blob: 7d214d2e0cfd2e64fef43a6b1024f9164282c734 [file] [log] [blame]
<?xml version="1.0" encoding="utf-8"?>
<glsa id="200611-08">
<title>RPM: Buffer overflow</title>
RPM is vulnerable to a buffer overflow and possibly the execution of
arbitrary code when opening specially crafted packages.
<product type="ebuild">rpm</product>
<announced>November 13, 2006</announced>
<revised>November 13, 2006: 01</revised>
<package name="app-arch/rpm" auto="yes" arch="*">
<unaffected range="ge">4.4.6-r3</unaffected>
<vulnerable range="lt">4.4.6-r3</vulnerable>
The Red Hat Package Manager (RPM) is a command line driven package
management system capable of installing, uninstalling, verifying,
querying, and updating computer software packages.
Vladimir Mosgalin has reported that when processing certain packages,
RPM incorrectly allocates memory for the packages, possibly causing a
heap-based buffer overflow.
<impact type="normal">
An attacker could entice a user to open a specially crafted RPM package
and execute code with the privileges of that user if certain locales
are set.
There is no known workaround at this time.
All RPM users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose &quot;&gt;=app-arch/rpm-4.4.6-r3&quot;</code>
<uri link="">CVE-2006-5466</uri>
<metadata tag="requester" timestamp="Mon, 06 Nov 2006 23:03:12 +0000">
<metadata tag="submitter" timestamp="Mon, 06 Nov 2006 23:11:11 +0000">
<metadata tag="bugReady" timestamp="Tue, 07 Nov 2006 13:44:27 +0000">