CVE-2019-3817 – libcomps: use after free when merging two objmrtrees
https://notcve.org/view.php?id=CVE-2019-3817
A use-after-free flaw has been discovered in libcomps before version 0.1.10 in the way ObjMRTrees are merged. An attacker, who is able to make an application read a crafted comps XML file, may be able to crash the application or execute malicious code.
• https://access.redhat.com/errata/RHSA-2019:3583
• https://access.redhat.com/errata/RHSA-2019:3898
• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3817
• https://github.com/rpm-software-management/libcomps/commit/e3a5d056633677959ad924a51758876d415e7046
• https://github.com/rpm-software-management/libcomps/issues/41
• https://access.redhat.com/security/cve/CVE-2019-3817
• https://bugzilla.redhat.com/show_bug.cgi?id=1668005
• CWE-416: Use After Free
CVE-2017-7500
https://notcve.org/view.php?id=CVE-2017-7500
It was found that rpm did not properly handle RPM installations when a destination path was a symbolic link to a directory, possibly changing ownership and permissions of an arbitrary directory, and RPM files being placed in an arbitrary destination. An attacker, with write access to a directory in which a subdirectory will be installed, could redirect that directory to an arbitrary location and gain root privilege.
• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7500
• https://github.com/rpm-software-management/rpm/commit/c815822c8bdb138066ff58c624ae83e3a12ebfa9
• https://github.com/rpm-software-management/rpm/commit/f2d3be2a8741234faaa96f5fd05fdfdc75779a79
• CWE-59: Improper Link Resolution Before File Access ('Link Following')
CVE-2018-10897 – yum-utils: reposync: improper path validation may lead to directory traversal
https://notcve.org/view.php?id=CVE-2018-10897
A directory traversal issue was found in reposync, a part of yum-utils, where reposync fails to sanitize paths in remote repository configuration files. If an attacker controls a repository, they may be able to copy files outside of the destination directory on the targeted system via path traversal. If reposync is running with heightened privileges on a targeted system, this flaw could potentially result in system compromise via the overwriting of critical system files. Version 1.1.31 and older are believed to be affected.
• http://www.securitytracker.com/id/1041594
• https://access.redhat.com/errata/RHSA-2018:2284
• https://access.redhat.com/errata/RHSA-2018:2285
• https://access.redhat.com/errata/RHSA-2018:2626
• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10897
• https://github.com/rpm-software-management/yum-utils/commit/6a8de061f8fdc885e74ebe8c94625bf53643b71c
• https://github.com/rpm-software-management/yum-utils/commit/7554c0133eb830a71dc01846037cc047d0acbc2c
• https://github.com/rpm-software-management/yum-utils/pull/43
• https
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
• CWE-59: Improper Link Resolution Before File Access ('Link Following')
CVE-2017-7501
https://notcve.org/view.php?id=CVE-2017-7501
It was found that versions of rpm before 4.13.0.2 use temporary files with predictable names when installing an RPM. An attacker with ability to write in a directory where files will be installed could create symbolic links to an arbitrary location and modify content, and possibly permissions to arbitrary files, which could be used for denial of service or possibly privilege escalation.
• https://github.com/rpm-software-management/rpm/commit/404ef011c300207cdb1e531670384564aae04bdc
• https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E
• https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E
• https://security.gentoo.org/glsa/201811-22
• CWE-59: Improper Link Resolution Before File Access ('Link Following')
CVE-2017-2623 – rpm-ostree-client: fails to check gpg package signatures when layering
https://notcve.org/view.php?id=CVE-2017-2623
It was discovered that rpm-ostree and rpm-ostree-client before 2017.3 fail to properly check GPG signatures on packages when doing layering. Packages with unsigned or badly signed content could fail to be rejected as expected. This issue is partially mitigated on RHEL Atomic Host, where certificate pinning is used by default.
• http://www.securityfocus.com/bid/96558
• https://access.redhat.com/errata/RHSA-2017:0444
• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2623
• https://access.redhat.com/security/cve/CVE-2017-2623
• https://bugzilla.redhat.com/show_bug.cgi?id=1422157
• CWE-295: Improper Certificate Validation