Vulnerability Name:

CVE-2006-5466 (CCN-30058)

Assigned:2006-10-29
Published:2006-10-29
Updated:2011-03-08
Summary:Heap-based buffer overflow in the showQueryPackage function in librpm in RPM Package Manager 4.4.8, when the LANG environment variable is set to ru_RU.UTF-8, might allow user-assisted attackers to execute arbitrary code via crafted RPM packages.
Successful exploitation may allow the execution of arbitrary code, but requires that certain locales are set (e.g. ru_RU.UTF-8).
There are patches available for each affected Ubuntu product.
CVSS v3 Severity:9.0 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availability (A): High
CVSS v2 Severity:5.4 Medium (CVSS v2 Vector: AV:N/AC:H/Au:N/C:N/I:N/A:C)
4.0 Medium (Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:N/I:N/A:C/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): High
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availability (A): Complete
7.6 High (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C)
5.6 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): High
Authentication (Au): None
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
Vulnerability Type:CWE-Other
Vulnerability Consequences:Gain Access
References:Source: MITRE
Type: CNA
CVE-2006-5466

Source: CCN
Type: SA22740
RPM Buffer Overflow Vulnerability

Source: SECUNIA
Type: Exploit, Vendor Advisory
22740

Source: SECUNIA
Type: Patch, Vendor Advisory
22745

Source: SECUNIA
Type: UNKNOWN
22768

Source: SECUNIA
Type: UNKNOWN
22854

Source: GENTOO
Type: UNKNOWN
GLSA-200611-08

Source: CCN
Type: SECTRACK ID: 1017160
RPM Lets Remote Users Cause Arbitrary Code to Be Executed When Queried in Certain Locales

Source: SECTRACK
Type: UNKNOWN
1017160

Source: CCN
Type: GLSA-200611-08
RPM: Buffer overflow

Source: MANDRIVA
Type: UNKNOWN
MDKSA-2006:200

Source: CCN
Type: OSVDB ID: 30209
Red Hat Package Manager (RPM) showQueryPackage Function Overflow

Source: BID
Type: UNKNOWN
20906

Source: CCN
Type: BID-20906
LibRPM Query Report Arbitrary Code Execution Vulnerability

Source: CCN
Type: USN-378-1
RPM vulnerability

Source: UBUNTU
Type: Patch
USN-378-1

Source: VUPEN
Type: UNKNOWN
ADV-2006-4350

Source: CCN
Type: Red Hat Bugzilla Bug 212833
CVE-2006-5466 RPM Crash after listing contents of non-installed package

Source: MISC
Type: Exploit
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=212833

Source: XF
Type: UNKNOWN
rpm-locale-bo(30058)

Source: CCN
Type: Red Hat Web site
Red Hat Directory Server 7.1 SP1 Release Notes

Vulnerable Configuration:

Configuration 1:
  • cpe:/a:rpm:package_manager:4.4.8:*:*:*:*:*:*:*

Configuration 2:
  • cpe:/o:ubuntu:ubuntu_linux:6.06_lts:*:*:*:*:*:*:*
  • OR cpe:/o:ubuntu:ubuntu_linux:6.10:*:i386:*:*:*:*:*

Configuration CCN 1:
  • cpe:/o:redhat:linux:*:*:*:*:*:*:*:*
  • AND
  • cpe:/o:gentoo:linux:*:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:3.0:*:*:*:*:*:*:*
  • OR cpe:/a:mandrakesoft:mandrake_multi_network_firewall:2.0:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:2006:*:*:*:*:*:*:*
  • OR cpe:/o:canonical:ubuntu:6.06::lts:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:2006::x86-64:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:2007:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:2007::x86_64:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:4.0:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:4.0::x86_64:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:3.0::x86_64:*:*:*:*:*

  • * Denotes that component is vulnerable
    rpm package manager 4.4.8
    ubuntu ubuntu linux 6.06_lts
    ubuntu ubuntu linux 6.10
    redhat linux *
    gentoo linux *
    mandrakesoft mandrake linux corporate server 3.0
    mandrakesoft mandrake multi network firewall 2.0
    mandrakesoft mandrake linux 2006
    canonical ubuntu 6.06
    mandrakesoft mandrake linux 2006
    mandrakesoft mandrake linux 2007
    mandrakesoft mandrake linux 2007
    mandrakesoft mandrake linux corporate server 4.0
    mandrakesoft mandrake linux corporate server 4.0
    mandrakesoft mandrake linux corporate server 3.0