rpm is vulnerable to arbitrary code execution. An attacker could create a specially crafted RPM package that, when its package header is accessed or during package signature verification, could cause an application using the RPM library (such as the rpm command-line tool or the yum and up2date package managers) to crash or, potentially, execute arbitrary code.
lists.fedoraproject.org/pipermail/package-announce/2012-April/077960.html
lists.fedoraproject.org/pipermail/package-announce/2012-April/078819.html
lists.fedoraproject.org/pipermail/package-announce/2012-April/078907.html
rhn.redhat.com/errata/RHSA-2012-0451.html
rhn.redhat.com/errata/RHSA-2012-0531.html
rpm.org/gitweb?p=rpm.git;a=commitdiff;h=472e569562d4c90d7a298080e0052856aa7fa86b
rpm.org/gitweb?p=rpm.git;a=commitdiff;h=858a328cd0f7d4bcd8500c78faaf00e4f8033df6
rpm.org/wiki/Releases/4.9.1.3
secunia.com/advisories/48651
secunia.com/advisories/48716
secunia.com/advisories/49110
www.mandriva.com/security/advisories?name=MDVSA-2012:056
www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
www.osvdb.org/81009
www.securityfocus.com/bid/52865
www.securitytracker.com/id?1026882
www.ubuntu.com/usn/USN-1695-1
access.redhat.com/errata/RHSA-2012:0451
access.redhat.com/security/updates/classification/#important
bugzilla.redhat.com/show_bug.cgi?id=744104
exchange.xforce.ibmcloud.com/vulnerabilities/74581
hermes.opensuse.org/messages/14440932
hermes.opensuse.org/messages/14441362