製品・ソフトウェアに関する情報

JVN脆弱性詳細

RPM におけるサービス運用妨害 (クラッシュ) の脆弱性

Title	RPM におけるサービス運用妨害 (クラッシュ) の脆弱性
Summary	RPM は、region タグを適切に検証しないため、サービス運用妨害 (クラッシュ) 状態にされる、および任意のコードを実行される脆弱性が存在します。
Possible impacts	第三者により、(1) headerLoad、(2) rpmReadSignature、または (3) headerVerify 関数の package ヘッダ内の無効な region タグを介して、サービス運用妨害 (クラッシュ) 状態にされる、および任意のコードを実行される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	June 4, 2012, midnight
Registration Date	June 6, 2012, 2:28 p.m.
Last Update	Dec. 17, 2012, 4:26 p.m.

CVSS2.0 : 警告
Score	6.8
Vector	AV:N/AC:M/Au:N/C:P/I:P/A:P

Affected System

VMware

VMware ESX 3.5

VMware ESX 4.0

VMware ESX 4.1

VMware ESXi

RPM

RPM Package Manager 4.9.1.3 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2012-0060	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0060
National Vulnerability Database (NVD)
2	CVE-2012-0060	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0060

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-20	https://jvndb.jvn.jp/ja/cwe/CWE-20.html

ベンダー情報

No	Name	URL
Fedora Update Notification
1	FEDORA-2012-5298	http://lists.fedoraproject.org/pipermail/package-announce/2012-April/077960.html
2	FEDORA-2012-5420	http://lists.fedoraproject.org/pipermail/package-announce/2012-April/078819.html
3	FEDORA-2012-5421	http://lists.fedoraproject.org/pipermail/package-announce/2012-April/078907.html
opensuse-security-announce
4	openSUSE-SU-2012:0588	https://hermes.opensuse.org/messages/14440932
5	openSUSE-SU-2012:0589	https://hermes.opensuse.org/messages/14441362
Red Hat Bugzilla
6	Bug 744858	https://bugzilla.redhat.com/show_bug.cgi?id=744858
Red Hat Security Advisory
7	RHSA-2012:0451	http://rhn.redhat.com/errata/RHSA-2012-0451.html
RPM
8	Differentiate between non-existent and invalid region tag	http://rpm.org/gitweb?p=rpm.git;a=commitdiff;h=f23998251992b8ae25faf5113c42fee2c49c7f29
9	RPM 4.9.1.3 Release Notes	http://rpm.org/wiki/Releases/4.9.1.3
10	Specifically validate region tag on header import	http://rpm.org/gitweb?p=rpm.git;a=commitdiff;h=e4eab2bc6d07cfd33f740071de7ddbb2fe2f4190
VMware Security Advisories
11	VMSA-2012-0013	http://www.vmware.com/jp/support/support-resources/advisories/VMSA-2012-0013.html

Change Log

No	Changed Details	Date of change
0	[2012年06月06日] 掲載 [2012年06月08日] CVSS による深刻度：基本値と脆弱性評価基準を変更 [2012年08月27日] ベンダ情報：Fedora Project (FEDORA-2012-5421) を追加ベンダ情報：Fedora Project (FEDORA-2012-5420) を追加ベンダ情報：Fedora Project (FEDORA-2012-5298) を追加 [2012年12月17日] 影響を受けるシステム：VMware (VMSA-2012-0013) の情報を追加ベンダ情報：VMware (VMSA-2012-0013) を追加	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2012-0060

Summary	RPM before 4.9.1.3 does not properly validate region tags, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an invalid region tag in a package header to the (1) headerLoad, (2) rpmReadSignature, or (3) headerVerify function.
Publication Date	June 5, 2012, 5:55 a.m.
Registration Date	Jan. 28, 2021, 2:52 p.m.
Last Update	Nov. 21, 2024, 10:34 a.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:rpm:rpm:2.3.5:::::::*
cpe:2.3:a:rpm:rpm:4.4.2.1:::::::*
cpe:2.3:a:rpm:rpm:1.4.3:::::::*
cpe:2.3:a:rpm:rpm:3.0.1:::::::*
cpe:2.3:a:rpm:rpm:4.1:::::::*
cpe:2.3:a:rpm:rpm:2.2.3.11:::::::*
cpe:2.3:a:rpm:rpm:4.8.0:::::::*
cpe:2.3:a:rpm:rpm:2.4.4:::::::*
cpe:2.3:a:rpm:rpm:2.3.8:::::::*
cpe:2.3:a:rpm:rpm:2.0.6:::::::*
cpe:2.3:a:rpm:rpm:1.4.4:::::::*
cpe:2.3:a:rpm:rpm:1.4.2\/a:::::::*
cpe:2.3:a:rpm:rpm:2.4.1:::::::*
cpe:2.3:a:rpm:rpm:2.4.9:::::::*
cpe:2.3:a:rpm:rpm:2.6.7:::::::*
cpe:2.3:a:rpm:rpm::::::::		4.9.1.2
cpe:2.3:a:rpm:rpm:1.4:::::::*
cpe:2.3:a:rpm:rpm:2.0.10:::::::*
cpe:2.3:a:rpm:rpm:2.4.5:::::::*
cpe:2.3:a:rpm:rpm:4.9.0:alpha::::::
cpe:2.3:a:rpm:rpm:4.0.1:::::::*
cpe:2.3:a:rpm:rpm:2.2.11:::::::*
cpe:2.3:a:rpm:rpm:4.0.4:::::::*
cpe:2.3:a:rpm:rpm:2.2.1:::::::*
cpe:2.3:a:rpm:rpm:2.0.1:::::::*
cpe:2.3:a:rpm:rpm:1.4.2:::::::*
cpe:2.3:a:rpm:rpm:3.0.3:::::::*
cpe:2.3:a:rpm:rpm:2.0.7:::::::*
cpe:2.3:a:rpm:rpm:4.0.2:::::::*
cpe:2.3:a:rpm:rpm:2.2.8:::::::*
cpe:2.3:a:rpm:rpm:3.0.2:::::::*
cpe:2.3:a:rpm:rpm:4.6.0:::::::*
cpe:2.3:a:rpm:rpm:1.2:::::::*
cpe:2.3:a:rpm:rpm:4.0.:::::::*
cpe:2.3:a:rpm:rpm:2.1.1:::::::*
cpe:2.3:a:rpm:rpm:4.3.3:::::::*
cpe:2.3:a:rpm:rpm:2.5.5:::::::*
cpe:2.3:a:rpm:rpm:2.0.8:::::::*
cpe:2.3:a:rpm:rpm:4.8.1:::::::*
cpe:2.3:a:rpm:rpm:2.3:::::::*
cpe:2.3:a:rpm:rpm:4.4.2.2:::::::*
cpe:2.3:a:rpm:rpm:2.4.8:::::::*
cpe:2.3:a:rpm:rpm:3.0.4:::::::*
cpe:2.3:a:rpm:rpm:2.5.6:::::::*
cpe:2.3:a:rpm:rpm:2.0:::::::*
cpe:2.3:a:rpm:rpm:2.0.2:::::::*
cpe:2.3:a:rpm:rpm:2.3.2:::::::*
cpe:2.3:a:rpm:rpm:2.4.3:::::::*
cpe:2.3:a:rpm:rpm:4.9.0:::::::*
cpe:2.3:a:rpm:rpm:2.4.2:::::::*
cpe:2.3:a:rpm:rpm:1.4.5:::::::*
cpe:2.3:a:rpm:rpm:2.0.11:::::::*
cpe:2.3:a:rpm:rpm:4.9.0:rc1::::::
cpe:2.3:a:rpm:rpm:3.0.5:::::::*
cpe:2.3:a:rpm:rpm:1.3:::::::*
cpe:2.3:a:rpm:rpm:4.7.2:::::::*
cpe:2.3:a:rpm:rpm:4.9.1:::::::*
cpe:2.3:a:rpm:rpm:2.2.3:::::::*
cpe:2.3:a:rpm:rpm:2.2:::::::*
cpe:2.3:a:rpm:rpm:2.1.2:::::::*
cpe:2.3:a:rpm:rpm:4.6.0:rc2::::::
cpe:2.3:a:rpm:rpm:2.3.9:::::::*
cpe:2.3:a:rpm:rpm:4.6.0:rc1::::::
cpe:2.3:a:rpm:rpm:2.2.4:::::::*
cpe:2.3:a:rpm:rpm:4.6.0:rc3::::::
cpe:2.3:a:rpm:rpm:2.2.9:::::::*
cpe:2.3:a:rpm:rpm:2.5.3:::::::*
cpe:2.3:a:rpm:rpm:2.2.6:::::::*
cpe:2.3:a:rpm:rpm:4.7.0:::::::*
cpe:2.3:a:rpm:rpm:2.3.6:::::::*
cpe:2.3:a:rpm:rpm:2.5:::::::*
cpe:2.3:a:rpm:rpm:2.2.3.10:::::::*
cpe:2.3:a:rpm:rpm:4.9.1.1:::::::*
cpe:2.3:a:rpm:rpm:2.0.5:::::::*
cpe:2.3:a:rpm:rpm:1.4.1:::::::*
cpe:2.3:a:rpm:rpm:4.4.2.3:::::::*
cpe:2.3:a:rpm:rpm:2.4.12:::::::*
cpe:2.3:a:rpm:rpm:2.5.4:::::::*
cpe:2.3:a:rpm:rpm:4.6.1:::::::*
cpe:2.3:a:rpm:rpm:1.4.7:::::::*
cpe:2.3:a:rpm:rpm:3.0:::::::*
cpe:2.3:a:rpm:rpm:1.4.6:::::::*
cpe:2.3:a:rpm:rpm:2.5.2:::::::*
cpe:2.3:a:rpm:rpm:2.4.11:::::::*
cpe:2.3:a:rpm:rpm:2.0.9:::::::*
cpe:2.3:a:rpm:rpm:2.1:::::::*
cpe:2.3:a:rpm:rpm:2.2.10:::::::*
cpe:2.3:a:rpm:rpm:2.3.3:::::::*
cpe:2.3:a:rpm:rpm:2.3.7:::::::*
cpe:2.3:a:rpm:rpm:2.3.4:::::::*
cpe:2.3:a:rpm:rpm:4.6.0:rc4::::::
cpe:2.3:a:rpm:rpm:4.7.1:::::::*
cpe:2.3:a:rpm:rpm:2.0.4:::::::*
cpe:2.3:a:rpm:rpm:4.9.0:beta1::::::
cpe:2.3:a:rpm:rpm:1.3.1:::::::*
cpe:2.3:a:rpm:rpm:3.0.6:::::::*
cpe:2.3:a:rpm:rpm:2.0.3:::::::*
cpe:2.3:a:rpm:rpm:2.3.1:::::::*
cpe:2.3:a:rpm:rpm:4.0.3:::::::*
cpe:2.3:a:rpm:rpm:2.4.6:::::::*
cpe:2.3:a:rpm:rpm:4.5.90:::::::*
cpe:2.3:a:rpm:rpm:2.5.1:::::::*
cpe:2.3:a:rpm:rpm:2.2.5:::::::*
cpe:2.3:a:rpm:rpm:2.2.2:::::::*
cpe:2.3:a:rpm:rpm:2.2.7:::::::*

Related information, measures and tools

No	URL	タグ
1	http://lists.fedoraproject.org/pipermail/package-announce/2012-April/077960.html
2	http://lists.fedoraproject.org/pipermail/package-announce/2012-April/078819.html
3	http://lists.fedoraproject.org/pipermail/package-announce/2012-April/078907.html
4	http://rhn.redhat.com/errata/RHSA-2012-0451.html
5	http://rhn.redhat.com/errata/RHSA-2012-0531.html
6	http://rpm.org/gitweb?p=rpm.git%3Ba=commitdiff%3Bh=e4eab2bc6d07cfd33f740071de7ddbb2fe2f4190
7	http://rpm.org/gitweb?p=rpm.git%3Ba=commitdiff%3Bh=f23998251992b8ae25faf5113c42fee2c49c7f29
8	http://rpm.org/wiki/Releases/4.9.1.3
9	http://secunia.com/advisories/48651	Vendor Advisory
10	http://secunia.com/advisories/48716	Vendor Advisory
11	http://secunia.com/advisories/49110	Vendor Advisory
12	http://www.mandriva.com/security/advisories?name=MDVSA-2012:056
13	http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
14	http://www.osvdb.org/81010
15	http://www.securityfocus.com/bid/52865
16	http://www.securitytracker.com/id?1026882
17	http://www.ubuntu.com/usn/USN-1695-1
18	https://bugzilla.redhat.com/show_bug.cgi?id=744858
19	https://exchange.xforce.ibmcloud.com/vulnerabilities/74582
20	https://hermes.opensuse.org/messages/14440932
21	https://hermes.opensuse.org/messages/14441362
22	http://lists.fedoraproject.org/pipermail/package-announce/2012-April/077960.html
23	https://hermes.opensuse.org/messages/14441362
24	https://hermes.opensuse.org/messages/14440932
25	https://exchange.xforce.ibmcloud.com/vulnerabilities/74582
26	https://bugzilla.redhat.com/show_bug.cgi?id=744858
27	http://www.ubuntu.com/usn/USN-1695-1
28	http://www.securitytracker.com/id?1026882
29	http://www.securityfocus.com/bid/52865
30	http://www.osvdb.org/81010
31	http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
32	http://www.mandriva.com/security/advisories?name=MDVSA-2012:056
33	http://secunia.com/advisories/49110	Vendor Advisory
34	http://secunia.com/advisories/48716	Vendor Advisory
35	http://secunia.com/advisories/48651	Vendor Advisory
36	http://rpm.org/wiki/Releases/4.9.1.3
37	http://rpm.org/gitweb?p=rpm.git%3Ba=commitdiff%3Bh=f23998251992b8ae25faf5113c42fee2c49c7f29
38	http://rpm.org/gitweb?p=rpm.git%3Ba=commitdiff%3Bh=e4eab2bc6d07cfd33f740071de7ddbb2fe2f4190
39	http://rhn.redhat.com/errata/RHSA-2012-0531.html
40	http://rhn.redhat.com/errata/RHSA-2012-0451.html
41	http://lists.fedoraproject.org/pipermail/package-announce/2012-April/078907.html
42	http://lists.fedoraproject.org/pipermail/package-announce/2012-April/078819.html

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-20	不適切な入力確認	https://cwe.mitre.org/data/definitions/20.html

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:rpm:rpm:2.3.5:::::::*
cpe:2.3:a:rpm:rpm:4.4.2.1:::::::*
cpe:2.3:a:rpm:rpm:1.4.3:::::::*
cpe:2.3:a:rpm:rpm:3.0.1:::::::*
cpe:2.3:a:rpm:rpm:4.1:::::::*
cpe:2.3:a:rpm:rpm:2.2.3.11:::::::*
cpe:2.3:a:rpm:rpm:4.8.0:::::::*
cpe:2.3:a:rpm:rpm:2.4.4:::::::*
cpe:2.3:a:rpm:rpm:2.3.8:::::::*
cpe:2.3:a:rpm:rpm:2.0.6:::::::*
cpe:2.3:a:rpm:rpm:1.4.4:::::::*
cpe:2.3:a:rpm:rpm:1.4.2\/a:::::::*
cpe:2.3:a:rpm:rpm:2.4.1:::::::*
cpe:2.3:a:rpm:rpm:2.4.9:::::::*
cpe:2.3:a:rpm:rpm:2.6.7:::::::*
cpe:2.3:a:rpm:rpm::::::::		4.9.1.2
cpe:2.3:a:rpm:rpm:1.4:::::::*
cpe:2.3:a:rpm:rpm:2.0.10:::::::*
cpe:2.3:a:rpm:rpm:2.4.5:::::::*
cpe:2.3:a:rpm:rpm:4.9.0:alpha::::::
cpe:2.3:a:rpm:rpm:4.0.1:::::::*
cpe:2.3:a:rpm:rpm:2.2.11:::::::*
cpe:2.3:a:rpm:rpm:4.0.4:::::::*
cpe:2.3:a:rpm:rpm:2.2.1:::::::*
cpe:2.3:a:rpm:rpm:2.0.1:::::::*
cpe:2.3:a:rpm:rpm:1.4.2:::::::*
cpe:2.3:a:rpm:rpm:3.0.3:::::::*
cpe:2.3:a:rpm:rpm:2.0.7:::::::*
cpe:2.3:a:rpm:rpm:4.0.2:::::::*
cpe:2.3:a:rpm:rpm:2.2.8:::::::*
cpe:2.3:a:rpm:rpm:3.0.2:::::::*
cpe:2.3:a:rpm:rpm:4.6.0:::::::*
cpe:2.3:a:rpm:rpm:1.2:::::::*
cpe:2.3:a:rpm:rpm:4.0.:::::::*
cpe:2.3:a:rpm:rpm:2.1.1:::::::*
cpe:2.3:a:rpm:rpm:4.3.3:::::::*
cpe:2.3:a:rpm:rpm:2.5.5:::::::*
cpe:2.3:a:rpm:rpm:2.0.8:::::::*
cpe:2.3:a:rpm:rpm:4.8.1:::::::*
cpe:2.3:a:rpm:rpm:2.3:::::::*
cpe:2.3:a:rpm:rpm:4.4.2.2:::::::*
cpe:2.3:a:rpm:rpm:2.4.8:::::::*
cpe:2.3:a:rpm:rpm:3.0.4:::::::*
cpe:2.3:a:rpm:rpm:2.5.6:::::::*
cpe:2.3:a:rpm:rpm:2.0:::::::*
cpe:2.3:a:rpm:rpm:2.0.2:::::::*
cpe:2.3:a:rpm:rpm:2.3.2:::::::*
cpe:2.3:a:rpm:rpm:2.4.3:::::::*
cpe:2.3:a:rpm:rpm:4.9.0:::::::*
cpe:2.3:a:rpm:rpm:2.4.2:::::::*
cpe:2.3:a:rpm:rpm:1.4.5:::::::*
cpe:2.3:a:rpm:rpm:2.0.11:::::::*
cpe:2.3:a:rpm:rpm:4.9.0:rc1::::::
cpe:2.3:a:rpm:rpm:3.0.5:::::::*
cpe:2.3:a:rpm:rpm:1.3:::::::*
cpe:2.3:a:rpm:rpm:4.7.2:::::::*
cpe:2.3:a:rpm:rpm:4.9.1:::::::*
cpe:2.3:a:rpm:rpm:2.2.3:::::::*
cpe:2.3:a:rpm:rpm:2.2:::::::*
cpe:2.3:a:rpm:rpm:2.1.2:::::::*
cpe:2.3:a:rpm:rpm:4.6.0:rc2::::::
cpe:2.3:a:rpm:rpm:2.3.9:::::::*
cpe:2.3:a:rpm:rpm:4.6.0:rc1::::::
cpe:2.3:a:rpm:rpm:2.2.4:::::::*
cpe:2.3:a:rpm:rpm:4.6.0:rc3::::::
cpe:2.3:a:rpm:rpm:2.2.9:::::::*
cpe:2.3:a:rpm:rpm:2.5.3:::::::*
cpe:2.3:a:rpm:rpm:2.2.6:::::::*
cpe:2.3:a:rpm:rpm:4.7.0:::::::*
cpe:2.3:a:rpm:rpm:2.3.6:::::::*
cpe:2.3:a:rpm:rpm:2.5:::::::*
cpe:2.3:a:rpm:rpm:2.2.3.10:::::::*
cpe:2.3:a:rpm:rpm:4.9.1.1:::::::*
cpe:2.3:a:rpm:rpm:2.0.5:::::::*
cpe:2.3:a:rpm:rpm:1.4.1:::::::*
cpe:2.3:a:rpm:rpm:4.4.2.3:::::::*
cpe:2.3:a:rpm:rpm:2.4.12:::::::*
cpe:2.3:a:rpm:rpm:2.5.4:::::::*
cpe:2.3:a:rpm:rpm:4.6.1:::::::*
cpe:2.3:a:rpm:rpm:1.4.7:::::::*
cpe:2.3:a:rpm:rpm:3.0:::::::*
cpe:2.3:a:rpm:rpm:1.4.6:::::::*
cpe:2.3:a:rpm:rpm:2.5.2:::::::*
cpe:2.3:a:rpm:rpm:2.4.11:::::::*
cpe:2.3:a:rpm:rpm:2.0.9:::::::*
cpe:2.3:a:rpm:rpm:2.1:::::::*
cpe:2.3:a:rpm:rpm:2.2.10:::::::*
cpe:2.3:a:rpm:rpm:2.3.3:::::::*
cpe:2.3:a:rpm:rpm:2.3.7:::::::*
cpe:2.3:a:rpm:rpm:2.3.4:::::::*
cpe:2.3:a:rpm:rpm:4.6.0:rc4::::::
cpe:2.3:a:rpm:rpm:4.7.1:::::::*
cpe:2.3:a:rpm:rpm:2.0.4:::::::*
cpe:2.3:a:rpm:rpm:4.9.0:beta1::::::
cpe:2.3:a:rpm:rpm:1.3.1:::::::*
cpe:2.3:a:rpm:rpm:3.0.6:::::::*
cpe:2.3:a:rpm:rpm:2.0.3:::::::*
cpe:2.3:a:rpm:rpm:2.3.1:::::::*
cpe:2.3:a:rpm:rpm:4.0.3:::::::*
cpe:2.3:a:rpm:rpm:2.4.6:::::::*
cpe:2.3:a:rpm:rpm:4.5.90:::::::*
cpe:2.3:a:rpm:rpm:2.5.1:::::::*
cpe:2.3:a:rpm:rpm:2.2.5:::::::*
cpe:2.3:a:rpm:rpm:2.2.2:::::::*
cpe:2.3:a:rpm:rpm:2.2.7:::::::*