漏洞描述
RPM软件包管理器(RPM)是一个命令行驱动的软件包管理系统,用于安装、卸载、验证、查询和升级计算机软件包。
RPM在安装进程中存在竞争条件漏洞,攻击者可利用此漏洞在受影响应用上下文中执行任意代码。
解决方法
以下是各Linux/Unix发行版系统针对此漏洞发布的安全公告,可以参考对应系统的安全公告修复该漏洞:
Ubuntu
----------------
USN-2479-1: [USN-2479-1] RPM vulnerabilities
链接: https://www.ubuntu.com/usn/usn-2479-1
Red Hat Enterprise Linux
----------------
链接: https://access.redhat.com/security/cve/CVE-2013-6435
CentOS
----------------
CESA-2014:1974: CESA-2014:1974 Important CentOS 6 rpm Security Update
链接: https://lists.centos.org/pipermail/centos-announce/2014-December/020818.html
CESA-2014:1974: CESA-2014:1974 Important CentOS 5 rpm Security Update
链接: https://lists.centos.org/pipermail/centos-announce/2014-December/020819.html
CESA-2014:1976: CESA-2014:1976 Important CentOS 7 rpm Security Update
链接: https://lists.centos.org/pipermail/centos-announce/2014-December/020821.html
Gentoo
----------------
GLSA-201811-22: RPM: Multiple vulnerabilities
链接: https://security.gentoo.org/glsa/201811-22
openSUSE
----------------
openSUSE-SU-2014:1716-1: openSUSE Security Update: Security update for python3-rpm, rpm, rpm-python
链接: https://lists.opensuse.org/opensuse-updates/2014-12/msg00100.html
SUSE
----------------
链接: https://www.suse.com/security/cve/CVE-2013-6435/
Fedora
----------------
FEDORA-2014-16890: Fedora 21 Update: rpm-4.12.0.1-4.fc21
链接: https://lists.fedoraproject.org/pipermail/package-announce/2014-December/146308.html
FEDORA-2014-16838: Fedora 20 Update: rpm-4.11.3-2.fc20
链接: https://lists.fedoraproject.org/pipermail/package-announce/2014-December/147109.html
Oracle Linux
----------------
链接: https://linux.oracle.com/cve/CVE-2013-6435.html
Debian
----------------
DSA-3129: DSA-3129-1 rpm -- security update
链接: https://www.debian.org/security/2015/dsa-3129
RPM远程代码执行漏洞(CVE-2013-6435)
原文:https://www.cnblogs.com/mrhonest/p/10911278.html
