Launchpad.net

CVE 2010-2197

rpmbuild in RPM 4.8.0 and earlier does not properly parse the syntax of spec files, which allows user-assisted remote attackers to remove home directories via vectors involving a ;~ (semicolon tilde) sequence in a Name tag.

Related bugs and status

CVE-2010-2197 (Candidate) is related to these bugs:

Bug #530023: rpm -qpi spews errors about about indexes

Summary				In	Importance	Status
	530023	rpm -qpi spews errors about about indexes		rpm (Ubuntu)	Undecided	Fix Released
	530023	rpm -qpi spews errors about about indexes		rpm (Debian)	Unknown	Fix Released

Bug #542115: "rpmdb: Program version 4.8 doesn't match environment version 4.7" during 9.10 -> 10.04

Summary				In	Importance	Status
	542115	"rpmdb: Program version 4.8 doesn't match environment version 4.7" during 9.10 -> 10.04		rpm (Ubuntu)	High	Fix Released

Bug #574647: RPM on x86_64 is configured for i386 (4.7.2-1lbuild1)

Summary				In	Importance	Status
	574647	RPM on x86_64 is configured for i386 (4.7.2-1lbuild1)		rpm (Ubuntu)	Undecided	Fix Released

Bug #601298: Please sync rpm 4.8.1-5 (main) from Debian unstable (main).

Summary				In	Importance	Status
	601298	Please sync rpm 4.8.1-5 (main) from Debian unstable (main).		rpm (Ubuntu)	Wishlist	Fix Released

Bug #634183: app-arch/rpm2targz: multiple vulnerabilites (CVE-2010-{2059,2197,2198,2199})

		In	Importance	Status
634183	app-arch/rpm2targz: multiple vulnerabilites (CVE-2010-{2059,2197,2198,2199})	RPM	Low	In Progress
634183	app-arch/rpm2targz: multiple vulnerabilites (CVE-2010-{2059,2197,2198,2199})	Gentoo Linux	High	Confirmed
634183	app-arch/rpm2targz: multiple vulnerabilites (CVE-2010-{2059,2197,2198,2199})	Mandriva	Medium	Unknown
634183	app-arch/rpm2targz: multiple vulnerabilites (CVE-2010-{2059,2197,2198,2199})	Fedora	Medium	Invalid

See the

CVE page on Mitre.org for more details.

References

CONFIRM: https://bugzilla.redha...
XF: rpm-rpmbuild-weak-secu...