CVE-2021-20271
Published: 26 March 2021
A flaw was found in RPM's signature check functionality when reading a package file. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package, whose signature header was modified, to cause RPM database corruption and execute code. The highest threat from this vulnerability is to data integrity, confidentiality, and system availability.
Notes
| Author | Note |
|---|---|
| seth-arnold | Only debugedit and librpmio9 binary packages are in main, and triaged with view to how they are used in the build process as described in https://bugs.launchpad.net/ubuntu/+source/rpm/+bug/1913871 |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
rpm Launchpad, Ubuntu, Debian |
bionic |
Released
(4.14.1+dfsg1-2ubuntu0.1~esm1)
Available with Ubuntu Pro |
| focal |
Released
(4.14.2.1+dfsg1-1ubuntu0.1~esm1)
Available with Ubuntu Pro |
|
| groovy |
Ignored
(end of life)
|
|
| hirsute |
Ignored
(end of life)
|
|
| impish |
Ignored
(end of life)
|
|
| jammy |
Not vulnerable
(4.17.0+dfsg1-1)
|
|
| kinetic |
Not vulnerable
(4.17.0+dfsg1-1)
|
|
| lunar |
Not vulnerable
(4.17.0+dfsg1-1)
|
|
| mantic |
Not vulnerable
(4.17.0+dfsg1-1)
|
|
| noble |
Not vulnerable
(4.17.0+dfsg1-1)
|
|
| trusty |
Needed
|
|
| upstream |
Released
(4.17.0+dfsg1-1)
|
|
| xenial |
Released
(4.12.0.1+dfsg1-3ubuntu0.1~esm1)
Available with Ubuntu Pro |
|
| Binaries built from this source package are in Universe and so are supported by the community. | ||
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 7.0 |
| Attack vector | Local |
| Attack complexity | High |
| Privileges required | None |
| User interaction | Required |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |