Otkriven je sigurnosni nedostatak programskog paketa RPM kojeg zlonamjerni korisnici mogu iskoristiti kako bi izveli DoS napad i izvršili zlonamjerni programski kod.
| Paket: | rpm 4.x |
| Operacijski sustavi: | Mandriva Linux 2009.0, Mandriva Linux 2010.1, Mandriva Linux Enterprise Server 5.0 |
| Kritičnost: | 5 |
| Problem: | pogreška u programskoj komponenti |
| Iskorištavanje: | lokalno/udaljeno |
| Posljedica: | proizvoljno izvršavanje programskog koda, uskraćivanje usluga (DoS) |
| Rješenje: | programska zakrpa proizvođača |
| CVE: | CVE-2011-3378 |
| Izvorni ID preporuke: | MDVSA-2011:143 |
| Izvor: | Mandriva |
| Problem: | |
| Uzrok sigurnosnog nedostatka su višestruke pogreške pri obradi zaglavlja paketa. |
|
| Posljedica: | |
| Slanjem posebno oblikovanog RPM paketa napadač može izvesti DoS napad i pokretati proizvoljni programski kod. |
|
| Rješenje: | |
| Korisnici se potiču na korištenje odgovarajuće nadogradnje. |
|
Izvorni tekst preporuke
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2011:143
http://www.mandriva.com/security/
_______________________________________________________________________
Package : rpm
Date : October 5, 2011
Affected: 2009.0, 2010.1, Enterprise Server 5.0
_______________________________________________________________________
Problem Description:
Multiple flaws were found in the way the RPM library parsed package
headers. An attacker could create a specially-crafted RPM package that,
when queried or installed, would cause rpm to crash or, potentially,
execute arbitrary code (CVE-2011-3378).
Additionally for Mandriva Linux 2009.0 and Mandriva Linux Enterprise
Server 5 updated perl-URPM and lzma (xz v5) packages are being provided
to support upgrading to Mandriva Linux 2011.
The updated packages have been patched to correct these issues.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3378
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2009.0:
98c2cda3db7b51815b079b0d92bb4bd4
2009.0/i586/liblzma5-5.0.0-0.1mdv2009.0.i586.rpm
942477564ab80da29d54a22449cace61
2009.0/i586/liblzma-devel-5.0.0-0.1mdv2009.0.i586.rpm
9252fd231fce953f4667410060b8cd16
2009.0/i586/libpopt0-1.10.8-32.4mdv2009.0.i586.rpm
b77d4ac690d32ed54966fa48e1d32a7d
2009.0/i586/libpopt-devel-1.10.8-32.4mdv2009.0.i586.rpm
93567d53252e1942f04604fcad0a75af
2009.0/i586/librpm4.4-4.4.2.3-20.4mnb2.i586.rpm
f9e4376e5143b0baaa966b25871e5604
2009.0/i586/librpm-devel-4.4.2.3-20.4mnb2.i586.rpm
ff675380860633d0a79517a5f553505c
2009.0/i586/perl-URPM-3.18.2-0.1mdv2009.0.i586.rpm
0c00c730b371a8488a34e427b19e39f7
2009.0/i586/popt-data-1.10.8-32.4mdv2009.0.i586.rpm
515a4e3f1bc7fb0d2deb84441aaf51a2
2009.0/i586/python-rpm-4.4.2.3-20.4mnb2.i586.rpm
538c6e077166004cb32dd8c2203028c1 2009.0/i586/rpm-4.4.2.3-20.4mnb2.i586.rpm
b496d2f1e16f48ada048f8cd38c373d0
2009.0/i586/rpm-build-4.4.2.3-20.4mnb2.i586.rpm
cf1dbb505863eb6a3dc10aa3e8109c99 2009.0/i586/xz-5.0.0-0.1mdv2009.0.i586.rpm
eb51fc6bdcb7d37f9fb36a3f19752bfb
2009.0/SRPMS/perl-URPM-3.18.2-0.1mdv2009.0.src.rpm
3810ffe71b1fcc3ca924510f990a726e 2009.0/SRPMS/rpm-4.4.2.3-20.4mnb2.src.rpm
f85c631e530882f15258e15e02ab9eb9 2009.0/SRPMS/xz-5.0.0-0.1mdv2009.0.src.rpm
Mandriva Linux 2009.0/X86_64:
1e27e2de0b8ce62458be3391f5bef22f
2009.0/x86_64/lib64lzma5-5.0.0-0.1mdv2009.0.x86_64.rpm
bb5c8c0ae55521ac5cbcaa142c21d819
2009.0/x86_64/lib64lzma-devel-5.0.0-0.1mdv2009.0.x86_64.rpm
d7693e8498043816318577aae9d0c75e
2009.0/x86_64/lib64popt0-1.10.8-32.4mdv2009.0.x86_64.rpm
8c90c527924185ac57df3df102445b87
2009.0/x86_64/lib64popt-devel-1.10.8-32.4mdv2009.0.x86_64.rpm
8523f9a7d772bae89bc65c77e43610a3
2009.0/x86_64/lib64rpm4.4-4.4.2.3-20.4mnb2.x86_64.rpm
9b6ffb1f6ff372d18bc2d74c1d37f993
2009.0/x86_64/lib64rpm-devel-4.4.2.3-20.4mnb2.x86_64.rpm
774bc8f17f68c0e87e46c01c6613815c
2009.0/x86_64/perl-URPM-3.18.2-0.1mdv2009.0.x86_64.rpm
e2568c932f09b909d1063f846fba9c4e
2009.0/x86_64/popt-data-1.10.8-32.4mdv2009.0.x86_64.rpm
5b3cc13693bf30a1e0ba5d5b6f0604cb
2009.0/x86_64/python-rpm-4.4.2.3-20.4mnb2.x86_64.rpm
4fe7f2570e9d18f45bfcd407b92e8006
2009.0/x86_64/rpm-4.4.2.3-20.4mnb2.x86_64.rpm
8ff30a53afdd7b40aaea7abcfb1de67b
2009.0/x86_64/rpm-build-4.4.2.3-20.4mnb2.x86_64.rpm
ac30079aa87aeded12710283fbb68a71
2009.0/x86_64/xz-5.0.0-0.1mdv2009.0.x86_64.rpm
eb51fc6bdcb7d37f9fb36a3f19752bfb
2009.0/SRPMS/perl-URPM-3.18.2-0.1mdv2009.0.src.rpm
3810ffe71b1fcc3ca924510f990a726e 2009.0/SRPMS/rpm-4.4.2.3-20.4mnb2.src.rpm
f85c631e530882f15258e15e02ab9eb9 2009.0/SRPMS/xz-5.0.0-0.1mdv2009.0.src.rpm
Mandriva Linux 2010.1:
575195c4b8184b3bad4a8f0f47611ddd
2010.1/i586/librpm4.6-4.6.0-14.1mnb2.i586.rpm
633472c6a46e4cda25cd79733e7734e3
2010.1/i586/librpm-devel-4.6.0-14.1mnb2.i586.rpm
ea033f2bdfc086def7b44a41b7d93bb0
2010.1/i586/python-rpm-4.6.0-14.1mnb2.i586.rpm
755250a1883f839056aeddc45249b4d9 2010.1/i586/rpm-4.6.0-14.1mnb2.i586.rpm
58baba3819190882766667d1e6b605b6
2010.1/i586/rpm-build-4.6.0-14.1mnb2.i586.rpm
cdbcfbce75a90e86b162918948a0a479 2010.1/SRPMS/rpm-4.6.0-14.1mnb2.src.rpm
Mandriva Linux 2010.1/X86_64:
3111d2370a6e6e046425468dd369406c
2010.1/x86_64/lib64rpm4.6-4.6.0-14.1mnb2.x86_64.rpm
b67b4d0aab5657bbbd13f295cc3572cf
2010.1/x86_64/lib64rpm-devel-4.6.0-14.1mnb2.x86_64.rpm
fd6fa45375ef7605be4185e72ddcbc85
2010.1/x86_64/python-rpm-4.6.0-14.1mnb2.x86_64.rpm
8435bb14763a9b04cf92362d0bfbb55b 2010.1/x86_64/rpm-4.6.0-14.1mnb2.x86_64.rpm
79d9c8c76cb994cb22565163b96301b4
2010.1/x86_64/rpm-build-4.6.0-14.1mnb2.x86_64.rpm
cdbcfbce75a90e86b162918948a0a479 2010.1/SRPMS/rpm-4.6.0-14.1mnb2.src.rpm
Mandriva Enterprise Server 5:
846e55fe6d87d65100e109de877bb43c
mes5/i586/liblzma5-5.0.0-0.1mdvmes5.2.i586.rpm
03fac9972c6b5ffad2fa0e2fe75c7977
mes5/i586/liblzma-devel-5.0.0-0.1mdvmes5.2.i586.rpm
e66a9277bb33c1addf477c4abaabacb2
mes5/i586/libpopt0-1.10.8-32.4mdvmes5.2.i586.rpm
1a21aebc11dc56d14d1dc17dbc4feceb
mes5/i586/libpopt-devel-1.10.8-32.4mdvmes5.2.i586.rpm
25d9c1c2aa8ff092a78545720f1eaa6a
mes5/i586/librpm4.4-4.4.2.3-20.4mnb2.i586.rpm
d91d6ea8dbc802881f8342f058e4e7ce
mes5/i586/librpm-devel-4.4.2.3-20.4mnb2.i586.rpm
24494f4a5c12f2d153ba02786e875a9b
mes5/i586/perl-URPM-3.18.2-0.1mdvmes5.2.i586.rpm
db6a33a30d349eef54d08e6876b4096d
mes5/i586/popt-data-1.10.8-32.4mdvmes5.2.i586.rpm
4ca5d53ab83f1c549dccd1d529f95b2b
mes5/i586/python-rpm-4.4.2.3-20.4mnb2.i586.rpm
e6e9930ec6bd43b700bc7a5f5bdab91b mes5/i586/rpm-4.4.2.3-20.4mnb2.i586.rpm
7cd479a1accf964b867125e3b1d5b66f
mes5/i586/rpm-build-4.4.2.3-20.4mnb2.i586.rpm
8f0f63192c52671653e126a9732b8a09 mes5/i586/xz-5.0.0-0.1mdvmes5.2.i586.rpm
0047febfa6824a98e79b545a4af5c1ee
mes5/SRPMS/perl-URPM-3.18.2-0.1mdvmes5.2.src.rpm
d5164ea3f0a4791e914b66349552ad74 mes5/SRPMS/rpm-4.4.2.3-20.4mnb2.src.rpm
bdc1de5c6f723086ad97395cb088570a mes5/SRPMS/xz-5.0.0-0.1mdvmes5.2.src.rpm
Mandriva Enterprise Server 5/X86_64:
6eae5cab40a4483e8b8676cdc7cb3a47
mes5/x86_64/lib64lzma5-5.0.0-0.1mdvmes5.2.x86_64.rpm
abd4f61de9485e9b17423368c9e0846e
mes5/x86_64/lib64lzma-devel-5.0.0-0.1mdvmes5.2.x86_64.rpm
9dc9ba0ee07b448bc9291d745d474133
mes5/x86_64/lib64popt0-1.10.8-32.4mdvmes5.2.x86_64.rpm
11abb87f3f5237a585e06439cf950ce6
mes5/x86_64/lib64popt-devel-1.10.8-32.4mdvmes5.2.x86_64.rpm
a63fb1c7f572cd7aae2d6e11074ca5fa
mes5/x86_64/lib64rpm4.4-4.4.2.3-20.4mnb2.x86_64.rpm
b6260a53de8b113e4ecc98bb48e92861
mes5/x86_64/lib64rpm-devel-4.4.2.3-20.4mnb2.x86_64.rpm
94ee88583cf17e6c370386eaa8e07aca
mes5/x86_64/perl-URPM-3.18.2-0.1mdvmes5.2.x86_64.rpm
ca74f38a9622e7c02521085d6e6e6978
mes5/x86_64/popt-data-1.10.8-32.4mdvmes5.2.x86_64.rpm
13ef4db721a5f915f19566b3950e3703
mes5/x86_64/python-rpm-4.4.2.3-20.4mnb2.x86_64.rpm
5386b22db9cdbce48029bbe7a9bf066a mes5/x86_64/rpm-4.4.2.3-20.4mnb2.x86_64.rpm
cef9d07d289fd54fe84e00c732cbfa74
mes5/x86_64/rpm-build-4.4.2.3-20.4mnb2.x86_64.rpm
1867622d245b27193cc5a7a021f23822 mes5/x86_64/xz-5.0.0-0.1mdvmes5.2.x86_64.rpm
0047febfa6824a98e79b545a4af5c1ee
mes5/SRPMS/perl-URPM-3.18.2-0.1mdvmes5.2.src.rpm
d5164ea3f0a4791e914b66349552ad74 mes5/SRPMS/rpm-4.4.2.3-20.4mnb2.src.rpm
bdc1de5c6f723086ad97395cb088570a mes5/SRPMS/xz-5.0.0-0.1mdvmes5.2.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iD8DBQFOjHw1mqjQ0CJFipgRAmhYAJoCELWnwS7tgXwMikryTp7aBGHBSgCglC+q
FzkgbuCVJvM+cAouZUfpbJk=
=XKgy
-----END PGP SIGNATURE-----
Posljednje sigurnosne preporuke