CVE-2011-3378: Code Injection
First published: Tue Sep 27 2011(Updated: )
Created <span class=""><a href="attachment.cgi?id=525110" name="attach_525110" title="testcase">attachment 525110</a> <a href="attachment.cgi?id=525110&action=edit" title="testcase">[details]</a></span> testcase Description of problem: int off = ntohl(pe->offset); if (hdrchkData(off)) goto errxit; if (off) { size_t nb = REGION_TAG_COUNT; int32_t stei[nb]; /* XXX Hmm, why the copy? */ memcpy(&stei, dataStart + off, nb); No check for dataStart + off > dataEnd. (gdb) r --checksig rpminput.rpm [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/libthread_db.so.1". error: no dbpath has been set error: cannot open Packages database in /%{_dbpath} Program received signal SIGSEGV, Segmentation fault. memcpy () at ../sysdeps/x86_64/memcpy.S:117 117 ../sysdeps/x86_64/memcpy.S: No such file or directory. in ../sysdeps/x86_64/memcpy.S (gdb) bt #0 memcpy () at ../sysdeps/x86_64/memcpy.S:117 #1 0x00007ffff7946493 in headerLoad (uh=0x623e00) at header.c:831 #2 0x00007ffff7946af9 in headerRead (fd=0x622180, magicp=HEADER_MAGIC_YES) at header.c:994 #3 0x00007ffff79731d1 in readFile (fd=0x622180, fn=0x60a080 "rpminput.rpm", dig=0x622ab0, plbundle=0x6223b0, hdrbundle=0x622420) at rpmchecksig.c:462 #4 0x00007ffff7973c29 in rpmpkgVerifySigs (keyring=0x620ef0, flags=1572865, fd=0x622180, fn=0x60a080 "rpminput.rpm") at rpmchecksig.c:689 #5 0x00007ffff797429e in rpmcliSign (ts=0x621630, qva=0x7ffff7bab180, argv=0x609ed8) at rpmchecksig.c:824 #6 0x00000000004036e0 in main (argc=3, argv=0x7fffffffe458) at rpmqv.c:787
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Rpm Rpm | =4.4.2.1 | |
| Rpm Rpm | =4.8.0 | |
| Rpm Rpm | =4.4.2 | |
| Rpm Rpm | =4.6.0 | |
| Rpm Rpm | =4.4.2.2 | |
| Rpm Rpm | =4.7.2 | |
| Rpm Rpm | =4.7.0 | |
| Rpm Rpm | =4.4.2.3 | |
| Rpm Rpm | =4.6.1 | |
| Rpm Rpm | =4.7.1 | |
| Rpm Rpm | <=4.9.1.1 | |
| Rpm Rpm | =4.4.2. | |
| redhat/rpm | <0:4.3.3-35_nonptl.el4 | 0:4.3.3-35_nonptl.el4 |
| redhat/rpm | <0:4.4.2.3-22.el5_6.2 | 0:4.4.2.3-22.el5_6.2 |
| redhat/rpm | <0:4.4.2.3-9.el5_3.2 | 0:4.4.2.3-9.el5_3.2 |
| redhat/rpm | <0:4.8.0-16.el6_1.1 | 0:4.8.0-16.el6_1.1 |
| redhat/rpm | <0:4.8.0-12.el6_0.1 | 0:4.8.0-12.el6_0.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.openwall.com/lists/oss-security/2011/09/27/3
- https://bugzilla.redhat.com/show_bug.cgi?id=741612
- http://www.redhat.com/support/errata/RHSA-2011-1349.html
- http://lists.opensuse.org/opensuse-security-announce/2011-11/msg00002.html
- http://lists.opensuse.org/opensuse-security-announce/2011-11/msg00000.html
- https://bugzilla.redhat.com/show_bug.cgi?id=741606
- http://www.mandriva.com/security/advisories?name=MDVSA-2011:143
- http://rpm.org/wiki/Releases/4.9.1.2#Security
- http://www.ubuntu.com/usn/USN-1695-1
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10691
- http://rpm.org/gitweb?p=rpm.git%3Ba=commitdiff%3Bh=a48f0e20cbe2ababc88b2fc52fb7a281d6fc1656
- http://rpm.org/gitweb?p=rpm.git%3Ba=commitdiff%3Bh=11a7e5d95a8ca8c7d4eaff179094afd8bb74fc3f
- https://www.cve.org/CVERecord?id=CVE-2011-3378 https://nvd.nist.gov/vuln/detail/CVE-2011-3378
- https://access.redhat.com/errata/RHSA-2011:1349
- https://access.redhat.com/security/cve/CVE-2011-3378
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=525110
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=525110&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=525123
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=525123&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=741606#c4
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=741606#c2
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=741606#c12
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=741606#c0
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=741612
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=741606#c15
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=741606
- http://rpm.org/gitweb?p=rpm.git;a=commitdiff;h=11a7e5d95a8ca8c7d4eaff179094afd8bb74fc3f
- http://rpm.org/gitweb?p=rpm.git;a=commitdiff;h=a48f0e20cbe2ababc88b2fc52fb7a281d6fc1656
- https://rhn.redhat.com/errata/RHSA-2011-1349.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=743103
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=744263
- http://gnu.org/licenses/gpl.html
- http://www.gnu.org/software/gdb/bugs/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=741606#c29
- https://access.redhat.com/security/team/contact/
- collector/nvd-historical
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/references
- agent/weakness
- agent/author
- agent/last-modified-date
- agent/description
- agent/event
- agent/tags
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2011-3378
- vendor/rpm
- canonical/rpm rpm
- version/rpm rpm/4.4.2.1
- version/rpm rpm/4.8.0
- version/rpm rpm/4.4.2
- version/rpm rpm/4.6.0
- version/rpm rpm/4.4.2.2
- version/rpm rpm/4.7.2
- version/rpm rpm/4.7.0
- version/rpm rpm/4.4.2.3
- version/rpm rpm/4.6.1
- version/rpm rpm/4.7.1
- version/rpm rpm/4.9.1.1
- version/rpm rpm/4.4.2.
- package-manager/redhat