RPM before 4.9.1.3 does not properly validate region tags, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an invalid region tag in a package header to the (1) headerLoad, (2) rpmReadSignature, or (3) headerVerify function.

Metrics

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.04884.

Key SSVC decision points have not yet been added.

Affected Vendors & Products

Vendors Products
Redhat
  • Enterprise Linux
  • Rhel Els
  • Rhel Eus
  • Rhel Mission Critical
Rpm
  • Rpm

Configuration 1 [-]

OR cpe:2.3:a:rpm:rpm:*:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:1.2:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:1.3:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:1.3.1:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:1.4:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:1.4.1:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:1.4.2:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:1.4.2\/a:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:1.4.3:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:1.4.4:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:1.4.5:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:1.4.6:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:1.4.7:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:2.0:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:2.0.1:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:2.0.2:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:2.0.3:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:2.0.4:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:2.0.5:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:2.0.6:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:2.0.7:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:2.0.8:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:2.0.9:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:2.0.10:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:2.0.11:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:2.1:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:2.1.1:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:2.1.2:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:2.2:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:2.2.1:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:2.2.2:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:2.2.3:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:2.2.3.10:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:2.2.3.11:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:2.2.4:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:2.2.5:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:2.2.6:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:2.2.7:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:2.2.8:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:2.2.9:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:2.2.10:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:2.2.11:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:2.3:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:2.3.1:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:2.3.2:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:2.3.3:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:2.3.4:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:2.3.5:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:2.3.6:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:2.3.7:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:2.3.8:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:2.3.9:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:2.4.1:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:2.4.2:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:2.4.3:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:2.4.4:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:2.4.5:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:2.4.6:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:2.4.8:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:2.4.9:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:2.4.11:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:2.4.12:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:2.5:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:2.5.1:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:2.5.2:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:2.5.3:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:2.5.4:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:2.5.5:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:2.5.6:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:2.6.7:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:3.0:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:3.0.1:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:3.0.2:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:3.0.3:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:3.0.4:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:3.0.5:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:3.0.6:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:4.0.:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:4.0.1:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:4.0.2:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:4.0.3:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:4.0.4:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:4.1:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:4.3.3:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:4.4.2.1:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:4.4.2.2:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:4.4.2.3:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:4.5.90:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:4.6.0:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:4.6.0:rc1:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:4.6.0:rc2:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:4.6.0:rc3:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:4.6.0:rc4:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:4.6.1:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:4.7.0:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:4.7.1:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:4.7.2:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:4.8.0:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:4.8.1:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:4.9.0:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:4.9.0:alpha:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:4.9.0:beta1:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:4.9.0:rc1:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:4.9.1:*:*:*:*:*:*:*
cpe:2.3:a:rpm:rpm:4.9.1.1:*:*:*:*:*:*:*
Package CPE Advisory Released Date
Red Hat Enterprise Linux 3 Extended Lifecycle Support
rpm-0:4.2.3-36_nonptl cpe:/o:redhat:rhel_els:3 RHSA-2012:0451 2012-04-03T00:00:00Z
Red Hat Enterprise Linux 4 Extended Lifecycle Support
rpm-0:4.3.3-36_nonptl.el4 cpe:/o:redhat:rhel_els:4 RHSA-2012:0451 2012-04-03T00:00:00Z
Red Hat Enterprise Linux 5
rpm-0:4.4.2.3-28.el5_8 cpe:/o:redhat:enterprise_linux:5 RHSA-2012:0451 2012-04-03T00:00:00Z
Red Hat Enterprise Linux 5.3 Long Life
rpm-0:4.4.2.3-9.el5_3.3 cpe:/o:redhat:rhel_mission_critical:5.3 RHSA-2012:0451 2012-04-03T00:00:00Z
Red Hat Enterprise Linux 5.6 EUS - Server Only
rpm-0:4.4.2.3-22.el5_6.3 cpe:/o:redhat:rhel_eus:5.6 RHSA-2012:0451 2012-04-03T00:00:00Z
Red Hat Enterprise Linux 6
rpm-0:4.8.0-19.el6_2.1 cpe:/o:redhat:enterprise_linux:6 RHSA-2012:0451 2012-04-03T00:00:00Z
Red Hat Enterprise Linux 6.0 EUS - Server Only
rpm-0:4.8.0-12.el6_0.2 cpe:/o:redhat:rhel_eus:6.0 RHSA-2012:0451 2012-04-03T00:00:00Z
Red Hat Enterprise Linux 6.1 EUS - Server Only
rpm-0:4.8.0-16.el6_1.2 cpe:/o:redhat:rhel_eus:6.1 RHSA-2012:0451 2012-04-03T00:00:00Z

No data.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-140-1 rpm security update
EUVD EUVD EUVD-2012-0098 RPM before 4.9.1.3 does not properly validate region tags, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an invalid region tag in a package header to the (1) headerLoad, (2) rpmReadSignature, or (3) headerVerify function.
Ubuntu USN Ubuntu USN USN-1695-1 RPM vulnerabilities
Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References
Link Providers
http://lists.fedoraproject.org/pipermail/package-announce/2012-April/077960.html cve-icon cve-icon
http://lists.fedoraproject.org/pipermail/package-announce/2012-April/078819.html cve-icon cve-icon
http://lists.fedoraproject.org/pipermail/package-announce/2012-April/078907.html cve-icon cve-icon
http://rhn.redhat.com/errata/RHSA-2012-0451.html cve-icon cve-icon
http://rhn.redhat.com/errata/RHSA-2012-0531.html cve-icon cve-icon
http://rpm.org/gitweb?p=rpm.git%3Ba=commitdiff%3Bh=e4eab2bc6d07cfd33f740071de7ddbb2fe2f4190 cve-icon cve-icon
http://rpm.org/gitweb?p=rpm.git%3Ba=commitdiff%3Bh=f23998251992b8ae25faf5113c42fee2c49c7f29 cve-icon cve-icon
http://rpm.org/wiki/Releases/4.9.1.3 cve-icon cve-icon
http://secunia.com/advisories/48651 cve-icon cve-icon
http://secunia.com/advisories/48716 cve-icon cve-icon
http://secunia.com/advisories/49110 cve-icon cve-icon
http://www.mandriva.com/security/advisories?name=MDVSA-2012:056 cve-icon cve-icon
http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html cve-icon cve-icon
http://www.osvdb.org/81010 cve-icon cve-icon
http://www.securityfocus.com/bid/52865 cve-icon cve-icon
http://www.securitytracker.com/id?1026882 cve-icon cve-icon
http://www.ubuntu.com/usn/USN-1695-1 cve-icon cve-icon
https://bugzilla.redhat.com/show_bug.cgi?id=744858 cve-icon cve-icon
https://exchange.xforce.ibmcloud.com/vulnerabilities/74582 cve-icon cve-icon
https://hermes.opensuse.org/messages/14440932 cve-icon cve-icon
https://hermes.opensuse.org/messages/14441362 cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2012-0060 cve-icon
https://www.cve.org/CVERecord?id=CVE-2012-0060 cve-icon
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2024-08-06T18:09:17.306Z

Reserved: 2011-12-07T00:00:00

Link: CVE-2012-0060

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Deferred

Published: 2012-06-04T20:55:01.743

Modified: 2025-04-11T00:51:21.963

Link: CVE-2012-0060

cve-icon Redhat

Severity : Important

Publid Date: 2012-04-03T00:00:00Z

Links: CVE-2012-0060 - Bugzilla

cve-icon OpenCVE Enrichment

No data.