Metric | Value |
---|---|
CVSS2 score | 5.8 Medium |
Access Vector | NETWORK |
Access Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | PARTIAL |
Availability Impact | PARTIAL |
CVSS2 vector | AV:N/AC:M/Au:N/C:N/I:P/A:P |
EPSS | 0.003 Low |
EPSS percentile | 65.8% |

rpmbuild in RPM 4.8.0 and earlier does not properly parse the syntax of
spec files, which allows user-assisted remote attackers to remove home
directories via vectors involving a ;~ (semicolon tilde) sequence in a Name
tag.
Author | Note |
---|---|
mdeslaur | rpm spec files can also trivially remove home directories. This isn’t an issue worth fixing since it is assumed source rpms are verified before being used, either by using a signed package from a trusted source, or by carefully auditing the spec file. Downgrading to “negligible” and ignoring. |