Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

CVE-2011-3378

Published: 24 December 2011

RPM 4.4.x through 4.9.x, probably before 4.9.1.2, allows remote attackers to cause a denial of service (memory corruption) and possibly execute arbitrary code via an rpm package with crafted headers and offsets that are not properly handled when a package is queried or installed, related to (1) the regionSwab function, (2) the headerLoad function, and (3) multiple functions in rpmio/rpmpgp.c.

Notes

AuthorNote
jdstrand
limited attack vector

Priority

Low

Status

Package Release Status
rpm
Launchpad, Ubuntu, Debian
hardy Ignored
(end of life)
lucid
Released (4.7.2-1lubuntu0.1)
maverick Ignored
(end of life)
natty Ignored
(end of life)
oneiric
Released (4.9.0-7ubuntu0.1)
precise
Released (4.9.1.1-1ubuntu0.1)
quantal Not vulnerable
(4.9.1.3-2)
upstream
Released (4.9.1.2)
Patches:
upstream: http://rpm.org/gitweb?p=rpm.git;a=commitdiff;h=11a7e5d95a8ca8c7d4eaff179094afd8bb74fc3f
upstream: http://rpm.org/gitweb?p=rpm.git;a=commitdiff;h=a48f0e20cbe2ababc88b2fc52fb7a281d6fc1656