Mageia 2021-0167: rpm security update
Summary
This update from 4.16.1.2 to 4.16.1.3 fixes bugs several bugs the RPM
package manager, including several security issues:
* Fix arbitrary data copied from signature header past signature checking
(CVE-2021-3421)
* Fix signature check bypass with corrupted package (CVE-2021-20271)
* Fix missing bounds checks in headerImport() and headerCheck()
(CVE-2021-20266)
* Fix missing sanity checks on header entry count and region data overlap
* Fix access past end of header if the last entry is string type
* Fix unsafe headerCopyLoad() still used in codebase
References
- https://bugs.mageia.org/show_bug.cgi?id=28674
- https://rpm.org/wiki/Releases/4.16.1.3
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3421
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20266
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20271
Resolution
MGASA-2021-0167 - Updated rpm packages fix security vulnerabilities
SRPMS
- 8/core/rpm-4.16.1.3-1.mga8