Scientific Linux Security Update: Important RPM Code Injection Risk

Important: rpm security update
Date: Wed, 10 Dec 2014 16:13:04 +0000
Reply-To: scientific-linux-users@
Sender: Security Errata for Scientific Linux
 
From: Pat Riehecky 
Subject: Security ERRATA Important: rpm on SL5.x, SL6.x i386/x86_64
MIME-Version: 1.0

Synopsis: Important: rpm security update
Advisory ID: SLSA-2014:1974-1
Issue Date: 2014-12-09
CVE Numbers: CVE-2013-6435
--

It was found that RPM wrote file contents to the target installation
directory under a temporary name, and verified its cryptographic signature
only after the temporary file has been written completely. Under certain
conditions, the system interprets the unverified temporary file contents
and extracts commands from it. This could allow an attacker to modify
signed RPM files in such a way that they would execute code chosen by the
attacker during package installation. (CVE-2013-6435)

All running applications linked against the RPM library must be restarted
for this update to take effect.
--

SL5
 x86_64
 popt-1.10.2.3-36.el5_11.i386.rpm
 popt-1.10.2.3-36.el5_11.x86_64.rpm
 rpm-4.4.2.3-36.el5_11.x86_64.rpm
 rpm-debuginfo-4.4.2.3-36.el5_11.i386.rpm
 rpm-debuginfo-4.4.2.3-36.el5_11.x86_64.rpm
 rpm-libs-4.4.2.3-36.el5_11.i386.rpm
 rpm-libs-4.4.2.3-36.el5_11.x86_64.rpm
 rpm-python-4.4.2.3-36.el5_11.x86_64.rpm
 rpm-apidocs-4.4.2.3-36.el5_11.x86_64.rpm
 rpm-build-4.4.2.3-36.el5_11.x86_64.rpm
 rpm-devel-4.4.2.3-36.el5_11.i386.rpm
 rpm-devel-4.4.2.3-36.el5_11.x86_64.rpm
 i386
 popt-1.10.2.3-36.el5_11.i386.rpm
 rpm-4.4.2.3-36.el5_11.i386.rpm
 rpm-debuginfo-4.4.2.3-36.el5_11.i386.rpm
 rpm-libs-4.4.2.3-36.el5_11.i386.rpm
 rpm-python-4.4.2.3-36.el5_11.i386.rpm
 rpm-apidocs-4.4.2.3-36.el5_11.i386.rpm
 rpm-build-4.4.2.3-36.el5_11.i386.rpm
 rpm-devel-4.4.2.3-36.el5_11.i386.rpm
SL6
 x86_64
 rpm-4.8.0-38.el6_6.x86_64.rpm
 rpm-build-4.8.0-38.el6_6.x86_64.rpm
 rpm-debuginfo-4.8.0-38.el6_6.i686.rpm
 rpm-debuginfo-4.8.0-38.el6_6.x86_64.rpm
 rpm-libs-4.8.0-38.el6_6.i686.rpm
 rpm-libs-4.8.0-38.el6_6.x86_64.rpm
 rpm-python-4.8.0-38.el6_6.x86_64.rpm
 rpm-devel-4.8.0-38.el6_6.i686.rpm
 rpm-devel-4.8.0-38.el6_6.x86_64.rpm
 i386
 rpm-4.8.0-38.el6_6.i686.rpm
 rpm-build-4.8.0-38.el6_6.i686.rpm
 rpm-debuginfo-4.8.0-38.el6_6.i686.rpm
 rpm-libs-4.8.0-38.el6_6.i686.rpm
 rpm-python-4.8.0-38.el6_6.i686.rpm
 rpm-devel-4.8.0-38.el6_6.i686.rpm
 noarch
 rpm-apidocs-4.8.0-38.el6_6.noarch.rpm
 rpm-cron-4.8.0-38.el6_6.noarch.rpm

- Scientific Linux Development Team
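
The restart requirement stated in the advisory can be checked on each host after the update. The script below is an added example, not part of the advisory or of any Scientific Linux tooling. It assumes the Linux convention that `/proc/<pid>/maps` marks a mapping of a replaced (unlinked) library file with `(deleted)`, and the function names are made up for this example.

```shell
#!/bin/sh
# Added example: find processes still mapping a pre-update copy of librpm.
# After the updated rpm-libs package replaces the library on disk, a process
# that loaded the old file keeps it mapped, and its maps entry looks like:
#   7f10a000-7f10f000 r-xp 00000000 fd:00 1234 /usr/lib64/librpm.so.1 (deleted)

# Read maps-format text on stdin; print each distinct librpm* path whose
# mapping is marked "(deleted)". Field 6 of a maps line is the pathname.
stale_librpm_paths() {
    awk -v re='/librpm[^/ ]*[.]so[^/ ]* [(]deleted[)]$' '
        $0 ~ re { if (!($6 in seen)) { seen[$6] = 1; print $6 } }'
}

# Walk a proc-style tree (default /proc) and print one tab-separated line per
# affected process: PID, process name, comma-joined stale library paths.
scan_procs() {
    root=${1:-/proc}
    for maps in "$root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue            # process exited or not readable
        hits=$(stale_librpm_paths < "$maps" 2>/dev/null) || continue
        [ -n "$hits" ] || continue            # nothing stale in this process
        pid=${maps%/maps}
        pid=${pid##*/}
        # The Name: line of status is used because it exists on old kernels too.
        name=$(sed -n 's/^Name:[[:space:]]*//p' "$root/$pid/status" 2>/dev/null)
        printf '%s\t%s\t%s\n' "$pid" "${name:-?}" \
            "$(printf '%s' "$hits" | tr '\n' ',')"
    done
}

# Run as root with --scan to check every process on the live system.
if [ "${1:-}" = "--scan" ]; then
    scan_procs /proc
fi
```

Any process the scan lists is still running the old library code and needs a restart. Empty output means no readable process holds a stale copy.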
