It was found that RPM could encounter an integer overflow, leading to a stack-based overflow, while parsing a crafted CPIO header in the payload section of an RPM file. This could allow an attacker to modify signed RPM files in such a way that they would execute code chosen by the attacker during package installation.
This issue was discovered by Florian Weimer of Red Hat Product Security.
Created attachment 962159 [details]
Proposed patch to limit the length of the file name to a reasonable value.
Created rpm tracking bugs for this issue:
Affects: fedora-all [bug 1172125]
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2014:1976 https://rhn.redhat.com/errata/RHSA-2014-1976.html
rpm-188.8.131.52-4.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
This issue does not affect the version of rpm package as shipped with Red Hat Enterprise Linux 5 and 6.
rpm-4.11.3-2.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.