Debian Long Term Support / LTS Security Information / 2015 / Security Information -- DLA-140-1 rpm

Debian Security Advisory

DLA-140-1 rpm -- LTS security update

Date Reported:

28 Jan 2015

Affected Packages:

rpm

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2012-0060, CVE-2012-0061, CVE-2012-0815, CVE-2013-6435, CVE-2014-8118.

More information:

Several vulnerabilities have been fixed in rpm:

• CVE-2014-8118

  Fix integer overflow which allowed remote attackers to execute arbitrary code.

• CVE-2013-6435

  Prevent remote attackers from executing arbitrary code via crafted RPM files.

• CVE-2012-0815

  Fix denial of service and possible code execution via negative value in region offset in crafted RPM files.

• CVE-2012-0060

  and CVE-2012-0061

  Prevent denial of service (crash) and possibly execute arbitrary code execution via an invalid region tag in RPM files.

We recommend that you upgrade your rpm packages.

For Debian 6 Squeeze, these issues have been fixed in rpm version 4.8.1-6+squeeze2