A flaw was found in RPM's signature check functionality when reading a package file. An attacker who can convince a victim to install a seemingly verifiable package whose signature header has been modified can use this flaw to corrupt the RPM database and execute code. The highest threat from this vulnerability is to data integrity, confidentiality, and system availability.
| Software | From | Fixed in |
|---|---|---|
| rpm / rpm | 4.16.0-beta2 | 4.16.0-beta2.x |
| rpm / rpm | 4.16.0-beta3 | 4.16.0-beta3.x |
| rpm / rpm | 4.16.0-rc1 | 4.16.0-rc1.x |
| rpm / rpm | 4.16.0-alpha | 4.16.0-alpha.x |
| rpm / rpm | 4.15.0-beta1 | 4.15.0-beta1.x |
| rpm / rpm | 4.15.0-rc1 | 4.15.0-rc1.x |
| rpm / rpm | 4.15.0-alpha | 4.15.0-alpha.x |
| rpm / rpm | 4.15.0 | 4.15.1.3 |
| rpm / rpm | 4.16.0 | 4.16.1.3 |
| redhat / enterprise_linux | 8.0 | 8.0.x |
| fedoraproject / fedora | 32 | 32.x |
| fedoraproject / fedora | 33 | 33.x |
| fedoraproject / fedora | 34 | 34.x |
| starwindsoftware / starwind_virtual_san | 8-build14398 | 8-build14398.x |