CVE-2010-2197
rpmbuild in RPM 4.8.0 and earlier does not properly parse the syntax of spec files, which allows user-assisted remote attackers to remove home directories via vectors involving a ;~ (semicolon tilde) sequence in a Name tag.
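The description above points at a single sequence, `;~`, in a spec file's Name tag. A practical mitigation on the consuming side is to refuse to feed rpmbuild a spec whose package-identity tags contain anything outside the characters RPM itself accepts in package names. The linter below is an added example written for this page, not code from the rpm project: it parses the spec preamble, checks the Name, Version and Release values against a conservative character set (letters, digits, `.`, `_`, `+`, `-`, an assumption chosen to match RPM naming conventions), and reports the offending characters. The two spec files are constructed inputs; the second carries the `;~` sequence the CVE text describes. Macro references such as `%{?dist}` are not expanded here and would be flagged, so run a check like this on the expanded spec or allow-list the macros you use.

```python
"""Pre-build linter: reject spec files whose Name/Version/Release tags contain
characters that are unsafe to interpolate into rpmbuild's generated shell.

Added example for this page; not part of rpm. The allowed character set is an
assumption matching conventional RPM package names, not a value taken from rpm.
"""
import re

# Characters accepted in a checked tag value (assumption, see module docstring).
SAFE_CHAR = re.compile(r'[A-Za-z0-9._+-]')
SAFE_VALUE = re.compile(r'^[A-Za-z0-9._+-]+$')
# A preamble line of the form "Tag: value"; surrounding whitespace is dropped.
TAG_LINE = re.compile(r'^(?P<tag>[A-Za-z][A-Za-z0-9]*)\s*:\s*(?P<value>.*?)\s*$')
CHECKED_TAGS = ('Name', 'Version', 'Release')


def parse_preamble(spec_text):
    """Return {tag: value} for the 'Tag: value' lines before the first section.

    Parsing stops at the first section directive (%description, %prep, ...);
    %define/%global lines are skipped rather than treated as section starts.
    """
    tags = {}
    for raw in spec_text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('%'):
            if line.startswith(('%define', '%global')):
                continue
            break
        m = TAG_LINE.match(line)
        if m:
            tags[m.group('tag')] = m.group('value')
    return tags


def find_unsafe_tags(spec_text):
    """Return [(tag, value, offending_chars)] for checked tags that fail SAFE_VALUE.

    offending_chars lists each unsafe character once, in order of first appearance.
    """
    findings = []
    tags = parse_preamble(spec_text)
    for tag in CHECKED_TAGS:
        value = tags.get(tag)
        if value is None or SAFE_VALUE.match(value):
            continue
        bad = ''.join(dict.fromkeys(ch for ch in value if not SAFE_CHAR.match(ch)))
        findings.append((tag, value, bad))
    return findings


# Constructed sample specs (not real packages).
CLEAN_SPEC = """\
Name:    hello
Version: 2.10
Release: 1
Summary: Constructed example package
License: GPLv3+

%description
Constructed example spec.
"""

MALICIOUS_SPEC = """\
Name:    hello;~
Version: 2.10
Release: 1
Summary: Constructed example package
License: GPLv3+

%description
Constructed example spec carrying the ;~ sequence in Name.
"""

if __name__ == '__main__':
    for label, spec in (('clean', CLEAN_SPEC), ('malicious', MALICIOUS_SPEC)):
        findings = find_unsafe_tags(spec)
        status = 'OK' if not findings else 'REJECT'
        print(f'{label}: {status}')
        for tag, value, bad in findings:
            print(f'  {tag}: {value!r} contains unsafe characters {bad!r}')
```

Run the check on every spec you did not write yourself before invoking rpmbuild; a non-empty result means the build should be refused rather than attempted with a fixed-up name, since the spec is untrusted by definition.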
Related bugs and status
CVE-2010-2197 (Candidate) is related to these bugs:
Bug #530023: rpm -qpi spews errors about about indexes

Bug | Summary | In | Importance | Status
---|---|---|---|---
530023 | rpm -qpi spews errors about about indexes | rpm (Ubuntu) | Undecided | Fix Released
530023 | rpm -qpi spews errors about about indexes | rpm (Debian) | Unknown | Fix Released

Bug #542115: "rpmdb: Program version 4.8 doesn't match environment version 4.7" during 9.10 -> 10.04

Bug | Summary | In | Importance | Status
---|---|---|---|---
542115 | "rpmdb: Program version 4.8 doesn't match environment version 4.7" during 9.10 -> 10.04 | rpm (Ubuntu) | High | Fix Released

Bug #574647: RPM on x86_64 is configured for i386 (4.7.2-1lbuild1)

Bug | Summary | In | Importance | Status
---|---|---|---|---
574647 | RPM on x86_64 is configured for i386 (4.7.2-1lbuild1) | rpm (Ubuntu) | Undecided | Fix Released

Bug #601298: Please sync rpm 4.8.1-5 (main) from Debian unstable (main).

Bug | Summary | In | Importance | Status
---|---|---|---|---
601298 | Please sync rpm 4.8.1-5 (main) from Debian unstable (main). | rpm (Ubuntu) | Wishlist | Fix Released

Bug #634183: app-arch/rpm2targz: multiple vulnerabilites (CVE-2010-{2059,2197,2198,2199})

Bug | Summary | In | Importance | Status
---|---|---|---|---
634183 | app-arch/rpm2targz: multiple vulnerabilites (CVE-2010-{2059,2197,2198,2199}) | RPM | Low | In Progress
634183 | app-arch/rpm2targz: multiple vulnerabilites (CVE-2010-{2059,2197,2198,2199}) | Gentoo Linux | High | Confirmed
634183 | app-arch/rpm2targz: multiple vulnerabilites (CVE-2010-{2059,2197,2198,2199}) | Mandriva | Medium | Unknown
634183 | app-arch/rpm2targz: multiple vulnerabilites (CVE-2010-{2059,2197,2198,2199}) | Fedora | Medium | Invalid
See the CVE page on Mitre.org for more details.