VYPR

rpm package

opensuse/rpm&distro=openSUSE Tumbleweed

pkg:rpm/opensuse/rpm&distro=openSUSE%20Tumbleweed

Vulnerabilities (5)

  • CVE-2021-35939, Aug 26, 2022
    affected < 4.18.0-1.1, fixed 4.18.0-1.1

    It was found that the fix for CVE-2017-7500 and CVE-2017-7501 was incomplete: the check was only implemented for the parent directory of the file to be created. A local unprivileged user who owns another ancestor directory could potentially use this flaw to gain root privileges.

  • CVE-2021-35938, Aug 25, 2022
    affected < 4.18.0-1.1, fixed 4.18.0-1.1

    A symbolic link issue was found in rpm. It occurs when rpm sets the desired permissions and credentials after installing a file. A local unprivileged user could use this flaw to exchange the original file with a symbolic link to a security-critical file and escalate their privile

  • CVE-2021-3521, Aug 22, 2022
    affected < 4.17.1-1.1, fixed 4.17.1-1.1

    There is a flaw in RPM's signature functionality. OpenPGP subkeys are associated with a primary key via a "binding signature." RPM does not check the binding signature of subkeys prior to importing them. If an attacker is able to add or socially engineer another party to add a ma

  • CVE-2021-3421, May 19, 2021
    affected < 4.16.1.3-3.2, fixed 4.16.1.3-3.2

    A flaw was found in the RPM package in the read functionality. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package or compromise an RPM repository, to cause RPM database corruption. The highest threat from this vulnerability is to data

  • CVE-2017-7500, High, Aug 13, 2018
    affected < 4.16.1.3-3.2, fixed 4.16.1.3-3.2

    It was found that rpm did not properly handle RPM installations when a destination path was a symbolic link to a directory, possibly changing ownership and permissions of an arbitrary directory, and RPM files being placed in an arbitrary destination. An attacker, with write acces