Re: Advisory: Corrupt RPM Query Vulnerability

From: Roman Drahtmueller (drahtat_private)
Date: Wed Oct 24 2001 - 11:44:47 PDT

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    >
    > Description: Arbitrary command executing on query of corrupt RPM files
    >              (note: you do not have to install the file to be affected)
    >
    >
    > Severity: Very Low to Low
    >           (Unless running an lpd with no access restrictions,
    >           in which case, it may allow remote compromise.)
    >
    >
    > Affects: rpm-4.0.2-7x
    >          probably also earlier 4.0.x rpm packages (*)
    >          Also affects other programs using rpm 4.0.x libraries,
    >          including rpm2html.
    >
    > (*) 3.0.x is not affected by _this_ fault, but that
    >     does not mean it is not affected by a similar
    >     problem. (Tested against RPM 3.0.3 on SuSE 6.2)
    
    For verification:
    
    SuSE Linux distributions use rpm in versions 3.0.3 (SuSE-6.3), 3.0.4
    (SuSE-6.4,7.0) and 3.0.6 (SuSE-7.1+later) and are not vulnerable to this
    specific problem.
    
    Just a guess, without any claims of accuracy: Most Linux distributors use
    a version of rpm in the 3-series as well. If you are unsure, use the
    command "rpm -q rpm" to find out.
    
    > -- zen-parse
    >
    > (Vendors were originally notified of the problem 12th August 2001)
    
    Yes. Thank you!
    Roman.
    - -- 
     -                                                                      -
    | Roman Drahtmüller      <drahtat_private> // "You don't need eyes to see, |
      SuSE GmbH - Security           Phone: //             you need vision!"
    | Nürnberg, Germany     +49-911-740530 //           Maxi Jazz, Faithless |
     -                                                                      -
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (GNU/Linux)
    Comment: http://www.suse.de/  
    
    iEYEARECAAYFAjvXDD4ACgkQnkDjEAAKq6SqOwCgk9D0sppUqB6CQOo0GTPL+OWT
    GDgAn3Ne/C4gK/VO39P8aR87gJz1CE1l
    =e9gi
    -----END PGP SIGNATURE-----
    


