CVE-2012-6088 — RPM vulnerability

CWE-2557 documents7 sources

Severity

4.3MEDIUMNVD

EPSS

0.5%

top 32.78%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

RPM Debian RPM

Timeline

PublishedJan 18

Latest updateFeb 13

Description

The rpmpkgRead function in lib/package.c in RPM 4.10.x before 4.10.2 does not return an error code in certain situations involving an "unparseable signature," which allows remote attackers to bypass RPM signature checks via a crafted package.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages3 packages

▶debiandebian/rpm< rpm 4.10.1-2.1 (bookworm)

▶Debianrpm/rpm< 4.10.1-2.1+3

▶NVDrpm/rpm4.10.0, 4.10.1+1

Patches

Patch: rpm.org ↗Patch: rpm.org ↗

🔴Vulnerability Details

GHSA

GHSA-2frm-49v8-4jhm: The rpmpkgRead function in lib/package↗2022-05-17

▶

CVEList

CVE-2012-6088: The rpmpkgRead function in lib/package↗2013-01-18

▶

OSV

CVE-2012-6088: The rpmpkgRead function in lib/package↗2013-01-18

▶

📋Vendor Advisories

Red Hat

rpm: Signature checking function returned success on (possibly malicious ) rpm packages↗2023-02-13

▶

Ubuntu

RPM vulnerability↗2013-01-17

▶

Debian

CVE-2012-6088: rpm - The rpmpkgRead function in lib/package.c in RPM 4.10.x before 4.10.2 does not re...↗2012

▶