Bug 910446 (CVE-2013-1910)

Summary: yum: Not removing bad metadata and using it in next run
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: james.antill, jrusnack, prakasmi, rcvalle, security-response-team, zpavlas
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2013-03-27 16:38:02 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 908870
Bug Blocks: 910454

Description Jan Lieskovsky 2013-02-12 16:43:01 UTC
A security flaw was found in the way the Yum package manager performed management of repository metadata in certain circumstances (bad metadata were not removed properly and were re-used in a subsequent run). An attacker could inject a specially-crafted Trojan horse file into the metadata of a remote repository, possibly leading to their ability to confuse the Yum package manager into accepting invalid untrusted metadata as valid by mistake.
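The flaw class described above, as an added illustration that is not yum's own code: a minimal repository-metadata cache in which a repomd index (trusted, in practice GPG-signed) lists the expected SHA-256 of each metadata file such as filelists. The vulnerable variant verifies a download but leaves the failed file in the cache, so the next run finds it on disk and uses it without re-checking; the fixed variant deletes a file that fails verification and only reuses a cached file after re-verifying it against repomd. The `Repo` and `MetadataCache` classes, the two mirrors and the metadata bytes are all constructed for this example.

```python
"""
Added example (not yum's code): a toy repository-metadata cache showing why a
file that fails checksum verification must be removed, not left for the next run.
"""
import hashlib
import os
import tempfile

# Constructed metadata payloads: what the honest mirror serves, and a tampered
# copy that a malicious mirror might serve instead.
GOOD_FILELISTS = b"<filelists><package name='foo'/></filelists>"
TROJAN_FILELISTS = b"<filelists><package name='evil'/></filelists>"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class Repo:
    """Constructed remote repository: a trusted repomd index (name -> expected
    digest) and the bytes the mirror actually serves, which may not match it."""

    def __init__(self, repomd: dict, served: dict):
        self.repomd = repomd
        self.served = served


class MetadataCache:
    """On-disk cache of metadata files; remove_bad selects fixed vs vulnerable."""

    def __init__(self, cachedir: str, remove_bad: bool):
        self.cachedir = cachedir
        self.remove_bad = remove_bad

    def _path(self, name: str) -> str:
        return os.path.join(self.cachedir, name)

    def get(self, repo: Repo, name: str) -> bytes:
        expected = repo.repomd[name]
        path = self._path(name)
        if os.path.exists(path):
            with open(path, "rb") as f:
                cached = f.read()
            if not self.remove_bad:
                # Vulnerable: whatever is already on disk is trusted as-is.
                return cached
            # Fixed: a cached file is reused only if it still matches repomd.
            if sha256(cached) == expected:
                return cached
            os.remove(path)
        # Download from the mirror and write it to the cache first, as a
        # downloader that verifies after writing would.
        data = repo.served[name]
        with open(path, "wb") as f:
            f.write(data)
        if sha256(data) != expected:
            if self.remove_bad:
                os.remove(path)  # Fixed: never leave a bad file behind.
            raise ValueError(f"{name}: checksum mismatch, refusing to use it")
        return data


def simulate(remove_bad: bool):
    """Run 1 fetches from a mirror serving tampered filelists; run 2 fetches
    from an honest mirror. Returns (run1_rejected, bytes used in run 2)."""
    with tempfile.TemporaryDirectory() as d:
        cache = MetadataCache(d, remove_bad)
        repomd = {"filelists": sha256(GOOD_FILELISTS)}
        bad_mirror = Repo(repomd, {"filelists": TROJAN_FILELISTS})
        good_mirror = Repo(repomd, {"filelists": GOOD_FILELISTS})
        try:
            cache.get(bad_mirror, "filelists")
            run1_rejected = False
        except ValueError:
            run1_rejected = True
        used_in_run2 = cache.get(good_mirror, "filelists")
        return run1_rejected, used_in_run2


if __name__ == "__main__":
    # Both variants reject the bad download in run 1; only the fixed variant
    # avoids silently using the leftover tampered file in run 2.
    print("vulnerable:", simulate(remove_bad=False))
    print("fixed:     ", simulate(remove_bad=True))
```

In both variants the first run correctly reports a checksum mismatch; the difference is entirely in what the second run does with the leftover file, which is the behaviour the bug summary describes.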

Comment 1 Jan Lieskovsky 2013-02-12 17:03:09 UTC
This issue did NOT affect the versions of the yum package as shipped with Red Hat Enterprise Linux 5 and 6.

--

This issue affects the versions of the yum package as shipped with Fedora release of 17 and 18.

Comment 5 Jan Lieskovsky 2013-03-27 16:16:51 UTC
This issue was found by James Antill of Red Hat.

Comment 6 Jan Lieskovsky 2013-03-27 16:27:19 UTC
CVE Request:
  http://www.openwall.com/lists/oss-security/2013/03/27/3

Comment 7 Jan Lieskovsky 2013-03-27 16:29:28 UTC
This issue was corrected in the yum-3.4.3-31.fc17 package version for Fedora release of 17, and in the yum-3.4.3-51.fc18 package version for Fedora release of 18.

Comment 8 Jan Lieskovsky 2013-03-27 16:34:25 UTC
Statement:

Not vulnerable. This issue did not affect the versions of yum as shipped with Red Hat Enterprise Linux 5 and 6, as yum in those products did not (try to) use filelists metadata yet.

Comment 9 Kurt Seifried 2013-03-29 20:19:10 UTC
Added CVE as per http://www.openwall.com/lists/oss-security/2013/03/29/4

Comment 10 Ján Rusnačko 2015-10-23 14:08:41 UTC
Setting first statement as private, as it is ignored in favor of comment 8.

Comment 11 ipcbu_prakasmi 2020-06-11 09:09:15 UTC
Does this CVE affect the yum package (3.4.3 is the latest) from RHEL7?