Vulnerabilities > CVE-2006-5466

047910
CVSS 5.4 - MEDIUM
Attack vector
NETWORK
Attack complexity
HIGH
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
COMPLETE
network
high complexity
rpm
ubuntu
nessus

Summary

Heap-based buffer overflow in the showQueryPackage function in librpm in RPM Package Manager 4.4.8, when the LANG environment variable is set to ru_RU.UTF-8, might allow user-assisted attackers to execute arbitrary code via crafted RPM packages. Successful exploitation may allow the execution of arbitrary code, but requires that certain locales are set (e.g. ru_RU.UTF-8). There are patches available for each affected Ubuntu product.

Vulnerable Configurations

Part Description Count
Application
Rpm
1
OS
Ubuntu
2

Nessus

  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2006-200.NASL
    descriptionA heap-based buffer overflow was discovered in librpm when the LANG or LC_ALL environment variable is set to ru_RU.UTF-8 (and possibly other locales), which could allow for user-assisted attackers to execute arbitrary code via crafted RPM packages. Updated packages have been patched to correct this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id24585
    published2007-02-18
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/24585
    titleMandrake Linux Security Advisory : rpm (MDKSA-2006:200)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandrake Linux Security Advisory MDKSA-2006:200. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(24585);
      script_version ("1.16");
      script_cvs_date("Date: 2019/08/02 13:32:48");
    
      script_cve_id("CVE-2006-5466");
      script_xref(name:"MDKSA", value:"2006:200");
    
      script_name(english:"Mandrake Linux Security Advisory : rpm (MDKSA-2006:200)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Mandrake Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "A heap-based buffer overflow was discovered in librpm when the LANG or
    LC_ALL environment variable is set to ru_RU.UTF-8 (and possibly other
    locales), which could allow for user-assisted attackers to execute
    arbitrary code via crafted RPM packages.
    
    Updated packages have been patched to correct this issue."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=212833"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:N/I:N/A:C");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64popt0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64popt0-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64rpm4.4");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64rpm4.4-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libpopt0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libpopt0-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:librpm4.4");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:librpm4.4-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:perl-RPM");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:popt-data");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:python-rpm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:rpm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:rpm-build");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2006");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2007");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2006/11/07");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/02/18");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"MDK2006.0", cpu:"x86_64", reference:"lib64popt0-1.10.2-4.1.20060mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", cpu:"x86_64", reference:"lib64popt0-devel-1.10.2-4.1.20060mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", cpu:"x86_64", reference:"lib64rpm4.4-4.4.2-4.1.20060mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", cpu:"x86_64", reference:"lib64rpm4.4-devel-4.4.2-4.1.20060mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", cpu:"i386", reference:"libpopt0-1.10.2-4.1.20060mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", cpu:"i386", reference:"libpopt0-devel-1.10.2-4.1.20060mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", cpu:"i386", reference:"librpm4.4-4.4.2-4.1.20060mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", cpu:"i386", reference:"librpm4.4-devel-4.4.2-4.1.20060mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", reference:"popt-data-1.10.2-4.1.20060mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", reference:"python-rpm-4.4.2-4.1.20060mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", reference:"rpm-4.4.2-4.1.20060mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", reference:"rpm-build-4.4.2-4.1.20060mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK2007.0", cpu:"x86_64", reference:"lib64popt0-1.10.6-10.1mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", cpu:"x86_64", reference:"lib64popt0-devel-1.10.6-10.1mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", cpu:"x86_64", reference:"lib64rpm4.4-4.4.6-10.1mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", cpu:"x86_64", reference:"lib64rpm4.4-devel-4.4.6-10.1mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", cpu:"i386", reference:"libpopt0-1.10.6-10.1mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", cpu:"i386", reference:"libpopt0-devel-1.10.6-10.1mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", cpu:"i386", reference:"librpm4.4-4.4.6-10.1mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", cpu:"i386", reference:"librpm4.4-devel-4.4.6-10.1mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", reference:"perl-RPM-0.66-16.1mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", reference:"popt-data-1.10.6-10.1mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", reference:"python-rpm-4.4.6-10.1mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", reference:"rpm-4.4.6-10.1mdv2007.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2007.0", reference:"rpm-build-4.4.6-10.1mdv2007.0", yank:"mdv")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-378-1.NASL
    descriptionAn error was found in the RPM library
    last seen2020-06-01
    modified2020-06-02
    plugin id27960
    published2007-11-10
    reporterUbuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/27960
    titleUbuntu 6.06 LTS / 6.10 : rpm vulnerability (USN-378-1)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-378-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(27960);
      script_version("1.14");
      script_cvs_date("Date: 2019/08/02 13:33:01");
    
      script_cve_id("CVE-2006-5466");
      script_xref(name:"USN", value:"378-1");
    
      script_name(english:"Ubuntu 6.06 LTS / 6.10 : rpm vulnerability (USN-378-1)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An error was found in the RPM library's handling of query reports. In
    some locales, certain RPM packages would cause the library to crash.
    If a user was tricked into querying a specially crafted RPM package,
    the flaw could be exploited to execute arbitrary code with the user's
    privileges.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/378-1/"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:N/I:N/A:C");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:librpm-dev");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:librpm4");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:lsb-rpm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:python-rpm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:python2.4-rpm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:rpm");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:6.06:-:lts");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:6.10");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2006/11/03");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/11/10");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! ereg(pattern:"^(6\.06|6\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 6.06 / 6.10", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    flag = 0;
    
    if (ubuntu_check(osver:"6.06", pkgname:"librpm-dev", pkgver:"4.4.1-5ubuntu2.1")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"librpm4", pkgver:"4.4.1-5ubuntu2.1")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"lsb-rpm", pkgver:"4.4.1-5ubuntu2.1")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"python2.4-rpm", pkgver:"4.4.1-5ubuntu2.1")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"rpm", pkgver:"4.4.1-5ubuntu2.1")) flag++;
    if (ubuntu_check(osver:"6.10", pkgname:"librpm-dev", pkgver:"4.4.1-9.1ubuntu0.1")) flag++;
    if (ubuntu_check(osver:"6.10", pkgname:"librpm4", pkgver:"4.4.1-9.1ubuntu0.1")) flag++;
    if (ubuntu_check(osver:"6.10", pkgname:"lsb-rpm", pkgver:"4.4.1-9.1ubuntu0.1")) flag++;
    if (ubuntu_check(osver:"6.10", pkgname:"python-rpm", pkgver:"4.4.1-9.1ubuntu0.1")) flag++;
    if (ubuntu_check(osver:"6.10", pkgname:"rpm", pkgver:"4.4.1-9.1ubuntu0.1")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "librpm-dev / librpm4 / lsb-rpm / python-rpm / python2.4-rpm / rpm");
    }
    
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-200611-08.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-200611-08 (RPM: Buffer overflow) Vladimir Mosgalin has reported that when processing certain packages, RPM incorrectly allocates memory for the packages, possibly causing a heap-based buffer overflow. Impact : An attacker could entice a user to open a specially crafted RPM package and execute code with the privileges of that user if certain locales are set. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id23673
    published2006-11-20
    reporterThis script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/23673
    titleGLSA-200611-08 : RPM: Buffer overflow

Statements

contributorJoshua Bressers
lastmodified2007-03-14
organizationRed Hat
statementRed Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=213515 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.