-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDVSA-2011:143
http://www.mandriva.com/security/
_______________________________________________________________________

Package : rpm
Date    : October 5, 2011
Affected: 2009.0, 2010.1, Enterprise Server 5.0
_______________________________________________________________________

Problem Description:

Multiple flaws were found in the way the RPM library parsed package
headers. An attacker could create a specially crafted RPM package that,
when queried or installed, would cause rpm to crash or, potentially,
execute arbitrary code (CVE-2011-3378).

Additionally, for Mandriva Linux 2009.0 and Mandriva Linux Enterprise
Server 5, updated perl-URPM and lzma (xz v5) packages are being provided
to support upgrading to Mandriva Linux 2011.

The updated packages have been patched to correct these issues.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3378
_______________________________________________________________________

Updated Packages:
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security.
You can obtain the GPG public key of the Mandriva Security Team by
executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFOjHw1mqjQ0CJFipgRAmhYAJoCELWnwS7tgXwMikryTp7aBGHBSgCglC+q
FzkgbuCVJvM+cAouZUfpbJk=
=XKgy
-----END PGP SIGNATURE-----