librpmbuild9-4.16.1.3-3.2 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:11305 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z librpmbuild9-4.16.1.3-3.2 on GA media These are all security issues fixed in the librpmbuild9-4.16.1.3-3.2 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-11305 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:11305 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2017-7500/ SUSE CVE CVE-2017-7500 page https://www.suse.com/security/cve/CVE-2021-3421/ SUSE CVE CVE-2021-3421 page openSUSE Tumbleweed librpmbuild9-4.16.1.3-3.2 rpm-4.16.1.3-3.2 rpm-32bit-4.16.1.3-3.2 rpm-build-4.16.1.3-3.2 rpm-build-perl-4.16.1.3-3.2 rpm-build-python-4.16.1.3-3.2 rpm-devel-4.16.1.3-3.2 librpmbuild9-4.16.1.3-3.2 as a component of openSUSE Tumbleweed rpm-4.16.1.3-3.2 as a component of openSUSE Tumbleweed rpm-32bit-4.16.1.3-3.2 as a component of openSUSE Tumbleweed rpm-build-4.16.1.3-3.2 as a component of openSUSE Tumbleweed rpm-build-perl-4.16.1.3-3.2 as a component of openSUSE Tumbleweed rpm-build-python-4.16.1.3-3.2 as a component of openSUSE Tumbleweed rpm-devel-4.16.1.3-3.2 as a component of openSUSE Tumbleweed It was found that rpm did not properly handle RPM installations when a destination path was a symbolic link to a directory, possibly changing ownership and permissions of an arbitrary directory, and RPM files being placed in an arbitrary destination. An attacker, with write access to a directory in which a subdirectory will be installed, could redirect that directory to an arbitrary location and gain root privilege. CVE-2017-7500 openSUSE Tumbleweed:librpmbuild9-4.16.1.3-3.2 openSUSE Tumbleweed:rpm-32bit-4.16.1.3-3.2 openSUSE Tumbleweed:rpm-4.16.1.3-3.2 openSUSE Tumbleweed:rpm-build-4.16.1.3-3.2 openSUSE Tumbleweed:rpm-build-perl-4.16.1.3-3.2 openSUSE Tumbleweed:rpm-build-python-4.16.1.3-3.2 openSUSE Tumbleweed:rpm-devel-4.16.1.3-3.2 moderate 6.8 AV:L/AC:L/Au:S/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-7500.html CVE-2017-7500 https://bugzilla.suse.com/1126909 SUSE Bug 1126909 https://bugzilla.suse.com/1135195 SUSE Bug 1135195 https://bugzilla.suse.com/1157882 SUSE Bug 1157882 https://bugzilla.suse.com/1157883 SUSE Bug 1157883 https://bugzilla.suse.com/943457 SUSE Bug 943457 https://bugzilla.suse.com/964063 SUSE Bug 964063 A flaw was found in the RPM package in the read functionality. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package or compromise an RPM repository, to cause RPM database corruption. The highest threat from this vulnerability is to data integrity. This flaw affects RPM versions before 4.17.0-alpha. CVE-2021-3421 openSUSE Tumbleweed:librpmbuild9-4.16.1.3-3.2 openSUSE Tumbleweed:rpm-32bit-4.16.1.3-3.2 openSUSE Tumbleweed:rpm-4.16.1.3-3.2 openSUSE Tumbleweed:rpm-build-4.16.1.3-3.2 openSUSE Tumbleweed:rpm-build-perl-4.16.1.3-3.2 openSUSE Tumbleweed:rpm-build-python-4.16.1.3-3.2 openSUSE Tumbleweed:rpm-devel-4.16.1.3-3.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-3421.html CVE-2021-3421 https://bugzilla.suse.com/1183543 SUSE Bug 1183543