RPM: Buffer overflow
Gentoo Linux Security Advisory
||GLSA 200611-08 / rpm
||November 13, 2006
||November 13, 2006: 01
All supported architectures
RPM is vulnerable to a buffer overflow and possibly the execution of
arbitrary code when opening specially crafted packages.
The Red Hat Package Manager (RPM) is a command line driven package
management system capable of installing, uninstalling, verifying,
querying, and updating computer software packages.
Vladimir Mosgalin has reported that when processing certain packages,
RPM incorrectly allocates memory for the packages, possibly causing a
heap-based buffer overflow.
An attacker could entice a user to open a specially crafted RPM package
and execute code with the privileges of that user if certain locales
There is no known workaround at this time.
All RPM users should upgrade to the latest version:
Code Listing 3.1: Resolution
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-arch/rpm-4.4.6-r3"