Bug 910446 (CVE-2013-1910) - yum: Not removing bad metadata and using it in next run
Summary: yum: Not removing bad metadata and using it in next run
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2013-1910
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 908870
Blocks: 910454
TreeView+ depends on / blocked
 
Reported: 2013-02-12 16:43 UTC by Jan Lieskovsky
Modified: 2020-06-11 09:09 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-03-27 16:38:02 UTC


Attachments (Terms of Use)

Description Jan Lieskovsky 2013-02-12 16:43:01 UTC
A security flaw was found in the way Yum package manager performed management of repository metadata in certain circumstances (bad metadata were not removed properly and re-used in subsequent run). An attacker could inject a specially-crafted Trojan horse file in the metadata of a remote repository, possibly leading to their ability to confuse Yum package manager to accept invalid untrusted metadata as valid by mistake.

Comment 1 Jan Lieskovsky 2013-02-12 17:03:09 UTC
This issue did NOT affect the versions of the yum package, as shipped with Red Hat Enterprise Linux 5 and 6.

--

This issue affects the versions of the yum package, as shipped with Fedora release of 17 and 18.

Comment 5 Jan Lieskovsky 2013-03-27 16:16:51 UTC
This issue was found by James Antill of Red Hat.

Comment 6 Jan Lieskovsky 2013-03-27 16:27:19 UTC
CVE Request:
  http://www.openwall.com/lists/oss-security/2013/03/27/3

Comment 7 Jan Lieskovsky 2013-03-27 16:29:28 UTC
This issue was corrected in the yum-3.4.3-31.fc17 package version for Fedora release of 17, and in the yum-3.4.3-51.fc18 package version for Fedora release of 18.

Comment 8 Jan Lieskovsky 2013-03-27 16:34:25 UTC
Statement:

Not vulnerable. This issue did not affect the versions of yum as shipped with Red Hat Enterprise Linux 5 and 6, as yum in those products did not (try to) use filelists metadata yet.

Comment 9 Kurt Seifried 2013-03-29 20:19:10 UTC
Added CVE as per http://www.openwall.com/lists/oss-security/2013/03/29/4

Comment 10 Ján Rusnačko 2015-10-23 14:08:41 UTC
Setting first statement as private, as it is ignored in favor of comment 8.

Comment 11 ipcbu_prakasmi 2020-06-11 09:09:15 UTC
Does this CVE effect yum package (3.4.3 is the latest) from RHEL7?


Note You need to log in before you can comment on or make changes to this bug.