MGASA-2021-0167 - Updated rpm packages fix security vulnerabilities

Publication date: 02 Apr 2021
URL: https://advisories.mageia.org/MGASA-2021-0167.html
Type: security
Affected Mageia releases: 8
CVE: CVE-2021-3421,
     CVE-2021-20266,
     CVE-2021-20271

This update from 4.16.1.2 to 4.16.1.3 fixes bugs several bugs the RPM
package manager, including several security issues:
* Fix arbitrary data copied from signature header past signature checking
  (CVE-2021-3421)
* Fix signature check bypass with corrupted package (CVE-2021-20271)
* Fix missing bounds checks in headerImport() and headerCheck()
  (CVE-2021-20266)
* Fix missing sanity checks on header entry count and region data overlap
* Fix access past end of header if the last entry is string type
* Fix unsafe headerCopyLoad() still used in codebase

References:
- https://bugs.mageia.org/show_bug.cgi?id=28674
- https://rpm.org/wiki/Releases/4.16.1.3
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3421
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20266
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20271

SRPMS:
- 8/core/rpm-4.16.1.3-1.mga8