Security Advisory Moderate: rpm security and bug fix update

Advisory: RHSA-2010:0679-1
Type: Security Advisory
Severity: Moderate
Issued on: 2010-09-07
Last updated on: 2010-09-07
Affected Products: RHEL Desktop Workstation (v. 5 client)
Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux Desktop (v. 5 client)
CVEs (cve.mitre.org): CVE-2010-2059

Details

Updated rpm packages that fix one security issue and one bug are now
available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

The RPM Package Manager (RPM) is a command line driven package management
system capable of installing, uninstalling, verifying, querying, and
updating software packages.

It was discovered that RPM did not remove setuid and setgid bits set on
binaries when upgrading packages. A local attacker able to create hard
links to binaries could use this flaw to keep those binaries on the system,
at a specific version level and with the setuid or setgid bit set, even if
the package providing them was upgraded by a system administrator. This
could have security implications if a package was upgraded because of a
security flaw in a setuid or setgid program. (CVE-2010-2059)
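The mechanism above, as an added illustration that is not RPM's own code: a hard link is a second name for the same inode, so unlinking the packaged path on upgrade does not touch the old inode, and whatever mode bits it carried (setuid included) survive under the other name. The block below simulates an upgrade in a throwaway directory both without and with the behaviour this update adds (clearing setuid/setgid on the old file before it is replaced), and runs the audit an administrator would use to find leftovers: setuid/setgid regular files that no package owns, or packaged ones that have a second hard link. The binary name `suidtool`, the directory layout and the package inventory set are constructed for the demo; on a real host the inventory comes from `rpm -qf`.

```python
# Added illustration of the CVE-2010-2059 condition and its mitigation; this is
# not RPM's own code. File names and the "package inventory" are constructed.
import os
import stat
import tempfile

SPECIAL_BITS = stat.S_ISUID | stat.S_ISGID


def replace_binary(path, new_content, strip_special_bits):
    """Replace the file at `path` the way a package upgrade does.

    strip_special_bits=False: the old inode is just unlinked; any other hard
    link to it keeps the old content *and* its setuid/setgid bits.
    strip_special_bits=True: the old inode is chmod'ed first, so a lingering
    link is only an unprivileged copy (the behaviour this update adds).
    """
    if strip_special_bits:
        st = os.lstat(path)
        if stat.S_ISREG(st.st_mode) and st.st_mode & SPECIAL_BITS:
            os.chmod(path, stat.S_IMODE(st.st_mode) & ~SPECIAL_BITS)
    os.unlink(path)
    with open(path, "wb") as f:
        f.write(new_content)
    os.chmod(path, 0o4755)  # the new version is legitimately setuid


def audit_setuid(root, owned_paths):
    """List setuid/setgid regular files under `root` worth a closer look.

    owned_paths: root-relative paths the package inventory says may carry
    these bits (what `rpm -qf` would confirm on a real host).
    Returns a sorted list of (relative_path, reason).
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not (stat.S_ISREG(st.st_mode) and st.st_mode & SPECIAL_BITS):
                continue
            rel = os.path.relpath(full, root)
            if rel not in owned_paths:
                findings.append((rel, "setuid/setgid file not owned by any package"))
            elif st.st_nlink > 1:
                findings.append((rel, "packaged setuid/setgid file has another hard link"))
    return sorted(findings)


def simulate_upgrade(strip_special_bits):
    """Build a throwaway tree, add a second link to the setuid binary,
    upgrade it, and audit before and after."""
    owned = {"usr/bin/suidtool"}  # constructed inventory
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "usr", "bin")
        os.makedirs(bindir)
        target = os.path.join(bindir, "suidtool")  # constructed name
        with open(target, "wb") as f:
            f.write(b"old vulnerable version")
        os.chmod(target, 0o4755)

        # A second name for the same inode, in a directory a local user controls.
        keep = os.path.join(root, "tmp", "keep")
        os.makedirs(os.path.dirname(keep))
        os.link(target, keep)
        before = audit_setuid(root, owned)

        replace_binary(target, b"fixed version", strip_special_bits)

        st = os.lstat(keep)
        with open(keep, "rb") as f:
            old_content_kept = f.read() == b"old vulnerable version"
        return {
            "before_upgrade": before,
            "link_still_setuid": bool(st.st_mode & stat.S_ISUID),
            "old_content_kept": old_content_kept,
            "after_upgrade": audit_setuid(root, owned),
        }


if __name__ == "__main__":
    print("unfixed behaviour:", simulate_upgrade(strip_special_bits=False))
    print("fixed behaviour:  ", simulate_upgrade(strip_special_bits=True))
```

Note that the old content is retained in both runs; the difference the fix makes is that the retained copy is no longer privileged. Also note that once the upgrade has happened the lingering inode has a link count of 1 again, so a link-count check alone only helps before the upgrade; afterwards the useful signal is a setuid/setgid file that no package claims, which on a real system is the combination of `find / -xdev -type f -perm /6000` with `rpm -qf` on each hit.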

This update also fixes the following bug:

* A memory leak in the communication between RPM and the Security-Enhanced
Linux (SELinux) subsystem, which could have caused extensive memory
consumption. In reported cases, this issue was triggered by running
rhn_check when errata were scheduled to be applied. (BZ#627630)

All users of rpm are advised to upgrade to these updated packages, which
contain backported patches to correct these issues.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Updated packages

RHEL Desktop Workstation (v. 5 client)

SRPMS:
rpm-4.4.2.3-20.el5_5.1.src.rpm
File outdated by:  RHBA-2013:1297
    MD5: 9310b536e45f3f1ba748d1d3b25c3be0
SHA-256: 869d80aa7515908038c5f01381be092899e8820040157e1cb9d1191a61ab6a05
 
IA-32:
rpm-apidocs-4.4.2.3-20.el5_5.1.i386.rpm
File outdated by:  RHBA-2013:1297
    MD5: 41042338481853cf5c8a5b7f7b7b1738
SHA-256: 979e4cec5d8331a7b37fb9677d18608538ac32b60751d6edd434a50a9f450398
rpm-build-4.4.2.3-20.el5_5.1.i386.rpm
File outdated by:  RHBA-2013:1297
    MD5: 2f4f32b7fcf79ce4e1e6db108ab39bda
SHA-256: 3fc4750741ebc1e98c5f68dc6e15f6b396e8686de45d481188d916334e5aa9bc
rpm-devel-4.4.2.3-20.el5_5.1.i386.rpm
File outdated by:  RHBA-2013:1297
    MD5: f7c25590c4fc90a95ebdef7087ceaab2
SHA-256: fe7278b4820f01e3f8ac45ed93dd06f16773c9f59c2a023a3a354c008e6bb24d
 
x86_64:
rpm-apidocs-4.4.2.3-20.el5_5.1.x86_64.rpm
File outdated by:  RHBA-2013:1297
    MD5: e5d14a77a98de75ead8a4ef06c7da4e7
SHA-256: c87dbc0f47acf3bad9942d5b0de6a4a087580278dc5043a96eb590cb8ea834c5
rpm-build-4.4.2.3-20.el5_5.1.x86_64.rpm
File outdated by:  RHBA-2013:1297
    MD5: 6795fa9da8d0486d8f09bf7305b8e4cf
SHA-256: fc9157d2492b2611dd9a6bd5601226a7e0f915106b1d74fbe5855939ec893afa
rpm-devel-4.4.2.3-20.el5_5.1.i386.rpm
File outdated by:  RHBA-2013:1297
    MD5: f7c25590c4fc90a95ebdef7087ceaab2
SHA-256: fe7278b4820f01e3f8ac45ed93dd06f16773c9f59c2a023a3a354c008e6bb24d
rpm-devel-4.4.2.3-20.el5_5.1.x86_64.rpm
File outdated by:  RHBA-2013:1297
    MD5: fb7eecee162d9e55e42a4d861e9483ef
SHA-256: bd521d09467339619672fce5561a30fe95e569e7d445f630fb1531def20042a5
 
Red Hat Enterprise Linux (v. 5 server)

SRPMS:
rpm-4.4.2.3-20.el5_5.1.src.rpm
File outdated by:  RHBA-2013:1297
    MD5: 9310b536e45f3f1ba748d1d3b25c3be0
SHA-256: 869d80aa7515908038c5f01381be092899e8820040157e1cb9d1191a61ab6a05
 
IA-32:
popt-1.10.2.3-20.el5_5.1.i386.rpm
File outdated by:  RHBA-2013:1297
    MD5: fb3cfb7259613314237c4244c75c4024
SHA-256: c879318615763f9ad0479f4e5a003b44c133d05e7ffcac8f26917d6fc036ede7
rpm-4.4.2.3-20.el5_5.1.i386.rpm
File outdated by:  RHBA-2013:1297
    MD5: ccd0d822e3e565487368d193ee8da70f
SHA-256: 0fd80611e6889777a500c2afe32c60b36ce1f062819914ec6d7b914ccd5370ef
rpm-apidocs-4.4.2.3-20.el5_5.1.i386.rpm
File outdated by:  RHBA-2013:1297
    MD5: 41042338481853cf5c8a5b7f7b7b1738
SHA-256: 979e4cec5d8331a7b37fb9677d18608538ac32b60751d6edd434a50a9f450398
rpm-build-4.4.2.3-20.el5_5.1.i386.rpm
File outdated by:  RHBA-2013:1297
    MD5: 2f4f32b7fcf79ce4e1e6db108ab39bda
SHA-256: 3fc4750741ebc1e98c5f68dc6e15f6b396e8686de45d481188d916334e5aa9bc
rpm-devel-4.4.2.3-20.el5_5.1.i386.rpm
File outdated by:  RHBA-2013:1297
    MD5: f7c25590c4fc90a95ebdef7087ceaab2
SHA-256: fe7278b4820f01e3f8ac45ed93dd06f16773c9f59c2a023a3a354c008e6bb24d
rpm-libs-4.4.2.3-20.el5_5.1.i386.rpm
File outdated by:  RHBA-2013:1297
    MD5: 7568eccead16fa13a62115e8276cbad0
SHA-256: 1baf45c607050ef89f147565717aeb8b91b691ca1dff344ef6464e45a9f9d1c0
rpm-python-4.4.2.3-20.el5_5.1.i386.rpm
File outdated by:  RHBA-2013:1297
    MD5: e71e30265e37bb347fbaebbbb6e31a00
SHA-256: 3ebc12fe7630ae79c0e6d5a9fd79be8bdd93c34c426b89a8a0f3c67c9a210bf6
 
IA-64:
popt-1.10.2.3-20.el5_5.1.ia64.rpm
File outdated by:  RHBA-2013:1297
    MD5: 92f2507297299ec13476963c591745ad
SHA-256: dbc6c34dca038b95ef8997f5dbaa719ebc3d19d1db06778089bb25b461ba89b9
rpm-4.4.2.3-20.el5_5.1.ia64.rpm
File outdated by:  RHBA-2013:1297
    MD5: 659acf75e0d99818b0287d45109df700
SHA-256: 6e2af994d8f0402d05018c57221a3c8de603d2925745a10ea6da1ff76ad08144
rpm-apidocs-4.4.2.3-20.el5_5.1.ia64.rpm
File outdated by:  RHBA-2013:1297
    MD5: 8a21054ddca8bc3ede784bfe5c9b9aec
SHA-256: 1f18403f7aec44fc3b1b344269aeb95a175970d57e693f0de264c08e4c3777ae
rpm-build-4.4.2.3-20.el5_5.1.ia64.rpm
File outdated by:  RHBA-2013:1297
    MD5: a8e1a0b5da4d4f7c92a7947a3e4596a8
SHA-256: a22ae7b48a73abdfb19c7697a0b1d4a540ecb6f2a9b83757ed12403aa6089e51
rpm-devel-4.4.2.3-20.el5_5.1.ia64.rpm
File outdated by:  RHBA-2013:1297
    MD5: 4cee5d5c7a252b6fe94f71a82c9acd9e
SHA-256: bcd8eb46d1c99d9d809fc3ad8e79dca1af53bd93c6fe1526240fe17413a26a02
rpm-libs-4.4.2.3-20.el5_5.1.ia64.rpm
File outdated by:  RHBA-2013:1297
    MD5: 7bc2e8cbac6361507be69490c8fd420c
SHA-256: 8a41bc2385763f3c84159ba8b9d730ddd0952b8bd90aa7dd6501b374c32c2eb7
rpm-python-4.4.2.3-20.el5_5.1.ia64.rpm
File outdated by:  RHBA-2013:1297
    MD5: 72410d232c788c22df2993ae7055acec
SHA-256: 1da071a80446c1048f49d13645714062d76a2e9a285ad02e69a41edae0a70f58
 
PPC:
popt-1.10.2.3-20.el5_5.1.ppc.rpm
File outdated by:  RHBA-2013:1297
    MD5: bc1eba6d8554333acf9bdc3a2e623d53
SHA-256: df519b65d2b95b5938cabadc979058479e487aa7ad55cd0a130d890a1c2796d6
popt-1.10.2.3-20.el5_5.1.ppc64.rpm
File outdated by:  RHBA-2013:1297
    MD5: c47fe00608740a2941626681d761794e
SHA-256: 0b7dde6776cbf550fd4dbaeb39a722c95e32603cb2ce6fbb7465bc05aa0683c3
rpm-4.4.2.3-20.el5_5.1.ppc.rpm
File outdated by:  RHBA-2013:1297
    MD5: 00bb775b92343bcaba2e63026c354e56
SHA-256: d250c8cefa8a96cfb17cdee25468df9160ce7256ed0185d29ea6a8310de1730c
rpm-apidocs-4.4.2.3-20.el5_5.1.ppc.rpm
File outdated by:  RHBA-2013:1297
    MD5: a221c7703b6ca078dee8c9142a4d3a98
SHA-256: 6db851f9af55b592b535e022a23a2a2ed9783a21350e7a9726d9ea73cb9b8f81
rpm-build-4.4.2.3-20.el5_5.1.ppc.rpm
File outdated by:  RHBA-2013:1297
    MD5: c07abc4a5331ba4f4938011ea062fc5c
SHA-256: f46e36ec24ba04271e21fde235eada78d0249d3c8213e92f880ff8f6474cb647
rpm-devel-4.4.2.3-20.el5_5.1.ppc.rpm
File outdated by:  RHBA-2013:1297
    MD5: 216e975d7e7af72f56a47dd94ecddd54
SHA-256: 824aadcb10893b5f623e2d4be4e2abb35234d87444884f3b206ccd210363fa4a
rpm-devel-4.4.2.3-20.el5_5.1.ppc64.rpm
File outdated by:  RHBA-2013:1297
    MD5: 3143e4c91163b2e0ce1ab89241390351
SHA-256: ec901fdb164c504016cd3e93993cfd9f4d131b5b44c44637312add3462b81dcc
rpm-libs-4.4.2.3-20.el5_5.1.ppc.rpm
File outdated by:  RHBA-2013:1297
    MD5: c5d13756f855c0acca0ae5d99fee41b1
SHA-256: de830acdb89adf305b581937e4112c279b1b6c9359cf02ce1aae1c41642c7ddd
rpm-libs-4.4.2.3-20.el5_5.1.ppc64.rpm
File outdated by:  RHBA-2013:1297
    MD5: a567c79c3bd0745c33f5f256066db10c
SHA-256: 22d9b4230e0639e4303666c9cd19e17fc1e1a19b0983317b5cde466249ba3f56
rpm-python-4.4.2.3-20.el5_5.1.ppc.rpm
File outdated by:  RHBA-2013:1297
    MD5: 881343c81837dd28197ac0836c4831d8
SHA-256: e7333582f9f27cac749dc0375cce53acd84161a73db0470c2ea711ffb961dfef
 
s390x:
popt-1.10.2.3-20.el5_5.1.s390.rpm
File outdated by:  RHBA-2013:1297
    MD5: ae59d95068cca583ead2c298f362681b
SHA-256: 2d9b8da4a716f92c45f9b0dc5750e24c17c4a817974676b64bd480885a567841
popt-1.10.2.3-20.el5_5.1.s390x.rpm
File outdated by:  RHBA-2013:1297
    MD5: f3e2d01442171c0e698c3e52ace4644e
SHA-256: a578ee2fe6b6523aa2ac54698bf331d4e3a31398472aa4f9af3c309ee25f7b4f
rpm-4.4.2.3-20.el5_5.1.s390x.rpm
File outdated by:  RHBA-2013:1297
    MD5: c49e6247ab550348320168c7b0dc0c3f
SHA-256: bcf23e71d133fd5199fd409bd57875f1c62dd52c66369292a9bf52514b6bb445
rpm-apidocs-4.4.2.3-20.el5_5.1.s390x.rpm
File outdated by:  RHBA-2013:1297
    MD5: 961285f1fa79f6f5b273145c48255665
SHA-256: d6508c43de384c5efe2af649f6c0bb225ee76f7735151f539546ca8dc39aab94
rpm-build-4.4.2.3-20.el5_5.1.s390x.rpm
File outdated by:  RHBA-2013:1297
    MD5: 42ab81269b88a1993ee29959db641669
SHA-256: 417cccd2d7cb18621c1ff4c14f064d8217465845815c02b0b888d81957459c13
rpm-devel-4.4.2.3-20.el5_5.1.s390.rpm
File outdated by:  RHBA-2013:1297
    MD5: 0609be7851edec5a8dc40dda5d3ac84d
SHA-256: eeef108bc795fd3201754c5d010fb8ccf6c05ed705f35fccbf75d505ca887a92
rpm-devel-4.4.2.3-20.el5_5.1.s390x.rpm
File outdated by:  RHBA-2013:1297
    MD5: 7cc8016fdfd84df603867f9dc7a04f51
SHA-256: e3cf7bacd3a619a7c917f19a437adfd44fabb9a54e336a7bd4f0f9cc4ab9f1cd
rpm-libs-4.4.2.3-20.el5_5.1.s390.rpm
File outdated by:  RHBA-2013:1297
    MD5: 17ecb880e5ae9bfe1129b67cd8f987e7
SHA-256: 5f04a81d74ee7795089859a3703fe7d253d85a5dcd7dcb57346e9af751a0c867
rpm-libs-4.4.2.3-20.el5_5.1.s390x.rpm
File outdated by:  RHBA-2013:1297
    MD5: b4ee1b63b56315ca5ce53fedfcd81a80
SHA-256: b896388eff9c8b0d2031775275f133031f6f5fb7bbfa79d3f4530123cf4cac57
rpm-python-4.4.2.3-20.el5_5.1.s390x.rpm
File outdated by:  RHBA-2013:1297
    MD5: 71dad104f693475b90d84f7a45c7d055
SHA-256: 57c39e497be228f5905eb47b70609d907107135231e300c4a9d5551e7b7ef630
 
x86_64:
popt-1.10.2.3-20.el5_5.1.i386.rpm
File outdated by:  RHBA-2013:1297
    MD5: fb3cfb7259613314237c4244c75c4024
SHA-256: c879318615763f9ad0479f4e5a003b44c133d05e7ffcac8f26917d6fc036ede7
popt-1.10.2.3-20.el5_5.1.x86_64.rpm
File outdated by:  RHBA-2013:1297
    MD5: fbc3859605ab654c8998636057833049
SHA-256: 5ac0dcec6fcf4ecbbfa82e3b3a69fd67047929336dbd71835c15f0e1b2ae5a8a
rpm-4.4.2.3-20.el5_5.1.x86_64.rpm
File outdated by:  RHBA-2013:1297
    MD5: 4a515477106d826a4e00a8091921947d
SHA-256: c1e97c9bd27608178bf5e66af4ff54bf33b3c373cea6edeffbfabc24714126ce
rpm-apidocs-4.4.2.3-20.el5_5.1.x86_64.rpm
File outdated by:  RHBA-2013:1297
    MD5: e5d14a77a98de75ead8a4ef06c7da4e7
SHA-256: c87dbc0f47acf3bad9942d5b0de6a4a087580278dc5043a96eb590cb8ea834c5
rpm-build-4.4.2.3-20.el5_5.1.x86_64.rpm
File outdated by:  RHBA-2013:1297
    MD5: 6795fa9da8d0486d8f09bf7305b8e4cf
SHA-256: fc9157d2492b2611dd9a6bd5601226a7e0f915106b1d74fbe5855939ec893afa
rpm-devel-4.4.2.3-20.el5_5.1.i386.rpm
File outdated by:  RHBA-2013:1297
    MD5: f7c25590c4fc90a95ebdef7087ceaab2
SHA-256: fe7278b4820f01e3f8ac45ed93dd06f16773c9f59c2a023a3a354c008e6bb24d
rpm-devel-4.4.2.3-20.el5_5.1.x86_64.rpm
File outdated by:  RHBA-2013:1297
    MD5: fb7eecee162d9e55e42a4d861e9483ef
SHA-256: bd521d09467339619672fce5561a30fe95e569e7d445f630fb1531def20042a5
rpm-libs-4.4.2.3-20.el5_5.1.i386.rpm
File outdated by:  RHBA-2013:1297
    MD5: 7568eccead16fa13a62115e8276cbad0
SHA-256: 1baf45c607050ef89f147565717aeb8b91b691ca1dff344ef6464e45a9f9d1c0
rpm-libs-4.4.2.3-20.el5_5.1.x86_64.rpm
File outdated by:  RHBA-2013:1297
    MD5: c39aae6cc2f7451dc945c74ee2181095
SHA-256: 344065896b9e1444563827810cf1e881cfd6acf7abcfc9cc1676a69864679eba
rpm-python-4.4.2.3-20.el5_5.1.x86_64.rpm
File outdated by:  RHBA-2013:1297
    MD5: 6ef15568df7139409425ce2305401a09
SHA-256: 7e75b19a27f2dab2ad6fbc31f7b09dd7b6d9adc4dd5f96ef0ae4449014d27efe
 
Red Hat Enterprise Linux Desktop (v. 5 client)

SRPMS:
rpm-4.4.2.3-20.el5_5.1.src.rpm
File outdated by:  RHBA-2013:1297
    MD5: 9310b536e45f3f1ba748d1d3b25c3be0
SHA-256: 869d80aa7515908038c5f01381be092899e8820040157e1cb9d1191a61ab6a05
 
IA-32:
popt-1.10.2.3-20.el5_5.1.i386.rpm
File outdated by:  RHBA-2013:1297
    MD5: fb3cfb7259613314237c4244c75c4024
SHA-256: c879318615763f9ad0479f4e5a003b44c133d05e7ffcac8f26917d6fc036ede7
rpm-4.4.2.3-20.el5_5.1.i386.rpm
File outdated by:  RHBA-2013:1297
    MD5: ccd0d822e3e565487368d193ee8da70f
SHA-256: 0fd80611e6889777a500c2afe32c60b36ce1f062819914ec6d7b914ccd5370ef
rpm-libs-4.4.2.3-20.el5_5.1.i386.rpm
File outdated by:  RHBA-2013:1297
    MD5: 7568eccead16fa13a62115e8276cbad0
SHA-256: 1baf45c607050ef89f147565717aeb8b91b691ca1dff344ef6464e45a9f9d1c0
rpm-python-4.4.2.3-20.el5_5.1.i386.rpm
File outdated by:  RHBA-2013:1297
    MD5: e71e30265e37bb347fbaebbbb6e31a00
SHA-256: 3ebc12fe7630ae79c0e6d5a9fd79be8bdd93c34c426b89a8a0f3c67c9a210bf6
 
x86_64:
popt-1.10.2.3-20.el5_5.1.i386.rpm
File outdated by:  RHBA-2013:1297
    MD5: fb3cfb7259613314237c4244c75c4024
SHA-256: c879318615763f9ad0479f4e5a003b44c133d05e7ffcac8f26917d6fc036ede7
popt-1.10.2.3-20.el5_5.1.x86_64.rpm
File outdated by:  RHBA-2013:1297
    MD5: fbc3859605ab654c8998636057833049
SHA-256: 5ac0dcec6fcf4ecbbfa82e3b3a69fd67047929336dbd71835c15f0e1b2ae5a8a
rpm-4.4.2.3-20.el5_5.1.x86_64.rpm
File outdated by:  RHBA-2013:1297
    MD5: 4a515477106d826a4e00a8091921947d
SHA-256: c1e97c9bd27608178bf5e66af4ff54bf33b3c373cea6edeffbfabc24714126ce
rpm-libs-4.4.2.3-20.el5_5.1.i386.rpm
File outdated by:  RHBA-2013:1297
    MD5: 7568eccead16fa13a62115e8276cbad0
SHA-256: 1baf45c607050ef89f147565717aeb8b91b691ca1dff344ef6464e45a9f9d1c0
rpm-libs-4.4.2.3-20.el5_5.1.x86_64.rpm
File outdated by:  RHBA-2013:1297
    MD5: c39aae6cc2f7451dc945c74ee2181095
SHA-256: 344065896b9e1444563827810cf1e881cfd6acf7abcfc9cc1676a69864679eba
rpm-python-4.4.2.3-20.el5_5.1.x86_64.rpm
File outdated by:  RHBA-2013:1297
    MD5: 6ef15568df7139409425ce2305401a09
SHA-256: 7e75b19a27f2dab2ad6fbc31f7b09dd7b6d9adc4dd5f96ef0ae4449014d27efe
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

598775 - CVE-2010-2059 rpm: fails to drop SUID/SGID bits on package upgrade
627630 - rpm: selinux context initialization memory leak


References
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/