CVE-2012-0060 - Vulnerability Details

RPM before 4.9.1.3 does not properly validate region tags, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an invalid region tag in a package header to the (1) headerLoad, (2) rpmReadSignature, or (3) headerVerify function.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.04884.

Key SSVC decision points have not yet been added.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

affected

Version	Status	Constraints
`n/a`	affected	—

Configuration 1 [-]

OR	cpe:2.3:a:rpm:rpm::::::::
	cpe:2.3:a:rpm:rpm:1.2:::::::*
	cpe:2.3:a:rpm:rpm:1.3:::::::*
	cpe:2.3:a:rpm:rpm:1.3.1:::::::*
	cpe:2.3:a:rpm:rpm:1.4:::::::*
	cpe:2.3:a:rpm:rpm:1.4.1:::::::*
	cpe:2.3:a:rpm:rpm:1.4.2:::::::*
	cpe:2.3:a:rpm:rpm:1.4.2\/a:::::::*
	cpe:2.3:a:rpm:rpm:1.4.3:::::::*
	cpe:2.3:a:rpm:rpm:1.4.4:::::::*
	cpe:2.3:a:rpm:rpm:1.4.5:::::::*
	cpe:2.3:a:rpm:rpm:1.4.6:::::::*
	cpe:2.3:a:rpm:rpm:1.4.7:::::::*
	cpe:2.3:a:rpm:rpm:2.0:::::::*
	cpe:2.3:a:rpm:rpm:2.0.1:::::::*
	cpe:2.3:a:rpm:rpm:2.0.2:::::::*
	cpe:2.3:a:rpm:rpm:2.0.3:::::::*
	cpe:2.3:a:rpm:rpm:2.0.4:::::::*
	cpe:2.3:a:rpm:rpm:2.0.5:::::::*
	cpe:2.3:a:rpm:rpm:2.0.6:::::::*
	cpe:2.3:a:rpm:rpm:2.0.7:::::::*
	cpe:2.3:a:rpm:rpm:2.0.8:::::::*
	cpe:2.3:a:rpm:rpm:2.0.9:::::::*
	cpe:2.3:a:rpm:rpm:2.0.10:::::::*
	cpe:2.3:a:rpm:rpm:2.0.11:::::::*
	cpe:2.3:a:rpm:rpm:2.1:::::::*
	cpe:2.3:a:rpm:rpm:2.1.1:::::::*
	cpe:2.3:a:rpm:rpm:2.1.2:::::::*
	cpe:2.3:a:rpm:rpm:2.2:::::::*
	cpe:2.3:a:rpm:rpm:2.2.1:::::::*
	cpe:2.3:a:rpm:rpm:2.2.2:::::::*
	cpe:2.3:a:rpm:rpm:2.2.3:::::::*
	cpe:2.3:a:rpm:rpm:2.2.3.10:::::::*
	cpe:2.3:a:rpm:rpm:2.2.3.11:::::::*
	cpe:2.3:a:rpm:rpm:2.2.4:::::::*
	cpe:2.3:a:rpm:rpm:2.2.5:::::::*
	cpe:2.3:a:rpm:rpm:2.2.6:::::::*
	cpe:2.3:a:rpm:rpm:2.2.7:::::::*
	cpe:2.3:a:rpm:rpm:2.2.8:::::::*
	cpe:2.3:a:rpm:rpm:2.2.9:::::::*
	cpe:2.3:a:rpm:rpm:2.2.10:::::::*
	cpe:2.3:a:rpm:rpm:2.2.11:::::::*
	cpe:2.3:a:rpm:rpm:2.3:::::::*
	cpe:2.3:a:rpm:rpm:2.3.1:::::::*
	cpe:2.3:a:rpm:rpm:2.3.2:::::::*
	cpe:2.3:a:rpm:rpm:2.3.3:::::::*
	cpe:2.3:a:rpm:rpm:2.3.4:::::::*
	cpe:2.3:a:rpm:rpm:2.3.5:::::::*
	cpe:2.3:a:rpm:rpm:2.3.6:::::::*
	cpe:2.3:a:rpm:rpm:2.3.7:::::::*
	cpe:2.3:a:rpm:rpm:2.3.8:::::::*
	cpe:2.3:a:rpm:rpm:2.3.9:::::::*
	cpe:2.3:a:rpm:rpm:2.4.1:::::::*
	cpe:2.3:a:rpm:rpm:2.4.2:::::::*
	cpe:2.3:a:rpm:rpm:2.4.3:::::::*
	cpe:2.3:a:rpm:rpm:2.4.4:::::::*
	cpe:2.3:a:rpm:rpm:2.4.5:::::::*
	cpe:2.3:a:rpm:rpm:2.4.6:::::::*
	cpe:2.3:a:rpm:rpm:2.4.8:::::::*
	cpe:2.3:a:rpm:rpm:2.4.9:::::::*
	cpe:2.3:a:rpm:rpm:2.4.11:::::::*
	cpe:2.3:a:rpm:rpm:2.4.12:::::::*
	cpe:2.3:a:rpm:rpm:2.5:::::::*
	cpe:2.3:a:rpm:rpm:2.5.1:::::::*
cpe:2.3:a:rpm:rpm:2.5.2:::::::*
cpe:2.3:a:rpm:rpm:2.5.3:::::::*
cpe:2.3:a:rpm:rpm:2.5.4:::::::*
cpe:2.3:a:rpm:rpm:2.5.5:::::::*
cpe:2.3:a:rpm:rpm:2.5.6:::::::*
cpe:2.3:a:rpm:rpm:2.6.7:::::::*
cpe:2.3:a:rpm:rpm:3.0:::::::*
cpe:2.3:a:rpm:rpm:3.0.1:::::::*
cpe:2.3:a:rpm:rpm:3.0.2:::::::*
cpe:2.3:a:rpm:rpm:3.0.3:::::::*
cpe:2.3:a:rpm:rpm:3.0.4:::::::*
cpe:2.3:a:rpm:rpm:3.0.5:::::::*
cpe:2.3:a:rpm:rpm:3.0.6:::::::*
cpe:2.3:a:rpm:rpm:4.0.:::::::*
cpe:2.3:a:rpm:rpm:4.0.1:::::::*
cpe:2.3:a:rpm:rpm:4.0.2:::::::*
cpe:2.3:a:rpm:rpm:4.0.3:::::::*
cpe:2.3:a:rpm:rpm:4.0.4:::::::*
cpe:2.3:a:rpm:rpm:4.1:::::::*
cpe:2.3:a:rpm:rpm:4.3.3:::::::*
cpe:2.3:a:rpm:rpm:4.4.2.1:::::::*
cpe:2.3:a:rpm:rpm:4.4.2.2:::::::*
cpe:2.3:a:rpm:rpm:4.4.2.3:::::::*
cpe:2.3:a:rpm:rpm:4.5.90:::::::*
cpe:2.3:a:rpm:rpm:4.6.0:::::::*
cpe:2.3:a:rpm:rpm:4.6.0:rc1::::::
cpe:2.3:a:rpm:rpm:4.6.0:rc2::::::
cpe:2.3:a:rpm:rpm:4.6.0:rc3::::::
cpe:2.3:a:rpm:rpm:4.6.0:rc4::::::
cpe:2.3:a:rpm:rpm:4.6.1:::::::*
cpe:2.3:a:rpm:rpm:4.7.0:::::::*
cpe:2.3:a:rpm:rpm:4.7.1:::::::*
cpe:2.3:a:rpm:rpm:4.7.2:::::::*
cpe:2.3:a:rpm:rpm:4.8.0:::::::*
cpe:2.3:a:rpm:rpm:4.8.1:::::::*
cpe:2.3:a:rpm:rpm:4.9.0:::::::*
cpe:2.3:a:rpm:rpm:4.9.0:alpha::::::
cpe:2.3:a:rpm:rpm:4.9.0:beta1::::::
cpe:2.3:a:rpm:rpm:4.9.0:rc1::::::
cpe:2.3:a:rpm:rpm:4.9.1:::::::*
cpe:2.3:a:rpm:rpm:4.9.1.1:::::::*

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 3 Extended Lifecycle Support
rpm-0:4.2.3-36_nonptl	cpe:/o:redhat:rhel_els:3	RHSA-2012:0451	2012-04-03T00:00:00Z
Red Hat Enterprise Linux 4 Extended Lifecycle Support
rpm-0:4.3.3-36_nonptl.el4	cpe:/o:redhat:rhel_els:4	RHSA-2012:0451	2012-04-03T00:00:00Z
Red Hat Enterprise Linux 5
rpm-0:4.4.2.3-28.el5_8	cpe:/o:redhat:enterprise_linux:5	RHSA-2012:0451	2012-04-03T00:00:00Z
Red Hat Enterprise Linux 5.3 Long Life
rpm-0:4.4.2.3-9.el5_3.3	cpe:/o:redhat:rhel_mission_critical:5.3	RHSA-2012:0451	2012-04-03T00:00:00Z
Red Hat Enterprise Linux 5.6 EUS - Server Only
rpm-0:4.4.2.3-22.el5_6.3	cpe:/o:redhat:rhel_eus:5.6	RHSA-2012:0451	2012-04-03T00:00:00Z
Red Hat Enterprise Linux 6
rpm-0:4.8.0-19.el6_2.1	cpe:/o:redhat:enterprise_linux:6	RHSA-2012:0451	2012-04-03T00:00:00Z
Red Hat Enterprise Linux 6.0 EUS - Server Only
rpm-0:4.8.0-12.el6_0.2	cpe:/o:redhat:rhel_eus:6.0	RHSA-2012:0451	2012-04-03T00:00:00Z
Red Hat Enterprise Linux 6.1 EUS - Server Only
rpm-0:4.8.0-16.el6_1.2	cpe:/o:redhat:rhel_eus:6.1	RHSA-2012:0451	2012-04-03T00:00:00Z

No data.

Project Subscriptions

Vendors	Products
Redhat Subscribe	Enterprise Linux Subscribe Rhel Els Subscribe Rhel Eus Subscribe Rhel Mission Critical Subscribe
Rpm Subscribe	Rpm Subscribe

Advisories

Source	ID	Title
Debian DLA	DLA-140-1	rpm security update
EUVD	EUVD-2012-0098	RPM before 4.9.1.3 does not properly validate region tags, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an invalid region tag in a package header to the (1) headerLoad, (2) rpmReadSignature, or (3) headerVerify function.
Ubuntu USN	USN-1695-1	RPM vulnerabilities

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
http://lists.fedoraproject.org/pipermail/package-announce/2012-April/077960.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-April/078819.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-April/078907.html
http://rhn.redhat.com/errata/RHSA-2012-0451.html
http://rhn.redhat.com/errata/RHSA-2012-0531.html
http://rpm.org/gitweb?p=rpm.git%3Ba=commitdiff%3Bh=e4eab2bc6d07cfd33f740071de7ddbb2fe2f4190
http://rpm.org/gitweb?p=rpm.git%3Ba=commitdiff%3Bh=f23998251992b8ae25faf5113c42fee2c49c7f29
http://rpm.org/wiki/Releases/4.9.1.3
http://secunia.com/advisories/48651
http://secunia.com/advisories/48716
http://secunia.com/advisories/49110
http://www.mandriva.com/security/advisories?name=MDVSA-2012:056
http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
http://www.osvdb.org/81010
http://www.securityfocus.com/bid/52865
http://www.securitytracker.com/id?1026882
http://www.ubuntu.com/usn/USN-1695-1
https://bugzilla.redhat.com/show_bug.cgi?id=744858
https://exchange.xforce.ibmcloud.com/vulnerabilities/74582
https://hermes.opensuse.org/messages/14440932
https://hermes.opensuse.org/messages/14441362
https://nvd.nist.gov/vuln/detail/CVE-2012-0060
https://www.cve.org/CVERecord?id=CVE-2012-0060

History

No history.

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2012-06-04T20:00:00

Updated: 2024-08-06T18:09:17.306Z

Reserved: 2011-12-07T00:00:00

Link: CVE-2012-0060

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2012-06-04T20:55:01.743

Modified: 2025-04-11T00:51:21.963

Link: CVE-2012-0060

Redhat

Severity : Important

Publid Date: 2012-04-03T00:00:00Z

Links: CVE-2012-0060 - Bugzilla

OpenCVE Enrichment

No data.

Weaknesses

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Project Subscriptions

Projects

JSON object

JSON object

JSON object

JSON object

JSON object