A numeric range comparison without minimum check flaw was found in the headerVerifyInfo function of the RPM library. This function is used by the rpm utility to verify the values of the header structures (i.e. the signature and header sections) of an RPM file. An attacker could create a specially-crafted RPM file that, when read, could cause RPM to crash or, potentially, execute arbitrary code.
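To make the bug class concrete, the following is an added illustration written for this page; it is not rpm's code and not the upstream patch. It parses 16-byte header index entries in the RPM on-disk layout (tag, type, offset, count, each a big-endian 32-bit value, with the offset treated as signed) and runs them through two range checks: a weak one that only bounds the offset from above, so a negative offset is accepted and would later be added to the data pointer, and a corrected one that enforces the minimum as well. The function names, the sample index and the 64-byte data-area size are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>

/* One header index entry as stored on disk: four big-endian 32-bit
 * fields. rpm treats the offset as a signed 32-bit value, which is what
 * makes the missing lower bound matter. The entry layout follows the RPM
 * header format; the checks below are an illustration (assumption: they
 * are not rpm's headerVerifyInfo). */
struct entry_info {
    int32_t tag;
    int32_t type;
    int32_t offset;   /* byte offset into the data area */
    int32_t count;
};

static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static void parse_entry(const unsigned char *p, struct entry_info *info)
{
    info->tag    = (int32_t)be32(p);
    info->type   = (int32_t)be32(p + 4);
    info->offset = (int32_t)be32(p + 8);
    info->count  = (int32_t)be32(p + 12);
}

/* Weak check: only the upper bound is tested. A negative offset such as
 * -16 satisfies off <= dl and is accepted, so a later data + off points
 * before the start of the data area. */
int range_ok_weak(int32_t dl, int32_t off)
{
    return off <= dl;
}

/* Corrected check: both ends of the range are enforced. */
int range_ok(int32_t dl, int32_t off)
{
    return off >= 0 && off <= dl;
}

/* Verify il index entries against a data area of dl bytes. Returns the
 * index of the first entry that fails the range check, or -1 if all pass. */
int verify_entries(const unsigned char *pe, int il, int32_t dl,
                   int (*range_check)(int32_t, int32_t))
{
    for (int i = 0; i < il; i++) {
        struct entry_info info;
        parse_entry(pe + (size_t)i * 16, &info);
        if (!range_check(dl, info.offset))
            return i;
    }
    return -1;
}

/* Constructed sample index: two entries. The first is well formed
 * (offset 0); the second carries offset 0xFFFFFFF0, i.e. -16 as int32. */
static const unsigned char SAMPLE_INDEX[32] = {
    0x00,0x00,0x03,0xE8, 0x00,0x00,0x00,0x06, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x01,
    0x00,0x00,0x03,0xE9, 0x00,0x00,0x00,0x04, 0xFF,0xFF,0xFF,0xF0, 0x00,0x00,0x00,0x01,
};

/* The weak check accepts every entry (-1); the corrected check stops at
 * entry 1, the one with the negative offset. */
int demo_weak(void)  { return verify_entries(SAMPLE_INDEX, 2, 64, range_ok_weak); }
int demo_fixed(void) { return verify_entries(SAMPLE_INDEX, 2, 64, range_ok); }
```

The point to take from the example is that a signed offset read from untrusted input needs a check on both sides; testing only `off > dl` leaves every negative value, and therefore every address before the data buffer, reachable from the file.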
Created attachment 566526: RPM 4.8.x patch
Created attachment 566527: RPM 4.4.x patch
Lifting embargo. Committed upstream now in: http://rpm.org/gitweb?p=rpm.git;a=commitdiff;h=6fc6b45bf9fef0f17a2900c6c5198bda5e50d09e
Created rpm tracking bugs for this issue
Affects: fedora-all [bug 809487]
Fixes included in upstream version 4.9.1.3: http://rpm.org/wiki/Releases/4.9.1.3
This issue has been addressed in the following products:
  Red Hat Enterprise Linux 3 Extended Lifecycle Support
  Red Hat Enterprise Linux 5.3 Long Life
  Red Hat Enterprise Linux 5.6 EUS - Server Only
  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6.0 EUS - Server Only
  Red Hat Enterprise Linux 6.1 EUS - Server Only
  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 4 Extended Lifecycle Support
Via RHSA-2012:0451 https://rhn.redhat.com/errata/RHSA-2012-0451.html
rpm-4.9.1.3-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
rpm-4.9.1.3-1.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
rpm-4.9.1.3-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
Acknowledgements: This issue was discovered by Ramon de C Valle of the Red Hat Product Security Team.