CVE-2013-6435

Race condition in RPM 4.11.1 and earlier allows remote attackers to execute arbitrary code via a crafted RPM file whose installation extracts the contents to temporary files before validating the signature, as demonstrated by installing a file in the /etc/cron.d directory.

CVSS v2.0 7.6 HIGH

7.6^/10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:H/Au:N/C:C/I:C/A:C

Exploitability : 4.9 / Impact : 10.0

Access Vector NETWORK

Access Complexity HIGH

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
http://advisories.mageia.org/MGASA-2014-0529.html
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705
http://rhn.redhat.com/errata/RHSA-2014-1974.html
http://rhn.redhat.com/errata/RHSA-2014-1975.html
http://rhn.redhat.com/errata/RHSA-2014-1976.html
http://www.debian.org/security/2015/dsa-3129
http://www.mandriva.com/security/advisories?name=MDVSA-2014:251
http://www.mandriva.com/security/advisories?name=MDVSA-2015:056
http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
http://www.securityfocus.com/bid/71558
https://bugzilla.redhat.com/show_bug.cgi?id=1039811
https://security.gentoo.org/glsa/201811-22
https://securityblog.redhat.com/2014/12/10/analysis-of-the-cve-2013-6435-flaw-in-rpm/

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:rpm:rpm::::::::
	cpe:2.3:a:rpm:rpm:1.2:::::::*
	cpe:2.3:a:rpm:rpm:1.3:::::::*
	cpe:2.3:a:rpm:rpm:1.3.1:::::::*
	cpe:2.3:a:rpm:rpm:1.4:::::::*
	cpe:2.3:a:rpm:rpm:1.4.1:::::::*
	cpe:2.3:a:rpm:rpm:1.4.2:::::::*
	cpe:2.3:a:rpm:rpm:1.4.2\/a:::::::*
	cpe:2.3:a:rpm:rpm:1.4.3:::::::*
	cpe:2.3:a:rpm:rpm:1.4.4:::::::*
	cpe:2.3:a:rpm:rpm:1.4.5:::::::*
	cpe:2.3:a:rpm:rpm:1.4.6:::::::*
	cpe:2.3:a:rpm:rpm:1.4.7:::::::*
	cpe:2.3:a:rpm:rpm:2.0:::::::*
	cpe:2.3:a:rpm:rpm:2.0.1:::::::*
	cpe:2.3:a:rpm:rpm:2.0.2:::::::*
	cpe:2.3:a:rpm:rpm:2.0.3:::::::*
	cpe:2.3:a:rpm:rpm:2.0.4:::::::*
	cpe:2.3:a:rpm:rpm:2.0.5:::::::*
	cpe:2.3:a:rpm:rpm:2.0.6:::::::*
	cpe:2.3:a:rpm:rpm:2.0.7:::::::*
	cpe:2.3:a:rpm:rpm:2.0.8:::::::*
	cpe:2.3:a:rpm:rpm:2.0.9:::::::*
	cpe:2.3:a:rpm:rpm:2.0.10:::::::*
	cpe:2.3:a:rpm:rpm:2.0.11:::::::*
	cpe:2.3:a:rpm:rpm:2.1:::::::*
	cpe:2.3:a:rpm:rpm:2.1.1:::::::*
	cpe:2.3:a:rpm:rpm:2.1.2:::::::*
	cpe:2.3:a:rpm:rpm:2.2:::::::*
	cpe:2.3:a:rpm:rpm:2.2.1:::::::*
	cpe:2.3:a:rpm:rpm:2.2.2:::::::*
	cpe:2.3:a:rpm:rpm:2.2.3:::::::*
	cpe:2.3:a:rpm:rpm:2.2.3.10:::::::*
	cpe:2.3:a:rpm:rpm:2.2.3.11:::::::*
	cpe:2.3:a:rpm:rpm:2.2.4:::::::*
	cpe:2.3:a:rpm:rpm:2.2.5:::::::*
	cpe:2.3:a:rpm:rpm:2.2.6:::::::*
	cpe:2.3:a:rpm:rpm:2.2.7:::::::*
	cpe:2.3:a:rpm:rpm:2.2.8:::::::*
	cpe:2.3:a:rpm:rpm:2.2.9:::::::*
	cpe:2.3:a:rpm:rpm:2.2.10:::::::*
	cpe:2.3:a:rpm:rpm:2.2.11:::::::*
	cpe:2.3:a:rpm:rpm:2.3:::::::*
	cpe:2.3:a:rpm:rpm:2.3.1:::::::*
	cpe:2.3:a:rpm:rpm:2.3.2:::::::*
	cpe:2.3:a:rpm:rpm:2.3.3:::::::*
	cpe:2.3:a:rpm:rpm:2.3.4:::::::*
	cpe:2.3:a:rpm:rpm:2.3.5:::::::*
	cpe:2.3:a:rpm:rpm:2.3.6:::::::*
	cpe:2.3:a:rpm:rpm:2.3.7:::::::*
	cpe:2.3:a:rpm:rpm:2.3.8:::::::*
	cpe:2.3:a:rpm:rpm:2.3.9:::::::*
	cpe:2.3:a:rpm:rpm:2.4.1:::::::*
	cpe:2.3:a:rpm:rpm:2.4.2:::::::*
	cpe:2.3:a:rpm:rpm:2.4.3:::::::*
	cpe:2.3:a:rpm:rpm:2.4.4:::::::*
	cpe:2.3:a:rpm:rpm:2.4.5:::::::*
	cpe:2.3:a:rpm:rpm:2.4.6:::::::*
	cpe:2.3:a:rpm:rpm:2.4.8:::::::*
	cpe:2.3:a:rpm:rpm:2.4.9:::::::*
	cpe:2.3:a:rpm:rpm:2.4.11:::::::*
	cpe:2.3:a:rpm:rpm:2.4.12:::::::*
	cpe:2.3:a:rpm:rpm:2.5:::::::*
	cpe:2.3:a:rpm:rpm:2.5.1:::::::*
cpe:2.3:a:rpm:rpm:2.5.2:::::::*
cpe:2.3:a:rpm:rpm:2.5.3:::::::*
cpe:2.3:a:rpm:rpm:2.5.4:::::::*
cpe:2.3:a:rpm:rpm:2.5.5:::::::*
cpe:2.3:a:rpm:rpm:2.5.6:::::::*
cpe:2.3:a:rpm:rpm:2.6.7:::::::*
cpe:2.3:a:rpm:rpm:3.0:::::::*
cpe:2.3:a:rpm:rpm:3.0.1:::::::*
cpe:2.3:a:rpm:rpm:3.0.2:::::::*
cpe:2.3:a:rpm:rpm:3.0.3:::::::*
cpe:2.3:a:rpm:rpm:3.0.4:::::::*
cpe:2.3:a:rpm:rpm:3.0.5:::::::*
cpe:2.3:a:rpm:rpm:3.0.6:::::::*
cpe:2.3:a:rpm:rpm:4.0.:::::::*
cpe:2.3:a:rpm:rpm:4.0.1:::::::*
cpe:2.3:a:rpm:rpm:4.0.2:::::::*
cpe:2.3:a:rpm:rpm:4.0.3:::::::*
cpe:2.3:a:rpm:rpm:4.0.4:::::::*
cpe:2.3:a:rpm:rpm:4.1:::::::*
cpe:2.3:a:rpm:rpm:4.3.3:::::::*
cpe:2.3:a:rpm:rpm:4.4.2.1:::::::*
cpe:2.3:a:rpm:rpm:4.4.2.2:::::::*
cpe:2.3:a:rpm:rpm:4.4.2.3:::::::*
cpe:2.3:a:rpm:rpm:4.5.90:::::::*
cpe:2.3:a:rpm:rpm:4.6.0:::::::*
cpe:2.3:a:rpm:rpm:4.6.0:rc1::::::
cpe:2.3:a:rpm:rpm:4.6.0:rc2::::::
cpe:2.3:a:rpm:rpm:4.6.0:rc3::::::
cpe:2.3:a:rpm:rpm:4.6.0:rc4::::::
cpe:2.3:a:rpm:rpm:4.6.1:::::::*
cpe:2.3:a:rpm:rpm:4.7.0:::::::*
cpe:2.3:a:rpm:rpm:4.7.1:::::::*
cpe:2.3:a:rpm:rpm:4.7.2:::::::*
cpe:2.3:a:rpm:rpm:4.8.0:::::::*
cpe:2.3:a:rpm:rpm:4.8.1:::::::*
cpe:2.3:a:rpm:rpm:4.9.0:::::::*
cpe:2.3:a:rpm:rpm:4.9.0:alpha::::::
cpe:2.3:a:rpm:rpm:4.9.0:beta1::::::
cpe:2.3:a:rpm:rpm:4.9.0:rc1::::::
cpe:2.3:a:rpm:rpm:4.9.1:::::::*
cpe:2.3:a:rpm:rpm:4.9.1.1:::::::*
cpe:2.3:a:rpm:rpm:4.9.1.2:::::::*
cpe:2.3:a:rpm:rpm:4.10.0:::::::*
cpe:2.3:a:rpm:rpm:4.10.1:::::::*
cpe:2.3:a:rpm:rpm:4.10.2:::::::*

Configuration 2 (hide)

cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*

History

13 Feb 2023, 00:29

Type	Values Removed	Values Added
References	~~{'url': 'https://access.redhat.com/errata/RHSA-2014:1975', 'name': 'https://access.redhat.com/errata/RHSA-2014:1975', 'tags': [], 'refsource': 'MISC'}~~ ~~{'url': 'https://access.redhat.com/errata/RHSA-2014:1974', 'name': 'https://access.redhat.com/errata/RHSA-2014:1974', 'tags': [], 'refsource': 'MISC'}~~ ~~{'url': 'https://access.redhat.com/errata/RHSA-2014:1976', 'name': 'https://access.redhat.com/errata/RHSA-2014:1976', 'tags': [], 'refsource': 'MISC'}~~ ~~{'url': 'https://access.redhat.com/security/cve/CVE-2013-6435', 'name': 'https://access.redhat.com/security/cve/CVE-2013-6435', 'tags': [], 'refsource': 'MISC'}~~
Summary	It was found that RPM wrote file contents to the target installation directory under a temporary name, and verified its cryptographic signature only after the temporary file has been written completely. Under certain conditions, the system interprets the unverified temporary file contents and extracts commands from it. This could allow an attacker to modify signed RPM files in such a way that they would execute code chosen by the attacker during package installation.	Race condition in RPM 4.11.1 and earlier allows remote attackers to execute arbitrary code via a crafted RPM file whose installation extracts the contents to temporary files before validating the signature, as demonstrated by installing a file in the /etc/cron.d directory.

02 Feb 2023, 20:15

Type	Values Removed	Values Added
Summary	Race condition in RPM 4.11.1 and earlier allows remote attackers to execute arbitrary code via a crafted RPM file whose installation extracts the contents to temporary files before validating the signature, as demonstrated by installing a file in the /etc/cron.d directory.	It was found that RPM wrote file contents to the target installation directory under a temporary name, and verified its cryptographic signature only after the temporary file has been written completely. Under certain conditions, the system interprets the unverified temporary file contents and extracts commands from it. This could allow an attacker to modify signed RPM files in such a way that they would execute code chosen by the attacker during package installation.
References		(MISC) https://access.redhat.com/errata/RHSA-2014:1975 - (MISC) https://access.redhat.com/errata/RHSA-2014:1974 - (MISC) https://access.redhat.com/errata/RHSA-2014:1976 - (MISC) https://access.redhat.com/security/cve/CVE-2013-6435 -

Information

Published : 2014-12-16 18:59

Updated : 2023-12-10 11:31

NVD link : CVE-2013-6435

Mitre link : CVE-2013-6435

CVE.ORG link : CVE-2013-6435

JSON object : View

Products Affected

debian

debian_linux

rpm

CWE

CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

7.6 /10