[ MDVSA-2010:180 ] rpm

2010-09-14T00:00:00
ID SECURITYVULNS:DOC:24737
Type securityvulns
Reporter Securityvulns
Modified 2010-09-14T00:00:00

Description

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1


Mandriva Linux Security Advisory MDVSA-2010:180 http://www.mandriva.com/security/


Package : rpm Date : September 13, 2010 Affected: 2009.0, Corporate 4.0, Enterprise Server 5.0


Problem Description:

A vulnerability has been found and corrected in rpm:

lib/fsm.c in RPM 4.8.0 and unspecified 4.7.x and 4.6.x versions, and RPM before 4.4.3, does not properly reset the metadata of an executable file during replacement of the file in an RPM package upgrade, which might allow local users to gain privileges by creating a hard link to a vulnerable (1) setuid or (2) setgid file (CVE-2010-2059).

The updated packages have been patched to correct this issue.


References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4889 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2059


Updated Packages:

Mandriva Linux 2009.0: fa15345f1bf67d79a08dcad06a3b335f 2009.0/i586/libpopt0-1.10.8-32.1mdv2009.0.i586.rpm e085756e7cbb462ad9e075c8aad25132 2009.0/i586/libpopt-devel-1.10.8-32.1mdv2009.0.i586.rpm 34e473060df48dad0efc80f6c6c9b3c8 2009.0/i586/librpm4.4-4.4.2.3-20.1mnb2.i586.rpm 8a4d91bd5b5cb7d06ac806a77b11a940 2009.0/i586/librpm-devel-4.4.2.3-20.1mnb2.i586.rpm 0a4e5395fc3b3786999918e21360359b 2009.0/i586/popt-data-1.10.8-32.1mdv2009.0.i586.rpm d41d2589155531cfee87a091f9f89539 2009.0/i586/python-rpm-4.4.2.3-20.1mnb2.i586.rpm 724452dc5531f53a72d1ae8d91303617 2009.0/i586/rpm-4.4.2.3-20.1mnb2.i586.rpm b7adacc04471296f7b5b9fc342ec2d68 2009.0/i586/rpm-build-4.4.2.3-20.1mnb2.i586.rpm 967e30ebc67369e0b21bb5c7f399e30d 2009.0/SRPMS/rpm-4.4.2.3-20.1mnb2.src.rpm

Mandriva Linux 2009.0/X86_64: 98232ad6b8baeb0f6a50f22bb46a4ce3 2009.0/x86_64/lib64popt0-1.10.8-32.1mdv2009.0.x86_64.rpm b5d31c766354288891124a6a8b0dbc19 2009.0/x86_64/lib64popt-devel-1.10.8-32.1mdv2009.0.x86_64.rpm 96a8cac433cfed95a2741173768ad8f6 2009.0/x86_64/lib64rpm4.4-4.4.2.3-20.1mnb2.x86_64.rpm 0c0927ae1fc9a626a466588b779d262e 2009.0/x86_64/lib64rpm-devel-4.4.2.3-20.1mnb2.x86_64.rpm 90ad635496f675505bc3834ca8c60822 2009.0/x86_64/popt-data-1.10.8-32.1mdv2009.0.x86_64.rpm 063b6e9e3c0fc8887a7be8e481fa277e 2009.0/x86_64/python-rpm-4.4.2.3-20.1mnb2.x86_64.rpm 3bef4cab40149ccb2aa038c1b32e5f2a 2009.0/x86_64/rpm-4.4.2.3-20.1mnb2.x86_64.rpm 0b655d3af90e7d1eb2d4e59b0e160f5c 2009.0/x86_64/rpm-build-4.4.2.3-20.1mnb2.x86_64.rpm 967e30ebc67369e0b21bb5c7f399e30d 2009.0/SRPMS/rpm-4.4.2.3-20.1mnb2.src.rpm

Corporate 4.0: cd4f97d9f90c54f76bdb54bba0fc5a0f corporate/4.0/i586/libpopt0-1.10.2-4.2.20060mlcs4.i586.rpm 0f3da3fa186fbe5c313aa0acdafd8ffa corporate/4.0/i586/libpopt0-devel-1.10.2-4.2.20060mlcs4.i586.rpm 217a7fe6dffe2e51909d92a8ab06713a corporate/4.0/i586/librpm4.4-4.4.2-4.2.20060mlcs4.i586.rpm 54bc36df51e6c68121890dd2029e1c94 corporate/4.0/i586/librpm4.4-devel-4.4.2-4.2.20060mlcs4.i586.rpm 85cbc98e200727d0f08002890ba72c1f corporate/4.0/i586/popt-data-1.10.2-4.2.20060mlcs4.i586.rpm b1dc2b338a5c30ff598a1b094caf0c0d corporate/4.0/i586/python-rpm-4.4.2-4.2.20060mlcs4.i586.rpm d697e6586174e9f1cae798dce607ba86 corporate/4.0/i586/rpm-4.4.2-4.2.20060mlcs4.i586.rpm 083b4e31320c505fdde4dbb486135ae6 corporate/4.0/i586/rpm-build-4.4.2-4.2.20060mlcs4.i586.rpm 9e2fb6a22e148e3c943c8bf80e053301 corporate/4.0/SRPMS/rpm-4.4.2-4.2.20060mlcs4.src.rpm

Corporate 4.0/X86_64: e1f2ea23bc539080ce9ae48dfff7aa3b corporate/4.0/x86_64/lib64popt0-1.10.2-4.2.20060mlcs4.x86_64.rpm 9c70d54050efa44b588c5ccd31149f22 corporate/4.0/x86_64/lib64popt0-devel-1.10.2-4.2.20060mlcs4.x86_64.rpm 9a61e76e1b9422e60e35f9bf0f4e981a corporate/4.0/x86_64/lib64rpm4.4-4.4.2-4.2.20060mlcs4.x86_64.rpm d7026b2dce06e9f20979704748c7eea6 corporate/4.0/x86_64/lib64rpm4.4-devel-4.4.2-4.2.20060mlcs4.x86_64.rpm 9ceb6720eb17b55a24d3e50a1d1ed9aa corporate/4.0/x86_64/popt-data-1.10.2-4.2.20060mlcs4.x86_64.rpm 645f0acdc04c25aef2735c9d32be1303 corporate/4.0/x86_64/python-rpm-4.4.2-4.2.20060mlcs4.x86_64.rpm 6a83c09532087105fe8858af533983b3 corporate/4.0/x86_64/rpm-4.4.2-4.2.20060mlcs4.x86_64.rpm b829957c44af2803e7f30672ad2a85d3 corporate/4.0/x86_64/rpm-build-4.4.2-4.2.20060mlcs4.x86_64.rpm 9e2fb6a22e148e3c943c8bf80e053301 corporate/4.0/SRPMS/rpm-4.4.2-4.2.20060mlcs4.src.rpm

Mandriva Enterprise Server 5: f776747005a841776744111f0a8a8e08 mes5/i586/libpopt0-1.10.8-32.1mdvmes5.1.i586.rpm 3c0093f3024fb86fa7eb2ee671bd7a3f mes5/i586/libpopt-devel-1.10.8-32.1mdvmes5.1.i586.rpm 04c8b6b32a75bdbfe7cfdf753de5d346 mes5/i586/librpm4.4-4.4.2.3-20.1mnb2.i586.rpm 605883a0b22cee54d863e9c1c8ef6e8d mes5/i586/librpm-devel-4.4.2.3-20.1mnb2.i586.rpm 7e09701bff28a534e57c5ce7b32ba0de mes5/i586/popt-data-1.10.8-32.1mdvmes5.1.i586.rpm 0303ca138c2028160b520dd23c9a7ebb mes5/i586/python-rpm-4.4.2.3-20.1mnb2.i586.rpm e7186039a1963f2e683b139ffe4f2b25 mes5/i586/rpm-4.4.2.3-20.1mnb2.i586.rpm d30b3740649fea15761383f02798b4a1 mes5/i586/rpm-build-4.4.2.3-20.1mnb2.i586.rpm 830a5096583811ccaa2bcf472162ef58 mes5/SRPMS/rpm-4.4.2.3-20.1mnb2.src.rpm

Mandriva Enterprise Server 5/X86_64: 066fccad93ad654c2261cf798039a14d mes5/x86_64/lib64popt0-1.10.8-32.1mdvmes5.1.x86_64.rpm ce023ecbd55217cc0bc525e8a49d0ca1 mes5/x86_64/lib64popt-devel-1.10.8-32.1mdvmes5.1.x86_64.rpm 842fc3b631936e6bcc757abab94bd43e mes5/x86_64/lib64rpm4.4-4.4.2.3-20.1mnb2.x86_64.rpm 65242d3af33eec8a60dc65e927acba23 mes5/x86_64/lib64rpm-devel-4.4.2.3-20.1mnb2.x86_64.rpm 9abca8b6c1a0b2dcd5b8470ea58a1a0a mes5/x86_64/popt-data-1.10.8-32.1mdvmes5.1.x86_64.rpm bb7bd25a8af5a4a8f65d22f93325bf41 mes5/x86_64/python-rpm-4.4.2.3-20.1mnb2.x86_64.rpm a92833fc3446f532b502c1eca510c397 mes5/x86_64/rpm-4.4.2.3-20.1mnb2.x86_64.rpm bc45add2a88207c52f306569d7a5a5db mes5/x86_64/rpm-build-4.4.2.3-20.1mnb2.x86_64.rpm 830a5096583811ccaa2bcf472162ef58 mes5/SRPMS/rpm-4.4.2.3-20.1mnb2.src.rpm


To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com


Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFMjXFDmqjQ0CJFipgRAiQMAKCA/tEwPO/XEgxl5kmGzr+7ggbW8wCgr7eb 7DGZPpGWmV7PfAeWrRymf9I= =m5rf -----END PGP SIGNATURE-----