RPM Package Manager (RPM) improper verification of signed RPM packages
| rpm-improper-sig-verification (10011) |  Medium Risk |
Description:
RPM Package Manager (RPM) fails to properly verify the authenticity of signed RPM packages in certain situations. This could allow a remote attacker to cause a victim to download malicious packages, which would appear as though they originated from a trusted source.
Consequences:
Bypass Security
Remedy:
Upgrade to the latest production release of RPM (4.1 or later), when it becomes available from the RPM Web site. See References.
References:
- Full-Disclosure Mailing List, Thu Aug 29 2002 - 06:18:11 CDT: RPM verification.
- RPM Web site: RPM Package Manager.
- BID-5594: RPM Package Manager Signature Verification Insufficient User Feedback Weakness
- CVE-2002-2204: The default --checksig setting in RPM Package Manager 4.0.4 checks that a package's signature is valid without listing who signed it, which can allow remote attackers to make it appear that a malicious package comes from a trusted source.
Platforms Affected:
- RPM Project RPM 4.0.4
Reported:
Aug 29, 2002
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net