製品・ソフトウェアに関する情報

JVN脆弱性詳細

RPM におけるサービス運用妨害 (クラッシュ) の脆弱性

タイトル	RPM におけるサービス運用妨害 (クラッシュ) の脆弱性
概要	RPM は、region タグを適切に検証しないため、サービス運用妨害 (クラッシュ) 状態にされる、および任意のコードを実行される脆弱性が存在します。
想定される影響	第三者により、(1) headerLoad、(2) rpmReadSignature、または (3) headerVerify 関数の package ヘッダ内の無効な region タグを介して、サービス運用妨害 (クラッシュ) 状態にされる、および任意のコードを実行される可能性があります。
対策	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
公表日	2012年6月4日0:00
登録日	2012年6月6日14:28
最終更新日	2012年12月17日16:26

CVSS2.0 : 警告
スコア	6.8
ベクター	AV:N/AC:M/Au:N/C:P/I:P/A:P

影響を受けるシステム

VMware

VMware ESX 3.5

VMware ESX 4.0

VMware ESX 4.1

VMware ESXi

RPM

RPM Package Manager 4.9.1.3 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	名前	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2012-0060	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0060
National Vulnerability Database (NVD)
2	CVE-2012-0060	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0060

CWE (共通脆弱性タイプ一覧)

No	名前	URL
JVNDB
1	CWE-20	https://jvndb.jvn.jp/ja/cwe/CWE-20.html

ベンダー情報

No	名前	URL
Fedora Update Notification
1	FEDORA-2012-5298	http://lists.fedoraproject.org/pipermail/package-announce/2012-April/077960.html
2	FEDORA-2012-5420	http://lists.fedoraproject.org/pipermail/package-announce/2012-April/078819.html
3	FEDORA-2012-5421	http://lists.fedoraproject.org/pipermail/package-announce/2012-April/078907.html
opensuse-security-announce
4	openSUSE-SU-2012:0588	https://hermes.opensuse.org/messages/14440932
5	openSUSE-SU-2012:0589	https://hermes.opensuse.org/messages/14441362
Red Hat Bugzilla
6	Bug 744858	https://bugzilla.redhat.com/show_bug.cgi?id=744858
Red Hat Security Advisory
7	RHSA-2012:0451	http://rhn.redhat.com/errata/RHSA-2012-0451.html
RPM
8	Differentiate between non-existent and invalid region tag	http://rpm.org/gitweb?p=rpm.git;a=commitdiff;h=f23998251992b8ae25faf5113c42fee2c49c7f29
9	RPM 4.9.1.3 Release Notes	http://rpm.org/wiki/Releases/4.9.1.3
10	Specifically validate region tag on header import	http://rpm.org/gitweb?p=rpm.git;a=commitdiff;h=e4eab2bc6d07cfd33f740071de7ddbb2fe2f4190
VMware Security Advisories
11	VMSA-2012-0013	http://www.vmware.com/jp/support/support-resources/advisories/VMSA-2012-0013.html

変更履歴

No	変更内容	変更日
0	[2012年06月06日] 掲載 [2012年06月08日] CVSS による深刻度：基本値と脆弱性評価基準を変更 [2012年08月27日] ベンダ情報：Fedora Project (FEDORA-2012-5421) を追加ベンダ情報：Fedora Project (FEDORA-2012-5420) を追加ベンダ情報：Fedora Project (FEDORA-2012-5298) を追加 [2012年12月17日] 影響を受けるシステム：VMware (VMSA-2012-0013) の情報を追加ベンダ情報：VMware (VMSA-2012-0013) を追加	2018年2月17日10:37

NVD脆弱性情報

CVE-2012-0060

概要	RPM before 4.9.1.3 does not properly validate region tags, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an invalid region tag in a package header to the (1) headerLoad, (2) rpmReadSignature, or (3) headerVerify function.
公表日	2012年6月5日5:55
登録日	2021年1月28日14:52
最終更新日	2024年11月21日10:34

影響を受けるソフトウェアの構成

構成1	以上	以下	より上	未満
cpe:2.3:a:rpm:rpm:2.3.5:::::::*
cpe:2.3:a:rpm:rpm:4.4.2.1:::::::*
cpe:2.3:a:rpm:rpm:1.4.3:::::::*
cpe:2.3:a:rpm:rpm:3.0.1:::::::*
cpe:2.3:a:rpm:rpm:4.1:::::::*
cpe:2.3:a:rpm:rpm:2.2.3.11:::::::*
cpe:2.3:a:rpm:rpm:4.8.0:::::::*
cpe:2.3:a:rpm:rpm:2.4.4:::::::*
cpe:2.3:a:rpm:rpm:2.3.8:::::::*
cpe:2.3:a:rpm:rpm:2.0.6:::::::*
cpe:2.3:a:rpm:rpm:1.4.4:::::::*
cpe:2.3:a:rpm:rpm:1.4.2\/a:::::::*
cpe:2.3:a:rpm:rpm:2.4.1:::::::*
cpe:2.3:a:rpm:rpm:2.4.9:::::::*
cpe:2.3:a:rpm:rpm:2.6.7:::::::*
cpe:2.3:a:rpm:rpm::::::::		4.9.1.2
cpe:2.3:a:rpm:rpm:1.4:::::::*
cpe:2.3:a:rpm:rpm:2.0.10:::::::*
cpe:2.3:a:rpm:rpm:2.4.5:::::::*
cpe:2.3:a:rpm:rpm:4.9.0:alpha::::::
cpe:2.3:a:rpm:rpm:4.0.1:::::::*
cpe:2.3:a:rpm:rpm:2.2.11:::::::*
cpe:2.3:a:rpm:rpm:4.0.4:::::::*
cpe:2.3:a:rpm:rpm:2.2.1:::::::*
cpe:2.3:a:rpm:rpm:2.0.1:::::::*
cpe:2.3:a:rpm:rpm:1.4.2:::::::*
cpe:2.3:a:rpm:rpm:3.0.3:::::::*
cpe:2.3:a:rpm:rpm:2.0.7:::::::*
cpe:2.3:a:rpm:rpm:4.0.2:::::::*
cpe:2.3:a:rpm:rpm:2.2.8:::::::*
cpe:2.3:a:rpm:rpm:3.0.2:::::::*
cpe:2.3:a:rpm:rpm:4.6.0:::::::*
cpe:2.3:a:rpm:rpm:1.2:::::::*
cpe:2.3:a:rpm:rpm:4.0.:::::::*
cpe:2.3:a:rpm:rpm:2.1.1:::::::*
cpe:2.3:a:rpm:rpm:4.3.3:::::::*
cpe:2.3:a:rpm:rpm:2.5.5:::::::*
cpe:2.3:a:rpm:rpm:2.0.8:::::::*
cpe:2.3:a:rpm:rpm:4.8.1:::::::*
cpe:2.3:a:rpm:rpm:2.3:::::::*
cpe:2.3:a:rpm:rpm:4.4.2.2:::::::*
cpe:2.3:a:rpm:rpm:2.4.8:::::::*
cpe:2.3:a:rpm:rpm:3.0.4:::::::*
cpe:2.3:a:rpm:rpm:2.5.6:::::::*
cpe:2.3:a:rpm:rpm:2.0:::::::*
cpe:2.3:a:rpm:rpm:2.0.2:::::::*
cpe:2.3:a:rpm:rpm:2.3.2:::::::*
cpe:2.3:a:rpm:rpm:2.4.3:::::::*
cpe:2.3:a:rpm:rpm:4.9.0:::::::*
cpe:2.3:a:rpm:rpm:2.4.2:::::::*
cpe:2.3:a:rpm:rpm:1.4.5:::::::*
cpe:2.3:a:rpm:rpm:2.0.11:::::::*
cpe:2.3:a:rpm:rpm:4.9.0:rc1::::::
cpe:2.3:a:rpm:rpm:3.0.5:::::::*
cpe:2.3:a:rpm:rpm:1.3:::::::*
cpe:2.3:a:rpm:rpm:4.7.2:::::::*
cpe:2.3:a:rpm:rpm:4.9.1:::::::*
cpe:2.3:a:rpm:rpm:2.2.3:::::::*
cpe:2.3:a:rpm:rpm:2.2:::::::*
cpe:2.3:a:rpm:rpm:2.1.2:::::::*
cpe:2.3:a:rpm:rpm:4.6.0:rc2::::::
cpe:2.3:a:rpm:rpm:2.3.9:::::::*
cpe:2.3:a:rpm:rpm:4.6.0:rc1::::::
cpe:2.3:a:rpm:rpm:2.2.4:::::::*
cpe:2.3:a:rpm:rpm:4.6.0:rc3::::::
cpe:2.3:a:rpm:rpm:2.2.9:::::::*
cpe:2.3:a:rpm:rpm:2.5.3:::::::*
cpe:2.3:a:rpm:rpm:2.2.6:::::::*
cpe:2.3:a:rpm:rpm:4.7.0:::::::*
cpe:2.3:a:rpm:rpm:2.3.6:::::::*
cpe:2.3:a:rpm:rpm:2.5:::::::*
cpe:2.3:a:rpm:rpm:2.2.3.10:::::::*
cpe:2.3:a:rpm:rpm:4.9.1.1:::::::*
cpe:2.3:a:rpm:rpm:2.0.5:::::::*
cpe:2.3:a:rpm:rpm:1.4.1:::::::*
cpe:2.3:a:rpm:rpm:4.4.2.3:::::::*
cpe:2.3:a:rpm:rpm:2.4.12:::::::*
cpe:2.3:a:rpm:rpm:2.5.4:::::::*
cpe:2.3:a:rpm:rpm:4.6.1:::::::*
cpe:2.3:a:rpm:rpm:1.4.7:::::::*
cpe:2.3:a:rpm:rpm:3.0:::::::*
cpe:2.3:a:rpm:rpm:1.4.6:::::::*
cpe:2.3:a:rpm:rpm:2.5.2:::::::*
cpe:2.3:a:rpm:rpm:2.4.11:::::::*
cpe:2.3:a:rpm:rpm:2.0.9:::::::*
cpe:2.3:a:rpm:rpm:2.1:::::::*
cpe:2.3:a:rpm:rpm:2.2.10:::::::*
cpe:2.3:a:rpm:rpm:2.3.3:::::::*
cpe:2.3:a:rpm:rpm:2.3.7:::::::*
cpe:2.3:a:rpm:rpm:2.3.4:::::::*
cpe:2.3:a:rpm:rpm:4.6.0:rc4::::::
cpe:2.3:a:rpm:rpm:4.7.1:::::::*
cpe:2.3:a:rpm:rpm:2.0.4:::::::*
cpe:2.3:a:rpm:rpm:4.9.0:beta1::::::
cpe:2.3:a:rpm:rpm:1.3.1:::::::*
cpe:2.3:a:rpm:rpm:3.0.6:::::::*
cpe:2.3:a:rpm:rpm:2.0.3:::::::*
cpe:2.3:a:rpm:rpm:2.3.1:::::::*
cpe:2.3:a:rpm:rpm:4.0.3:::::::*
cpe:2.3:a:rpm:rpm:2.4.6:::::::*
cpe:2.3:a:rpm:rpm:4.5.90:::::::*
cpe:2.3:a:rpm:rpm:2.5.1:::::::*
cpe:2.3:a:rpm:rpm:2.2.5:::::::*
cpe:2.3:a:rpm:rpm:2.2.2:::::::*
cpe:2.3:a:rpm:rpm:2.2.7:::::::*

関連情報、対策とツール

No	URL	タグ
1	http://lists.fedoraproject.org/pipermail/package-announce/2012-April/077960.html
2	http://lists.fedoraproject.org/pipermail/package-announce/2012-April/078819.html
3	http://lists.fedoraproject.org/pipermail/package-announce/2012-April/078907.html
4	http://rhn.redhat.com/errata/RHSA-2012-0451.html
5	http://rhn.redhat.com/errata/RHSA-2012-0531.html
6	http://rpm.org/gitweb?p=rpm.git%3Ba=commitdiff%3Bh=e4eab2bc6d07cfd33f740071de7ddbb2fe2f4190
7	http://rpm.org/gitweb?p=rpm.git%3Ba=commitdiff%3Bh=f23998251992b8ae25faf5113c42fee2c49c7f29
8	http://rpm.org/wiki/Releases/4.9.1.3
9	http://secunia.com/advisories/48651	Vendor Advisory
10	http://secunia.com/advisories/48716	Vendor Advisory
11	http://secunia.com/advisories/49110	Vendor Advisory
12	http://www.mandriva.com/security/advisories?name=MDVSA-2012:056
13	http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
14	http://www.osvdb.org/81010
15	http://www.securityfocus.com/bid/52865
16	http://www.securitytracker.com/id?1026882
17	http://www.ubuntu.com/usn/USN-1695-1
18	https://bugzilla.redhat.com/show_bug.cgi?id=744858
19	https://exchange.xforce.ibmcloud.com/vulnerabilities/74582
20	https://hermes.opensuse.org/messages/14440932
21	https://hermes.opensuse.org/messages/14441362
22	http://lists.fedoraproject.org/pipermail/package-announce/2012-April/077960.html
23	https://hermes.opensuse.org/messages/14441362
24	https://hermes.opensuse.org/messages/14440932
25	https://exchange.xforce.ibmcloud.com/vulnerabilities/74582
26	https://bugzilla.redhat.com/show_bug.cgi?id=744858
27	http://www.ubuntu.com/usn/USN-1695-1
28	http://www.securitytracker.com/id?1026882
29	http://www.securityfocus.com/bid/52865
30	http://www.osvdb.org/81010
31	http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
32	http://www.mandriva.com/security/advisories?name=MDVSA-2012:056
33	http://secunia.com/advisories/49110	Vendor Advisory
34	http://secunia.com/advisories/48716	Vendor Advisory
35	http://secunia.com/advisories/48651	Vendor Advisory
36	http://rpm.org/wiki/Releases/4.9.1.3
37	http://rpm.org/gitweb?p=rpm.git%3Ba=commitdiff%3Bh=f23998251992b8ae25faf5113c42fee2c49c7f29
38	http://rpm.org/gitweb?p=rpm.git%3Ba=commitdiff%3Bh=e4eab2bc6d07cfd33f740071de7ddbb2fe2f4190
39	http://rhn.redhat.com/errata/RHSA-2012-0531.html
40	http://rhn.redhat.com/errata/RHSA-2012-0451.html
41	http://lists.fedoraproject.org/pipermail/package-announce/2012-April/078907.html
42	http://lists.fedoraproject.org/pipermail/package-announce/2012-April/078819.html

共通脆弱性一覧

No	CWE	名前	URL
1	CWE-20	不適切な入力確認	https://cwe.mitre.org/data/definitions/20.html

構成1	以上	以下	より上	未満
cpe:2.3:a:rpm:rpm:2.3.5:::::::*
cpe:2.3:a:rpm:rpm:4.4.2.1:::::::*
cpe:2.3:a:rpm:rpm:1.4.3:::::::*
cpe:2.3:a:rpm:rpm:3.0.1:::::::*
cpe:2.3:a:rpm:rpm:4.1:::::::*
cpe:2.3:a:rpm:rpm:2.2.3.11:::::::*
cpe:2.3:a:rpm:rpm:4.8.0:::::::*
cpe:2.3:a:rpm:rpm:2.4.4:::::::*
cpe:2.3:a:rpm:rpm:2.3.8:::::::*
cpe:2.3:a:rpm:rpm:2.0.6:::::::*
cpe:2.3:a:rpm:rpm:1.4.4:::::::*
cpe:2.3:a:rpm:rpm:1.4.2\/a:::::::*
cpe:2.3:a:rpm:rpm:2.4.1:::::::*
cpe:2.3:a:rpm:rpm:2.4.9:::::::*
cpe:2.3:a:rpm:rpm:2.6.7:::::::*
cpe:2.3:a:rpm:rpm::::::::		4.9.1.2
cpe:2.3:a:rpm:rpm:1.4:::::::*
cpe:2.3:a:rpm:rpm:2.0.10:::::::*
cpe:2.3:a:rpm:rpm:2.4.5:::::::*
cpe:2.3:a:rpm:rpm:4.9.0:alpha::::::
cpe:2.3:a:rpm:rpm:4.0.1:::::::*
cpe:2.3:a:rpm:rpm:2.2.11:::::::*
cpe:2.3:a:rpm:rpm:4.0.4:::::::*
cpe:2.3:a:rpm:rpm:2.2.1:::::::*
cpe:2.3:a:rpm:rpm:2.0.1:::::::*
cpe:2.3:a:rpm:rpm:1.4.2:::::::*
cpe:2.3:a:rpm:rpm:3.0.3:::::::*
cpe:2.3:a:rpm:rpm:2.0.7:::::::*
cpe:2.3:a:rpm:rpm:4.0.2:::::::*
cpe:2.3:a:rpm:rpm:2.2.8:::::::*
cpe:2.3:a:rpm:rpm:3.0.2:::::::*
cpe:2.3:a:rpm:rpm:4.6.0:::::::*
cpe:2.3:a:rpm:rpm:1.2:::::::*
cpe:2.3:a:rpm:rpm:4.0.:::::::*
cpe:2.3:a:rpm:rpm:2.1.1:::::::*
cpe:2.3:a:rpm:rpm:4.3.3:::::::*
cpe:2.3:a:rpm:rpm:2.5.5:::::::*
cpe:2.3:a:rpm:rpm:2.0.8:::::::*
cpe:2.3:a:rpm:rpm:4.8.1:::::::*
cpe:2.3:a:rpm:rpm:2.3:::::::*
cpe:2.3:a:rpm:rpm:4.4.2.2:::::::*
cpe:2.3:a:rpm:rpm:2.4.8:::::::*
cpe:2.3:a:rpm:rpm:3.0.4:::::::*
cpe:2.3:a:rpm:rpm:2.5.6:::::::*
cpe:2.3:a:rpm:rpm:2.0:::::::*
cpe:2.3:a:rpm:rpm:2.0.2:::::::*
cpe:2.3:a:rpm:rpm:2.3.2:::::::*
cpe:2.3:a:rpm:rpm:2.4.3:::::::*
cpe:2.3:a:rpm:rpm:4.9.0:::::::*
cpe:2.3:a:rpm:rpm:2.4.2:::::::*
cpe:2.3:a:rpm:rpm:1.4.5:::::::*
cpe:2.3:a:rpm:rpm:2.0.11:::::::*
cpe:2.3:a:rpm:rpm:4.9.0:rc1::::::
cpe:2.3:a:rpm:rpm:3.0.5:::::::*
cpe:2.3:a:rpm:rpm:1.3:::::::*
cpe:2.3:a:rpm:rpm:4.7.2:::::::*
cpe:2.3:a:rpm:rpm:4.9.1:::::::*
cpe:2.3:a:rpm:rpm:2.2.3:::::::*
cpe:2.3:a:rpm:rpm:2.2:::::::*
cpe:2.3:a:rpm:rpm:2.1.2:::::::*
cpe:2.3:a:rpm:rpm:4.6.0:rc2::::::
cpe:2.3:a:rpm:rpm:2.3.9:::::::*
cpe:2.3:a:rpm:rpm:4.6.0:rc1::::::
cpe:2.3:a:rpm:rpm:2.2.4:::::::*
cpe:2.3:a:rpm:rpm:4.6.0:rc3::::::
cpe:2.3:a:rpm:rpm:2.2.9:::::::*
cpe:2.3:a:rpm:rpm:2.5.3:::::::*
cpe:2.3:a:rpm:rpm:2.2.6:::::::*
cpe:2.3:a:rpm:rpm:4.7.0:::::::*
cpe:2.3:a:rpm:rpm:2.3.6:::::::*
cpe:2.3:a:rpm:rpm:2.5:::::::*
cpe:2.3:a:rpm:rpm:2.2.3.10:::::::*
cpe:2.3:a:rpm:rpm:4.9.1.1:::::::*
cpe:2.3:a:rpm:rpm:2.0.5:::::::*
cpe:2.3:a:rpm:rpm:1.4.1:::::::*
cpe:2.3:a:rpm:rpm:4.4.2.3:::::::*
cpe:2.3:a:rpm:rpm:2.4.12:::::::*
cpe:2.3:a:rpm:rpm:2.5.4:::::::*
cpe:2.3:a:rpm:rpm:4.6.1:::::::*
cpe:2.3:a:rpm:rpm:1.4.7:::::::*
cpe:2.3:a:rpm:rpm:3.0:::::::*
cpe:2.3:a:rpm:rpm:1.4.6:::::::*
cpe:2.3:a:rpm:rpm:2.5.2:::::::*
cpe:2.3:a:rpm:rpm:2.4.11:::::::*
cpe:2.3:a:rpm:rpm:2.0.9:::::::*
cpe:2.3:a:rpm:rpm:2.1:::::::*
cpe:2.3:a:rpm:rpm:2.2.10:::::::*
cpe:2.3:a:rpm:rpm:2.3.3:::::::*
cpe:2.3:a:rpm:rpm:2.3.7:::::::*
cpe:2.3:a:rpm:rpm:2.3.4:::::::*
cpe:2.3:a:rpm:rpm:4.6.0:rc4::::::
cpe:2.3:a:rpm:rpm:4.7.1:::::::*
cpe:2.3:a:rpm:rpm:2.0.4:::::::*
cpe:2.3:a:rpm:rpm:4.9.0:beta1::::::
cpe:2.3:a:rpm:rpm:1.3.1:::::::*
cpe:2.3:a:rpm:rpm:3.0.6:::::::*
cpe:2.3:a:rpm:rpm:2.0.3:::::::*
cpe:2.3:a:rpm:rpm:2.3.1:::::::*
cpe:2.3:a:rpm:rpm:4.0.3:::::::*
cpe:2.3:a:rpm:rpm:2.4.6:::::::*
cpe:2.3:a:rpm:rpm:4.5.90:::::::*
cpe:2.3:a:rpm:rpm:2.5.1:::::::*
cpe:2.3:a:rpm:rpm:2.2.5:::::::*
cpe:2.3:a:rpm:rpm:2.2.2:::::::*
cpe:2.3:a:rpm:rpm:2.2.7:::::::*