Description:

The RPM Package Manager (RPM) is a powerful command line driven package management system capable of installing, uninstalling, verifying, querying, and updating software packages. Each software package consists of an archive of files along with information about the package such as its version, description, and other information.

It was found that RPM wrote file contents to the target installation directory under a temporary name, and verified its cryptographic signature only after the temporary file has been written completely. Under certain conditions, the system interprets the unverified temporary file contents and extracts commands from it. This could allow an attacker to modify signed RPM files in such a way that they would execute code chosen by the attacker during package installation. (CVE-2013-6435)

This issue was discovered by Florian Weimer of Red Hat Product Security.

All rpm users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. All running applications linked against the RPM library must be restarted for this update to take effect.
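The flaw described above is one of ordering: unverified bytes reach the target directory before the signature check runs. The following added example (not RPM code, and not from the advisory or its author) contrasts that write-then-verify ordering with verify-then-write. It assumes HMAC-SHA256 under a constructed key as a stand-in for RPM's OpenPGP signature check, and uses a constructed script payload; the names `install_write_then_verify`, `install_verify_then_write` and `run_demo` are this example's own.

```python
"""Added example: write-then-verify versus verify-then-write.

HMAC-SHA256 with a shared key stands in for RPM's OpenPGP signature check
(an assumption made for this example only). All payloads and names are
constructed for illustration; none of this is RPM code.
"""
import hashlib
import hmac
import os
import tempfile

# Constructed key for the example; a real package signature would be
# OpenPGP, verified against a trusted public key.
SIGNING_KEY = b"example-signing-key"


def sign(payload: bytes) -> bytes:
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()


def verify(payload: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(sign(payload), signature)


def install_write_then_verify(payload, signature, target_dir, name):
    """The vulnerable ordering described in the advisory: unverified bytes
    land in the target directory under a temporary name, and the signature
    is checked only afterwards. Reports whether unverified content was ever
    present under target_dir and whether the install completed."""
    tmp_path = os.path.join(target_dir, "." + name + ".tmp")
    with open(tmp_path, "wb") as fh:
        fh.write(payload)
    # Window: anything that reads target_dir now sees unverified content.
    exposed = os.path.isfile(tmp_path)
    if not verify(payload, signature):
        os.unlink(tmp_path)
        return {"installed": False, "unverified_in_target": exposed}
    os.replace(tmp_path, os.path.join(target_dir, name))
    return {"installed": True, "unverified_in_target": exposed}


def install_verify_then_write(payload, signature, target_dir, name):
    """The corrected ordering: nothing is written below target_dir until the
    signature has verified, so any temporary file there holds verified
    content only; the final rename into place is atomic."""
    if not verify(payload, signature):
        return {"installed": False, "unverified_in_target": False}
    tmp_path = os.path.join(target_dir, "." + name + ".tmp")
    with open(tmp_path, "wb") as fh:
        fh.write(payload)
    os.replace(tmp_path, os.path.join(target_dir, name))
    return {"installed": True, "unverified_in_target": False}


def run_demo():
    """Install a genuine package and a tampered one with each ordering and
    report what each did. Returns a dict keyed by ordering."""
    good = b"#!/bin/sh\necho installed\n"      # constructed payload
    sig = sign(good)
    tampered = good + b"echo tampered\n"       # modified after signing
    results = {}
    for label, installer in (("write_then_verify", install_write_then_verify),
                             ("verify_then_write", install_verify_then_write)):
        with tempfile.TemporaryDirectory() as target:
            ok = installer(good, sig, target, "post-install.sh")
            bad = installer(tampered, sig, target, "post-install.sh")
            leftover = sorted(os.listdir(target))
        results[label] = {"good": ok, "tampered": bad, "files": leftover}
    return results


if __name__ == "__main__":
    for label, outcome in run_demo().items():
        print(label, outcome)
```

Both orderings reject the tampered payload and leave only the genuine file behind, so an after-the-fact check of the directory cannot tell them apart; the difference is that the first ordering exposes unverified content inside the target directory for the duration of the write, which is exactly the window the advisory describes. The fix is to verify before any byte is written below the installation root.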