---------------------------------------------------------------------- Become a PSI 3.0 beta tester! Test-drive the new beta version and tell us what you think about its extended automatic update function and significantly enhanced user-interface. Download it here! http://secunia.com/psi_30_beta_launch ---------------------------------------------------------------------- TITLE: Gentoo update for rpm SECUNIA ADVISORY ID: SA49680 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/49680/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=49680 RELEASE DATE: 2012-06-25 DISCUSS ADVISORY: http://secunia.com/advisories/49680/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/49680/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=49680 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Gentoo has issued an update for rpm. This fixes multiple weaknesses and vulnerabilities, which can be exploited by malicious, local users to bypass certain access restrictions and gain escalated privileges and by malicious people to manipulate certain data and compromise a user's system. For more information: SA40028 SA46096 SA48651 1) An error when parsing spec files can be exploited to remove home directories via a ";~" sequence in a Name tag. 2) An error when replacing or deleting a file in an RPM package does not properly reset the metadata and can be exploited to bypass access restrictions via a hard link to a vulnerable file with a POSIX ACL. SOLUTION: Update to "app-arch/rpm-4.9.1.3" or later. ORIGINAL ADVISORY: GLSA 201206-26: http://www.gentoo.org/security/en/glsa/glsa-201206-26.xml OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------