CVE-2021-3445

Name: CVE-2021-3445
Description: A flaw was found in libdnf's signature verification functionality in versions before 0.60.1. This flaw allows an attacker to achieve code execution if they can alter the header information of an RPM package and then trick a user or system into installing it. The highest risk of this vulnerability is to confidentiality, integrity, as well as system availability.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 986802

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release  | Version    | Status
libdnf (PTS)   | bullseye | 0.55.2-6   | fixed
libdnf (PTS)   | bookworm | 0.69.0-2   | fixed
libdnf (PTS)   | trixie   | 0.69.0-2.2 | fixed
libdnf (PTS)   | sid      | 0.69.0-2.3 | fixed

The information below is based on the following data on fixed versions.

Package | Type   | Release    | Fixed Version | Urgency | Origin | Debian Bugs
libdnf  | source | (unstable) | 0.55.2-6      |         |        | 986802

Notes

https://bugzilla.redhat.com/show_bug.cgi?id=1932079
https://github.com/rpm-software-management/libdnf/commit/930f2582f91077b3f338b84cf9567559d52713de
