Debian Security Advisory

DLA-140-1 rpm -- LTS security update

Date Reported:
28 Jan 2015
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2012-0060, CVE-2012-0061, CVE-2012-0815, CVE-2013-6435, CVE-2014-8118.
More information:

Several vulnerabilities have been fixed in rpm:

  • CVE-2014-8118

    Fix integer overflow which allowed remote attackers to execute arbitrary code.

  • CVE-2013-6435

    Prevent remote attackers from executing arbitrary code via crafted RPM files.

  • CVE-2012-0815

    Fix denial of service and possible code execution via negative value in region offset in crafted RPM files.

  • CVE-2012-0060

    and CVE-2012-0061

    Prevent denial of service (crash) and possibly execute arbitrary code execution via an invalid region tag in RPM files.

We recommend that you upgrade your rpm packages.

For Debian 6 Squeeze, these issues have been fixed in rpm version 4.8.1-6+squeeze2