PublicDateAtUSN: 2012-12-31
Candidate: CVE-2012-6088
PublicDate: 2013-01-18 11:48:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6088
 http://www.openwall.com/lists/oss-security/2013/01/03/9
 https://bugzilla.novell.com/show_bug.cgi?id=796375
 http://rpm.org/wiki/Releases/4.10.2
 https://ubuntu.com/security/notices/USN-1694-1
Description:
 The rpmpkgRead function in lib/package.c in RPM 4.10.x before 4.10.2 does
 not return an error code in certain situations involving an "unparseable
 signature," which allows remote attackers to bypass RPM signature checks
 via a crafted package.
Ubuntu-Description:
Notes:
 mdeslaur> only affects rpm >= 4.10.0
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697375
 https://bugzilla.novell.com/show_bug.cgi?id=796375
Priority: low
Discovered-by:
Assigned-to: mdeslaur
CVSS: 

Patches_rpm:
 upstream: http://rpm.org/gitweb?p=rpm.git;a=commitdiff;h=3d74c43e7424bc8bf95f5e031446ecb6b08381e8
upstream_rpm: released (4.10.2)
hardy_rpm: ignored (reached end-of-life)
lucid_rpm: not-affected (4.7.2-1lbuild1)
oneiric_rpm: not-affected (4.9.0-7)
precise_rpm: not-affected (4.9.1.1-1build1)
quantal_rpm: released (4.10.0-4ubuntu0.1)
devel_rpm: not-affected (4.10.1-2.1)