:09 UTC
This issue did NOT affect the versions of the yum package, as shipped with Red Hat Enterprise Linux 5 and 6. -- This issue affects the versions of the yum package, as shipped with Fedora release of 17 and 18.
Comment 3 Jan Lieskovsky 2013-03-26 16:02:39 UTC
Comment 5 Jan Lieskovsky 2013-03-27 16:16:51 UTC
This issue was found by James Antill of Red Hat.
Comment 6 Jan Lieskovsky 2013-03-27 16:27:19 UTC
Comment 7 Jan Lieskovsky 2013-03-27 16:29:28 UTC
This issue was corrected in the yum-3.4.3-31.fc17 package version for Fedora release of 17, and in the yum-3.4.3-51.fc18 package version for Fedora release of 18.
Comment 8 Jan Lieskovsky 2013-03-27 16:34:25 UTC
Statement: Not vulnerable. This issue did not affect the versions of yum as shipped with Red Hat Enterprise Linux 5 and 6, as yum in those products did not (try to) use filelists metadata yet.
Comment 9 Kurt Seifried 2013-03-29 20:19:10 UTC
Added CVE as per http://www.openwall.com/lists/oss-security/2013/03/29/4
Comment 10 Ján Rusnačko 2015-10-23 14:08:41 UTC
Setting first statement as private, as it is ignored in favor of comment 8.
Comment 11 ipcbu_prakasmi 2020-06-11 09:09:15 UTC
Does this CVE affect the yum package (3.4.3 is the latest) from RHEL7?