It was discovered that RPM did not properly validate region size in headerLoad() when loading header from an RPM file, allowing region size to exceed containing header size. A malformed or malicious RPM file could cause RPM to crash and possibly execute arbitrary code before file signature was properly verified.

Upstream commits:
http://rpm.org/gitweb?p=rpm.git;a=commitdiff;h=472e569562d4c90d7a298080e0052856aa7fa86b
http://rpm.org/gitweb?p=rpm.git;a=commitdiff;h=858a328cd0f7d4bcd8500c78faaf00e4f8033df6
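The kind of check the description above refers to, as an added example that is not RPM's code or the upstream patch: a validator that rejects a header blob whose region claims more index entries than the containing header holds. The blob layout, `region_check()` and `make_sample()` are simplified assumptions for illustration.

```c
#include <stdint.h>
#include <string.h>

#define ENTRY_SIZE 16u  /* one index entry: tag, type, offset, count (be32) */

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static void put32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Assumed layout: be32 il | be32 dl | il index entries | dl data bytes.
 * Entry 0 is the region entry; its offset locates a 16-byte trailer in the
 * data area whose offset field holds the negated region size in bytes.
 * Returns 0 if the region fits inside the header, -1 otherwise. */
int region_check(const uint8_t *blob, size_t len)
{
    if (len < 8) return -1;
    uint32_t il = be32(blob), dl = be32(blob + 4);
    /* The containing header must itself fit in the buffer. */
    if (il == 0 || il > (len - 8) / ENTRY_SIZE) return -1;
    size_t index_bytes = (size_t)il * ENTRY_SIZE;
    if (dl > len - 8 - index_bytes) return -1;
    /* The trailer must lie wholly inside the data area. */
    uint32_t off = be32(blob + 8 + 8);
    if (dl < ENTRY_SIZE || off > dl - ENTRY_SIZE) return -1;
    /* Negate in unsigned arithmetic to avoid signed overflow. */
    uint32_t rdl = 0u - be32(blob + 8 + index_bytes + off + 8);
    if (rdl == 0 || rdl % ENTRY_SIZE != 0) return -1;
    /* Region size must not exceed the containing header's index. */
    return (rdl / ENTRY_SIZE > il) ? -1 : 0;
}

/* Constructed sample: il entries, trailer claiming a region of ril entries.
 * buf must hold 8 + (il + 1) * ENTRY_SIZE bytes. Returns the blob length. */
size_t make_sample(uint8_t *buf, uint32_t il, uint32_t ril)
{
    size_t len = 8 + (size_t)il * ENTRY_SIZE + ENTRY_SIZE;
    memset(buf, 0, len);
    put32(buf, il);
    put32(buf + 4, ENTRY_SIZE);                   /* dl: trailer only */
    put32(buf + len - 8, 0u - ril * ENTRY_SIZE);  /* trailer offset field */
    return len;
}
```

Every length is checked against the enclosing buffer before it is used as an index, so a file that lies about its region size is rejected instead of driving reads past the header.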
Created attachment 566511: RPM 4.8.x patch
Created attachment 566512: RPM 4.4.x patch
Lifting embargo. Fix is already in upstream git:
http://rpm.org/gitweb?p=rpm.git;a=commitdiff;h=472e569562d4c90d7a298080e0052856aa7fa86b
http://rpm.org/gitweb?p=rpm.git;a=commitdiff;h=858a328cd0f7d4bcd8500c78faaf00e4f8033df6
Created rpm tracking bugs for this issue.
Affects: fedora-all [bug 809487]
Fixes included in upstream version 4.9.1.3: http://rpm.org/wiki/Releases/4.9.1.3
This issue has been addressed in following products:

  Red Hat Enterprise Linux 3 Extended Lifecycle Support
  Red Hat Enterprise Linux 5.3 Long Life
  Red Hat Enterprise Linux 5.6 EUS - Server Only
  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6.0 EUS - Server Only
  Red Hat Enterprise Linux 6.1 EUS - Server Only
  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 4 Extended Lifecycle Support

Via RHSA-2012:0451 https://rhn.redhat.com/errata/RHSA-2012-0451.html
rpm-4.9.1.3-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
rpm-4.9.1.3-1.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
rpm-4.9.1.3-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
Acknowledgements: This issue was discovered by Ramon de C Valle of the Red Hat Product Security Team.