Multiple improper input validation flaws were found in the code for handling region tags within the headerLoad, rpmReadSignature and headerVerify functions of the RPM library. These functions are used by the rpm utility to read the signature header section and to verify the values of the header structures (i.e. the signature and header sections) of an RPM file, respectively. An attacker could create a specially-crafted RPM file that, when read, could cause RPM to crash or, potentially, execute arbitrary code.
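The kind of bounds checking a region-tag reader needs before it trusts any offset in a header, as an added C example; this is not code from rpm, from the attached patches or from this bug report. The layout constants follow the on-disk RPM header format (8-byte magic, big-endian index count and data length, 16-byte index entries, region tags 61..64 whose data is a single trailer entry carrying a negative offset back into the index). The sanity limits HEADER_TAGS_MAX and HEADER_DATA_MAX, the negative return codes, the check_sample helper and the constructed sample blob are this example's own assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Layout of an RPM header blob: magic, index of 16-byte entries, then data. */
#define ENTRY_SIZE        16u         /* tag, type, offset, count: 4 big-endian bytes each */
#define RPM_BIN_TYPE      7u
#define REGION_TAG_COUNT  16u         /* a region entry's data is exactly one trailer entry */
#define HEADER_TAGS_MAX   0xffffu     /* assumed sanity limits for this example */
#define HEADER_DATA_MAX   0x0fffffffu
#define RPMTAG_HEADERIMAGE    61      /* region tags occupy 61..64 */
#define RPMTAG_HEADERREGIONS  64

static const uint8_t header_magic[8] = { 0x8e, 0xad, 0xe8, 0x01, 0, 0, 0, 0 };

struct entry { int32_t tag; uint32_t type; int32_t offset; uint32_t count; };

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void be32_put(uint8_t *p, uint32_t v)
{
    p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v;
}
static struct entry get_entry(const uint8_t *p)
{
    struct entry e = { (int32_t)be32(p), be32(p + 4), (int32_t)be32(p + 8), be32(p + 12) };
    return e;
}
static void put_entry(uint8_t *p, int32_t tag, uint32_t type, int32_t off, uint32_t count)
{
    be32_put(p, (uint32_t)tag); be32_put(p + 4, type);
    be32_put(p + 8, (uint32_t)off); be32_put(p + 12, count);
}

/* Validate the leading region entry of a header blob before any offset in it
 * is dereferenced. Returns 0 when every check passes, otherwise a negative
 * code (this example's own numbering) naming the check that failed. */
int check_region(const uint8_t *blob, size_t len)
{
    if (len < 16 || memcmp(blob, header_magic, 8) != 0) return -1;
    uint32_t il = be32(blob + 8), dl = be32(blob + 12);
    if (il == 0 || il > HEADER_TAGS_MAX || dl > HEADER_DATA_MAX) return -2;
    if (16 + (size_t)il * ENTRY_SIZE + dl > len) return -3;   /* index or data past the blob */
    const uint8_t *index = blob + 16;
    const uint8_t *data = index + (size_t)il * ENTRY_SIZE;

    struct entry region = get_entry(index);
    if (region.tag < RPMTAG_HEADERIMAGE || region.tag > RPMTAG_HEADERREGIONS) return -4;
    if (region.type != RPM_BIN_TYPE || region.count != REGION_TAG_COUNT) return -5;
    /* the region entry's offset must leave room for a whole trailer inside data */
    if (region.offset < 0 || dl < REGION_TAG_COUNT ||
        (uint32_t)region.offset > dl - REGION_TAG_COUNT) return -6;

    struct entry trailer = get_entry(data + region.offset);
    if (trailer.tag != region.tag || trailer.type != RPM_BIN_TYPE ||
        trailer.count != REGION_TAG_COUNT) return -7;
    /* trailer offset is -(entries covered by the region) * ENTRY_SIZE: negative and aligned */
    if (trailer.offset >= 0 || (-(int64_t)trailer.offset) % ENTRY_SIZE != 0) return -8;
    uint32_t ril = (uint32_t)(-(int64_t)trailer.offset / ENTRY_SIZE);
    if (ril == 0 || ril > il) return -9;        /* region would extend beyond the index */
    return 0;
}

/* Constructed sample (not a real package): a two-entry header whose first entry
 * is an immutable region. region_off and trailer_off are parameters so that
 * malformed variants can be produced. Returns the blob length (68 bytes). */
size_t build_sample(uint8_t *out, int32_t region_off, int32_t trailer_off)
{
    const char name[] = "pkg";                 /* payload of one STRING (type 6) tag */
    uint32_t il = 2, dl = REGION_TAG_COUNT + sizeof name;
    uint8_t *p = out;
    memcpy(p, header_magic, 8); p += 8;
    be32_put(p, il); be32_put(p + 4, dl); p += 8;
    put_entry(p, 63, RPM_BIN_TYPE, region_off, REGION_TAG_COUNT); p += ENTRY_SIZE;
    put_entry(p, 1000, 6, REGION_TAG_COUNT, 1); p += ENTRY_SIZE;            /* RPMTAG_NAME */
    put_entry(p, 63, RPM_BIN_TYPE, trailer_off, REGION_TAG_COUNT); p += ENTRY_SIZE; /* trailer */
    memcpy(p, name, sizeof name); p += sizeof name;
    return (size_t)(p - out);
}

/* Build one variant and validate it; truncate drops that many trailing bytes. */
int check_sample(int32_t region_off, int32_t trailer_off, size_t truncate)
{
    uint8_t buf[128];
    size_t n = build_sample(buf, region_off, trailer_off);
    return check_region(buf, n - truncate);
}

int main(void)
{
    printf("well-formed:            %d\n", check_sample(0, -32, 0));   /* 0 */
    printf("region covers 3 > il=2: %d\n", check_sample(0, -48, 0));   /* -9 */
    printf("region offset past dl:  %d\n", check_sample(64, -32, 0));  /* -6 */
    printf("blob truncated by 1:    %d\n", check_sample(0, -32, 1));   /* -3 */
    return 0;
}
```

The two values an attacker controls here are the region entry's forward offset into the data block and the trailer's backward offset into the index; each is checked against the length that actually bounds it (dl and il respectively) before being used as a pointer, which is the shape of check the advisory's "improper input validation" describes.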
Created attachment 566531: RPM 4.8.x patch - headerLoad
Created attachment 566532: RPM 4.8.x patch - headerVerify and rpmReadSignature
Created attachment 566535: RPM 4.4.x patch - headerLoad
Created attachment 566536: RPM 4.4.x patch - headerVerify and rpmReadSignature
Lifting embargo. Fixes committed upstream in: http://rpm.org/gitweb?p=rpm.git;a=commitdiff;h=e4eab2bc6d07cfd33f740071de7ddbb2fe2f4190 http://rpm.org/gitweb?p=rpm.git;a=commitdiff;h=f23998251992b8ae25faf5113c42fee2c49c7f29
Created rpm tracking bugs for this issue.
Affects: fedora-all [bug 809487]
Fixes included in upstream version 4.9.1.3: http://rpm.org/wiki/Releases/4.9.1.3
This issue has been addressed in the following products:
Red Hat Enterprise Linux 3 Extended Lifecycle Support
Red Hat Enterprise Linux 5.3 Long Life
Red Hat Enterprise Linux 5.6 EUS - Server Only
Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6.0 EUS - Server Only
Red Hat Enterprise Linux 6.1 EUS - Server Only
Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 4 Extended Lifecycle Support
Via RHSA-2012:0451 https://rhn.redhat.com/errata/RHSA-2012-0451.html
rpm-4.9.1.3-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
rpm-4.9.1.3-1.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
rpm-4.9.1.3-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
Acknowledgements: This issue was discovered by Ramon de C Valle of the Red Hat Product Security Team.