Severity: 6.8 MEDIUM (NVD)
EPSS: 4.9% (top 10.41%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Jun 4
Latest update: May 4

Description

RPM before 4.9.1.3 does not properly validate region tags, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an invalid region tag in a package header to the (1) headerLoad, (2) rpmReadSignature, or (3) headerVerify function.

CVSS vector

AV:N/AC:M/C:P/I:P/A:P
Exploitability: 8.6 | Impact: 6.4

Affected Packages (3 packages)

debian: debian/rpm < rpm 4.9.1.3-1 (bookworm)
Debian: rpm/rpm < 4.9.1.3-1+3
NVD: rpm/rpm 4.9.1.2+97

Vulnerability Details (4)

GHSA: GHSA-j6wj-cqmg-hvcm: RPM before 4 (2022-05-04)
Kernel: KVM: x86: invalid opcode oops on SET_SREGS with OSXSAVE bit set (CVE-2012-4461) (2012-11-06)
CVEList: CVE-2012-0060: RPM before 4 (2012-06-04)
OSV: CVE-2012-0060: RPM before 4 (2012-06-04)

Vendor Advisories (3)

Ubuntu: RPM vulnerabilities (2013-01-17)
Red Hat: rpm: insufficient validation of region tags (2012-04-03)
Debian: CVE-2012-0060: rpm - RPM before 4.9.1.3 does not properly validate region tags, which allows remote a... (2012)

Community (5)

Bugzilla: CVE-2012-5471 moodle: Various security issues fixed in upstream 2.3.3, 2.2.6 and 2.1.9 versions (MSA-12-0057, MSA-12-0058, MSA-12-0059, MSA-12-0060, MSA-12-0061, MSA-12-0062, MSA-12-0063) [fedora-all] (2012-11-19)
Bugzilla: CVE-2012-2373 kernel: mm: read_pmd_atomic: 32bit PAE pmd walk vs pmd_populate SMP race condition (2012-05-18)
Bugzilla: CVE-2012-0815 CVE-2012-0060 CVE-2012-0061 rpm various flaws [fedora-all] (2012-04-03)
Bugzilla: CVE-2011-4109 openssl: double-free in policy checks (2012-01-04)
Bugzilla: CVE-2012-0060 rpm: insufficient validation of region tags (2011-10-10)