CVE-2012-0060

medium

Description

RPM before 4.9.1.3 does not properly validate region tags, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an invalid region tag in a package header to the (1) headerLoad, (2) rpmReadSignature, or (3) headerVerify function.

All three functions sit on the path that parses a package's header before anything else is decided about the package: headerLoad() turns the on-disk header index and data into an in-memory header, and rpmReadSignature() and headerVerify() run during signature checking. A crafted region tag is therefore processed before the package's digital signature has been verified, so signing packages and running rpm -K / --checksig does not protect against this flaw; only an rpm (and librpm consumers such as rpm-python and yum) at 4.9.1.3 or a distribution build carrying the two upstream commits listed under References does.
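To make concrete what "validating a region tag" means, here is an added example (not code from the CVE entry, from rpm, or from any of the advisories above) that parses a bare RPM header section and applies the bounds checks a safe headerLoad() needs: the region entry must be first, of BIN type with count 16, its trailer must lie entirely inside the data blob, and the trailer's negative offset must describe a region no larger than the index. The constants (magic 8e ad e8 01, tags 62/63, type 7, 16-byte entries) are the documented RPM header layout; the functions build_header, parse_header and check, the sample headers, and the exact layout of the trailer as modelled here are this example's own assumptions. The malformed samples are constructed inline and do not reproduce the original crash; they only show the class of input the checks reject.

```python
import struct

# RPM header format constants (assumed here; they match rpm's public tag list)
HEADER_MAGIC = b"\x8e\xad\xe8\x01"
RPMTAG_HEADERSIGNATURES = 62   # region tag of the signature header
RPMTAG_HEADERIMMUTABLE = 63    # region tag of the main header
RPM_BIN_TYPE = 7
ENTRY_SIZE = 16                # index entry: tag, type, offset, count (32-bit big-endian each)
REGION_TAG_COUNT = 16          # a region tag's data is exactly one 16-byte trailer entry


def build_header(entries, data, region_tag=RPMTAG_HEADERIMMUTABLE, region_offset=None):
    """Serialise a header: magic, 4 reserved bytes, il, dl, index entries, data blob.

    `entries` are (tag, type, offset, count) tuples for the ordinary tags; the region
    entry is always written first. Unless `region_offset` is forced (used below to
    fabricate a malformed header), a trailer is appended to the data and pointed at.
    The trailer's offset is -(ril * 16), ril being the number of index entries the
    region covers, including the region entry itself (as this example models it).
    """
    il = 1 + len(entries)
    if region_offset is None:
        region_offset = len(data)
        data += struct.pack(">iIiI", region_tag, RPM_BIN_TYPE, -(il * ENTRY_SIZE), REGION_TAG_COUNT)
    index = struct.pack(">iIiI", region_tag, RPM_BIN_TYPE, region_offset, REGION_TAG_COUNT)
    for tag, typ, off, cnt in entries:
        index += struct.pack(">iIiI", tag, typ, off, cnt)
    return HEADER_MAGIC + b"\0" * 4 + struct.pack(">II", il, len(data)) + index + data


def parse_header(blob):
    """Parse a header section and validate its region tag; raise ValueError if malformed."""
    if len(blob) < 16 or blob[:4] != HEADER_MAGIC:
        raise ValueError("bad header magic")
    il, dl = struct.unpack(">II", blob[8:16])
    index_end = 16 + il * ENTRY_SIZE
    if il == 0 or index_end + dl > len(blob):
        raise ValueError("index/data counts exceed buffer")
    index = [struct.unpack(">iIiI", blob[16 + i * ENTRY_SIZE:16 + (i + 1) * ENTRY_SIZE])
             for i in range(il)]
    data = blob[index_end:index_end + dl]

    tag, typ, off, cnt = index[0]
    if tag not in (RPMTAG_HEADERSIGNATURES, RPMTAG_HEADERIMMUTABLE):
        raise ValueError("first index entry is not a region tag")
    if typ != RPM_BIN_TYPE or cnt != REGION_TAG_COUNT:
        raise ValueError("region tag must be BIN type with count 16")
    # The region trailer must lie entirely inside the data blob; without this check a
    # bogus offset makes the loader read (and trust) memory past the end of the header.
    if off < 0 or off + REGION_TAG_COUNT > dl:
        raise ValueError(f"region trailer offset {off} outside data (dl={dl})")
    ttag, ttyp, toff, tcnt = struct.unpack(">iIiI", data[off:off + REGION_TAG_COUNT])
    if (ttag, ttyp, tcnt) != (tag, RPM_BIN_TYPE, REGION_TAG_COUNT):
        raise ValueError("region trailer does not match region tag")
    if toff >= 0 or toff % ENTRY_SIZE != 0:
        raise ValueError("region trailer offset must be a negative multiple of 16")
    ril = -toff // ENTRY_SIZE
    if ril < 1 or ril > il:
        raise ValueError(f"region covers {ril} entries but index has {il}")
    # Ordinary entries must also point inside the data blob.
    for etag, _etyp, eoff, _ecnt in index[1:]:
        if eoff < 0 or eoff > dl:
            raise ValueError(f"tag {etag} data offset {eoff} outside data")
    return {"il": il, "dl": dl, "ril": ril, "region_tag": tag, "index": index, "data": data}


def check(blob):
    """Summarise the verdict for a header blob: 'ok' or 'rejected: <reason>'."""
    try:
        parse_header(blob)
        return "ok"
    except ValueError as exc:
        return f"rejected: {exc}"


# Constructed samples (not real packages): one NAME tag (1000, STRING type 6) -> "demo\0"
NAME_ENTRY = [(1000, 6, 0, 1)]
GOOD = build_header(NAME_ENTRY, b"demo\0")
# Region entry points 4096 bytes into a 5-byte data blob: the trailer read would run off the buffer
BAD_OFFSET = build_header(NAME_ENTRY, b"demo\0", region_offset=4096)
# Trailer claims the region spans 5 index entries although the index holds only 2
BAD_RIL = build_header(NAME_ENTRY,
                       b"demo\0" + struct.pack(">iIiI", RPMTAG_HEADERIMMUTABLE, RPM_BIN_TYPE,
                                               -(5 * ENTRY_SIZE), REGION_TAG_COUNT),
                       region_offset=5)

if __name__ == "__main__":
    for name, blob in (("GOOD", GOOD), ("BAD_OFFSET", BAD_OFFSET), ("BAD_RIL", BAD_RIL)):
        print(f"{name}: {check(blob)}")
```

The parser takes a bare header section; in a real .rpm file the 96-byte lead and the signature header (padded to an 8-byte boundary) precede the main header, so a pre-screening tool would locate each header by its magic before handing it to parse_header. The point of the example is the order of operations: every offset read from the file is range-checked against dl and il before it is used to index memory, which is exactly the discipline the affected rpm versions lacked.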

References

http://lists.fedoraproject.org/pipermail/package-announce/2012-April/077960.html

http://lists.fedoraproject.org/pipermail/package-announce/2012-April/078819.html

http://lists.fedoraproject.org/pipermail/package-announce/2012-April/078907.html

http://rhn.redhat.com/errata/RHSA-2012-0451.html

http://rhn.redhat.com/errata/RHSA-2012-0531.html

http://rpm.org/gitweb?p=rpm.git;a=commitdiff;h=e4eab2bc6d07cfd33f740071de7ddbb2fe2f4190

http://rpm.org/gitweb?p=rpm.git;a=commitdiff;h=f23998251992b8ae25faf5113c42fee2c49c7f29

http://rpm.org/wiki/Releases/4.9.1.3

http://secunia.com/advisories/48651

http://secunia.com/advisories/48716

http://secunia.com/advisories/49110

http://www.mandriva.com/security/advisories?name=MDVSA-2012:056

http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html

http://www.osvdb.org/81010

http://www.securityfocus.com/bid/52865

http://www.securitytracker.com/id?1026882

http://www.ubuntu.com/usn/USN-1695-1

https://bugzilla.redhat.com/show_bug.cgi?id=744858

https://exchange.xforce.ibmcloud.com/vulnerabilities/74582

https://hermes.opensuse.org/messages/14440932

https://hermes.opensuse.org/messages/14441362

Details

Source: MITRE

Published: 2012-06-04

Updated: 2018-01-18

Type: CWE-20

Risk Information

CVSS v2

Base Score: 6.8

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Impact Score: 6.4

Exploitability Score: 8.6

Severity: MEDIUM

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:rpm:rpm:1.2:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:1.3:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:1.3.1:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:1.4:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:1.4.1:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:1.4.2:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:1.4.2\/a:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:1.4.3:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:1.4.4:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:1.4.5:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:1.4.6:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:1.4.7:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:2.0:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:2.0.1:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:2.0.2:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:2.0.3:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:2.0.4:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:2.0.5:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:2.0.6:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:2.0.7:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:2.0.8:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:2.0.9:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:2.0.10:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:2.0.11:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:2.1:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:2.1.1:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:2.1.2:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:2.2:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:2.2.1:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:2.2.2:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:2.2.3:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:2.2.3.10:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:2.2.3.11:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:2.2.4:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:2.2.5:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:2.2.6:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:2.2.7:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:2.2.8:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:2.2.9:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:2.2.10:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:2.2.11:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:2.3:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:2.3.1:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:2.3.2:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:2.3.3:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:2.3.4:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:2.3.5:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:2.3.6:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:2.3.7:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:2.3.8:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:2.3.9:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:2.4.1:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:2.4.2:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:2.4.3:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:2.4.4:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:2.4.5:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:2.4.6:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:2.4.8:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:2.4.9:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:2.4.11:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:2.4.12:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:2.5:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:2.5.1:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:2.5.2:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:2.5.3:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:2.5.4:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:2.5.5:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:2.5.6:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:2.6.7:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:3.0:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:3.0.1:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:3.0.2:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:3.0.3:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:3.0.4:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:3.0.5:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:3.0.6:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:4.0.:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:4.0.1:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:4.0.2:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:4.0.3:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:4.0.4:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:4.1:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:4.3.3:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:4.4.2.1:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:4.4.2.2:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:4.4.2.3:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:4.5.90:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:4.6.0:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:4.6.0:rc1:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:4.6.0:rc2:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:4.6.0:rc3:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:4.6.0:rc4:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:4.6.1:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:4.7.0:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:4.7.1:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:4.7.2:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:4.8.0:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:4.8.1:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:4.9.0:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:4.9.0:alpha:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:4.9.0:beta1:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:4.9.0:rc1:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:4.9.1:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:4.9.1.1:*:*:*:*:*:*:*

cpe:2.3:a:rpm:rpm:*:*:*:*:*:*:*:* versions up to 4.9.1.2 (inclusive)

Tenable Plugins (23 total)

ID | Name | Product | Family | Severity
140293 | NewStart CGSL CORE 5.04 / MAIN 5.04 : rpm Multiple Vulnerabilities (NS-SA-2020-0039) | Nessus | NewStart CGSL Local Security Checks | high
91753 | OracleVM 3.2 : rpm (OVMSA-2016-0077) | Nessus | OracleVM Local Security Checks | high
89038 | VMware ESX / ESXi Third-Party Libraries Multiple Vulnerabilities (VMSA-2012-0013) (remote check) | Nessus | Misc. | high
82123 | Debian DLA-140-1 : rpm security update | Nessus | Debian Local Security Checks | critical
78922 | RHEL 6 : rhev-hypervisor6 (RHSA-2012:0531) | Nessus | Red Hat Local Security Checks | high
74615 | openSUSE Security Update : rpm / rpm-python (openSUSE-SU-2012:0589-1) | Nessus | SuSE Local Security Checks | medium
74614 | openSUSE Security Update : rpm / rpm-python (openSUSE-SU-2012:0588-1) | Nessus | SuSE Local Security Checks | medium
69668 | Amazon Linux AMI : rpm (ALAS-2012-61) | Nessus | Amazon Linux Local Security Checks | medium
68505 | Oracle Linux 4 / 5 / 6 : rpm (ELSA-2012-0451) | Nessus | Oracle Linux Local Security Checks | medium
64214 | SuSE 11.2 Security Update : RPM (SAT Patch Number 6191) | Nessus | SuSE Local Security Checks | medium
64213 | SuSE 11.1 Security Update : RPM (SAT Patch Number 6186) | Nessus | SuSE Local Security Checks | medium
63612 | Ubuntu 10.04 LTS / 11.10 / 12.04 LTS : rpm vulnerabilities (USN-1695-1) | Nessus | Ubuntu Local Security Checks | high
61747 | VMSA-2012-0013 : VMware vSphere and vCOps updates to third-party libraries | Nessus | VMware ESX Local Security Checks | critical
61294 | Scientific Linux Security Update : rpm on SL5.x, SL6.x i386/x86_64 (20120403) | Nessus | Scientific Linux Local Security Checks | medium
59984 | SuSE 10 Security Update : RPM (ZYPP Patch Number 8184) | Nessus | SuSE Local Security Checks | medium
59679 | GLSA-201206-26 : RPM: Multiple vulnerabilities | Nessus | Gentoo Local Security Checks | high
59164 | SuSE 10 Security Update : popt (ZYPP Patch Number 8093) | Nessus | SuSE Local Security Checks | medium
58821 | Fedora 16 : rpm-4.9.1.3-1.fc16 (2012-5421) | Nessus | Fedora Local Security Checks | medium
58820 | Fedora 15 : rpm-4.9.1.3-1.fc15 (2012-5420) | Nessus | Fedora Local Security Checks | medium
58717 | Mandriva Linux Security Advisory : rpm (MDVSA-2012:056) | Nessus | Mandriva Local Security Checks | medium
58712 | Fedora 17 : rpm-4.9.1.3-1.fc17 (2012-5298) | Nessus | Fedora Local Security Checks | medium
58586 | RHEL 4 / 5 / 6 : rpm (RHSA-2012:0451) | Nessus | Red Hat Local Security Checks | medium
58584 | CentOS 5 / 6 : rpm (CESA-2012:0451) | Nessus | CentOS Local Security Checks | medium