On Fri, Oct 08, 2004 at 03:48:41AM +0530, Santosh Eraniose wrote:
> Hi,
>
> I have come across this advisory, CAN-2001-0923, but am unable to see
> any updates related to it on the Redhat site. I have seen some updates from
> Connectiva, but have been unable to download, as the file seems to be
> removed.
> I have checked the archives of Oct 2001-Jan 2002, but have seen no
> discussion on this mailing list.
>
> It would be helpful, if you are aware of updates to this issue if any.
>
> Details are from http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0923
> Name CAN-2001-0923 (under review)
> Description RPM Package Manager 4.0.x through 4.0.2.x allows an attacker to
> execute arbitrary
> code via corrupted data in the RPM file when the file is queried

The exploit was twisting a value causing heap corruption leading to a setuid
shell because of a rpm -q against a malicious package. The problem was fixed
in July or August 2002.

The CAN report should say rpm-4.0 and rpm-4.0.2 only, there was no rpm-4.0.1
release.

FWIW, rpm-4.1-1 was known to be immune to all single byte damage to a header,
tested by exhaustively changing every byte to every possible value and looking
for a segfault.

In addition, rpm-4.1 and later has sha1 digest and signature checks on all
header read paths -- when correctly configured and used -- which should be at
least mildly reassuring.

73 de Jeff

--
Jeff Johnson ARS N3NPQ
jbj@xxxxxxxxxx (jbj@xxxxxxx)
Chapel Hill, NC

_______________________________________________
Rpm-list mailing list
Rpm-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/rpm-list
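The bug class Jeff describes, a twisted count or offset in an RPM header being trusted by the query path, is the kind of thing a bounds-checked header parser rejects before any allocation happens. The following is an added example, not rpm's own code and not something from this thread: a small Python parser for the RPM header section (the magic, index count, data size, 16-byte index entries and data store) that validates every length and offset against the buffer before using it, and a constructed header with two string tags (1000 and 1001, the RPMTAG_NAME and RPMTAG_VERSION numbers) that is then corrupted in the two ways the parser is meant to catch. The sanity caps MAX_INDEX_ENTRIES and MAX_STORE_BYTES are assumed values chosen for this example, not rpm constants; the sample bytes are constructed inline, and the rpm lead and signature header are deliberately not modelled.

```python
import struct

HEADER_MAGIC = b"\x8e\xad\xe8\x01"          # 3-byte magic plus header version 1
INDEX_ENTRY = struct.Struct(">iiii")        # tag, type, offset, count (big-endian)
# Bytes per element for the fixed-width RPM data types; string types (6, 8, 9)
# are nul-terminated and handled separately.
TYPE_SIZES = {0: 1, 1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1}
STRING_TYPES = {6, 8, 9}
MAX_INDEX_ENTRIES = 0xFFFF       # assumed sanity cap for this example
MAX_STORE_BYTES = 16 * 1024 * 1024  # assumed sanity cap for this example


def parse_header(buf: bytes) -> dict:
    """Parse one RPM header section; raise ValueError on any inconsistent field."""
    if len(buf) < 16 or buf[:4] != HEADER_MAGIC:
        raise ValueError("bad header magic or truncated preamble")
    nindex, hsize = struct.unpack(">II", buf[8:16])
    # Reject implausible counts before they drive an allocation or a loop bound.
    if nindex == 0 or nindex > MAX_INDEX_ENTRIES:
        raise ValueError(f"implausible index count {nindex}")
    if hsize > MAX_STORE_BYTES:
        raise ValueError(f"implausible data store size {hsize}")
    index_len = nindex * INDEX_ENTRY.size
    store_start = 16 + index_len
    if store_start + hsize > len(buf):
        raise ValueError("index or data store runs past end of buffer")
    store = buf[store_start:store_start + hsize]

    entries = {}
    for i in range(nindex):
        tag, typ, off, cnt = INDEX_ENTRY.unpack_from(buf, 16 + i * INDEX_ENTRY.size)
        # Every offset and count is checked against hsize, never trusted.
        if off < 0 or off >= hsize or cnt <= 0:
            raise ValueError(f"tag {tag}: offset {off} / count {cnt} out of range")
        if typ in STRING_TYPES:
            if typ == 6 and cnt != 1:
                raise ValueError(f"tag {tag}: STRING type must have count 1")
            values, pos = [], off
            for _ in range(cnt):
                end = store.find(b"\x00", pos)
                if end < 0:
                    raise ValueError(f"tag {tag}: unterminated string")
                values.append(store[pos:end].decode("utf-8", "replace"))
                pos = end + 1
            entries[tag] = values[0] if typ == 6 else values
        elif typ in TYPE_SIZES:
            need = TYPE_SIZES[typ] * cnt
            if off + need > hsize:
                raise ValueError(f"tag {tag}: {need} bytes at {off} exceed store")
            entries[tag] = store[off:off + need]
        else:
            raise ValueError(f"tag {tag}: unknown data type {typ}")
    return entries


def build_sample_header() -> bytes:
    """Constructed sample: a well-formed header with NAME and VERSION strings."""
    store, index = b"", []
    for tag, value in ((1000, "example-pkg"), (1001, "1.0")):
        index.append(INDEX_ENTRY.pack(tag, 6, len(store), 1))
        store += value.encode() + b"\x00"
    return (HEADER_MAGIC + b"\x00" * 4
            + struct.pack(">II", len(index), len(store))
            + b"".join(index) + store)


def corrupt_index_count(hdr: bytes) -> bytes:
    """Twist the index count to a huge value (the data behind it is unchanged)."""
    return hdr[:8] + struct.pack(">I", 0x7FFFFFFF) + hdr[12:]


def corrupt_entry_offset(hdr: bytes) -> bytes:
    """Point the first index entry's offset far beyond the data store."""
    tag, typ, _off, cnt = INDEX_ENTRY.unpack_from(hdr, 16)
    return hdr[:16] + INDEX_ENTRY.pack(tag, typ, 0x10000, cnt) + hdr[32:]


def safe_query(hdr: bytes):
    """Return (True, fields) for a consistent header, (False, reason) otherwise."""
    try:
        return True, parse_header(hdr)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    good = build_sample_header()
    for label, hdr in (("clean", good),
                       ("bad count", corrupt_index_count(good)),
                       ("bad offset", corrupt_entry_offset(good))):
        print(label, safe_query(hdr))
```

The two corruptions stand in for the "twisted value" in the thread: the parser refuses both with a clean error instead of reading or allocating past the buffer, which is the behaviour a query path needs regardless of whether a digest or signature check ran first.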