CVE-2021-20271

Name
CVE-2021-20271
Description
A flaw was found in RPM's signature check functionality when reading a package file. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package, whose signature header was modified, to cause RPM database corruption and execute code. The highest threat from this vulnerability is to data integrity, confidentiality, and system availability.
NVD Severity
medium
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
Patch https://github.com/rpm-software-management/rpm/commit/d6a86b5e69e46cc283b1e06c92343319beb42e21
Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=1934125
Mailing List https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VHRPNBCRPDJHHQE3MBPSZK4H7X2IM7AC/
Mailing List https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TMGXO3W6DHPO62GJ4VVF5DEUX5DRUR5K/
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YILPBTPSBRYL4POBI3F4YUSVPSOQNJBY/
GENTOO https://security.gentoo.org/glsa/202107-43

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:rpm:rpm:*:*:*:*:*:*:*:* rpm >= None < 2021-03-16
cpe:2.3:a:rpm:rpm:*:*:*:*:*:*:*:* rpm >= 4.15.0 < 4.15.1.3
cpe:2.3:a:rpm:rpm:4.15.0:alpha:*:*:*:*:*:* rpm == None == 4.15.0
cpe:2.3:a:rpm:rpm:*:*:*:*:*:*:*:* rpm >= 4.16.0 < 4.16.1.3
cpe:2.3:a:rpm:rpm:4.16.0:alpha:*:*:*:*:*:* rpm == None == 4.16.0

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
rpm 3.13-community 4.16.1.3-r0 None fixed
rpm 3.14-community 4.16.1.3-r1 None fixed
rpm 3.15-community 4.16.1.3-r1 None fixed
rpm 3.16-community 4.16.1.3-r3 None fixed
rpm 3.17-community 4.18.0-r1 None fixed
rpm 3.18-community 4.18.1-r0 None fixed
rpm 3.19-community 4.19.0-r0 Celeste <cielesti@protonmail.com> fixed
rpm edge-community 4.19.1.1-r1 Celeste <cielesti@protonmail.com> fixed
rpm 3.20-community 4.19.1.1-r1 Celeste <cielesti@protonmail.com> fixed