CVE-2010-2059: rpm vulnerability (also tracked by Debian against dpkg)

CWE-264, 33 documents, 7 sources

Severity: 7.2 HIGH (NVD)
EPSS: 0.0% (top 86.08%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jun 8, 2010; latest update May 17, 2022

Description

lib/fsm.c in RPM 4.8.0 and unspecified 4.7.x and 4.6.x versions, and RPM before 4.4.3, does not properly reset the metadata of an executable file during replacement of the file in an RPM package upgrade, which might allow local users to gain privileges by creating a hard link to a vulnerable (1) setuid or (2) setgid file.
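The mechanism in the description is a filesystem one: RPM replaced the path but never touched the old inode, so any hard link a local user had already made to a setuid or setgid binary kept the privileged mode bits after the upgrade. The script below is an added example, not code from the advisory or from RPM; it reproduces the failure mode in a scratch directory, shows the fix (clear the mode bits on the old inode before the path is replaced), and includes the pre-upgrade audit a practitioner would run. The file names (setuid-tool, attacker/keep) and the upgrade functions are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the advisory page or from RPM itself: a
# filesystem-level reproduction of the CVE-2010-2059 failure mode, the
# corresponding fix, and a pre-upgrade audit. All paths are scratch
# directories created with mktemp; no real package is touched.
set -eu

# Ten-character permission string of a path, e.g. "-rwsr-xr-x".
# ls(1) is used because stat(1) flags differ between GNU and BSD.
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# Upgrade the way the vulnerable fsm.c behaved: put the new file in place
# and let the old path go. The old inode is never modified, so a hard
# link to it keeps its setuid/setgid bits.
#   $1 = installed path, $2 = replacement file
vulnerable_upgrade() {
    mv -f "$2" "$1"
}

# Fixed behaviour: strip setuid/setgid from the old inode *before* the
# path is replaced. (The sibling bugs CVE-2010-2198/CVE-2010-2199 need
# the same treatment for file capabilities and POSIX ACLs, e.g. with
# setcap -r and setfacl -b; they are skipped here for portability.)
hardened_upgrade() {
    if [ -f "$1" ]; then
        chmod u-s,g-s "$1"
    fi
    mv -f "$2" "$1"
}

# Build the scenario: a setuid file, a hard link kept by a local user in
# a directory they control (same filesystem), and a replacement file.
# Prints the scratch directory.
make_scenario() {
    work=$(mktemp -d)
    printf '#!/bin/sh\necho old\n' > "$work/setuid-tool"
    chmod 4755 "$work/setuid-tool"
    mkdir "$work/attacker"
    ln "$work/setuid-tool" "$work/attacker/keep"
    printf '#!/bin/sh\necho new\n' > "$work/setuid-tool.new"
    printf '%s\n' "$work"
}

# Run an upgrade with the given function and print the permission string
# the attacker's hard link ends up with.
#   $1 = vulnerable_upgrade | hardened_upgrade
link_mode_after_upgrade() {
    dir=$(make_scenario)
    "$1" "$dir/setuid-tool" "$dir/setuid-tool.new"
    mode_string "$dir/attacker/keep"
    rm -rf "$dir"
}

# Pre-upgrade audit: setuid/setgid regular files reachable from $1 that
# have more than one link. Every path sharing such an inode is printed,
# so a planted link shows up together with the original binary.
# On a real host run it against / before upgrading rpm.
find_multilink_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -links +1
}

# Number of paths the audit reports for a freshly built scenario
# (original plus the planted link: 2).
multilink_setuid_count() {
    dir=$(make_scenario)
    find_multilink_setuid "$dir" | wc -l | tr -d ' '
    rm -rf "$dir"
}

printf 'attacker link after vulnerable upgrade: %s\n' "$(link_mode_after_upgrade vulnerable_upgrade)"
printf 'attacker link after hardened upgrade:   %s\n' "$(link_mode_after_upgrade hardened_upgrade)"
printf 'multi-link setuid paths before upgrade: %s\n' "$(multilink_setuid_count)"
```

The audit only catches links that exist before the upgrade; once the path has been replaced the orphaned inode has a link count of 1 and must instead be found by comparing `find / -perm -4000` output against what the package manager owns. Note also that the attack needs the link to be created by a user who does not own the setuid file; Linux kernels with `fs.protected_hardlinks=1` (available since 3.6, so not on the 2010-era systems this CVE targeted) refuse such links, which removes the precondition for unprivileged local users.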

CVSS vector

CVSS v2: AV:L/AC:L/Au:N/C:C/I:C/A:C (Exploitability: 3.9 | Impact: 10.0)

Affected Packages (6 packages)

- Debian, debian/rpm: < rpm 4.7.0-1 (bookworm), +2 more
- Debian, debian/dpkg: < dpkg 1.10.19 (bookworm)
- Debian, rpm/rpm: < 4.7.0-1, +7 more
- Debian, debian/dpkg: < 1.10.19, +3 more
- NVD, rpm/rpm: 4.8.0, +95 more

Patches

🔴 Vulnerability Details (15)

- GHSA: GHSA-fw46-vp2w-pvxq: lib/fsm (2022-05-17)
- GHSA: GHSA-7v29-vf8p-2rvp: lib/fsm (2022-05-17)
- GHSA: GHSA-f3f6-q22p-8fh5: lib/fsm (2022-05-14)
- GHSA: GHSA-pfqv-vjx4-pmxj: lib/fsm (2022-05-01)
- GHSA: GHSA-qrp8-65v4-pc63: dpkg 1 (2022-04-29)

📋 Vendor Advisories (9)

- Red Hat: rpm: fails to drop POSIX file capabilities on package upgrade or removal (2010-06-01)
- Red Hat: rpm: fails to drop SUID/SGID bits on package upgrade (2010-06-01)
- Red Hat: rpm: fails to drop SUID/SGID bits on package removal (2010-06-01)
- Red Hat: rpm: fails to drop POSIX ACLs on package upgrade or removal (2010-06-01)
- Debian: CVE-2010-2199: rpm - lib/fsm.c in RPM 4.8.0 and earlier does not properly reset the metadata of an ex... (2010)

💬 Community (4)

- Bugzilla: CVE-2005-4889 rpm: fails to drop SUID/SGID bits on package removal (2010-08-20)
- Bugzilla: CVE-2010-2199 rpm: fails to drop POSIX ACLs on package upgrade or removal (2010-06-08)
- Bugzilla: CVE-2010-2198 rpm: fails to drop POSIX file capabilities on package upgrade or removal (2010-06-08)
- Bugzilla: CVE-2010-2059 rpm: fails to drop SUID/SGID bits on package upgrade (2010-06-02)

These four Bugzilla entries track sibling issues in the same code path, of which only one is this CVE: CVE-2010-2059 covers SUID/SGID bits left on the old inode during upgrade, CVE-2005-4889 the same bits on package removal, CVE-2010-2198 POSIX file capabilities, and CVE-2010-2199 POSIX ACLs.