Vulnerability Details : CVE-2010-2059
lib/fsm.c in RPM 4.8.0 and unspecified 4.7.x and 4.6.x versions, and RPM before 4.4.3, does not properly reset the metadata of an executable file during replacement of the file in an RPM package upgrade, which might allow local users to gain privileges by creating a hard link to a vulnerable (1) setuid or (2) setgid file.
Exploit prediction scoring system (EPSS) score for CVE-2010-2059
Probability of exploitation activity in the next 30 days: 0.04%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 8 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2010-2059
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
7.2
|
HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
3.9
|
10.0
|
NIST |
CWE ids for CVE-2010-2059
-
Assigned by: nvd@nist.gov (Primary)
References for CVE-2010-2059
-
http://www.openwall.com/lists/oss-security/2010/06/02/2
oss-security - CVE Request -- rpm -- Fails to remove the SUID/SGID bits on package upgrade (RH BZ#598775)
-
http://lists.vmware.com/pipermail/security-announce/2011/000126.html
[Security-announce] VMSA-2011-0004 VMware ESX/ESXi SLPD denial of service vulnerability and ESX third party updates for Service Console packages bind, pam, and rpm
-
http://www.openwall.com/lists/oss-security/2010/06/04/1
oss-security - Re: CVE Request -- rpm -- Fails to remove the SUID/SGID bits on package upgrade (RH BZ#598775)
-
https://bugzilla.redhat.com/show_bug.cgi?id=598775
598775 – (CVE-2010-2059) CVE-2010-2059 rpm: fails to drop SUID/SGID bits on package upgrade
-
https://bugzilla.redhat.com/show_bug.cgi?id=125517
125517 – CVE-2005-4889 rpm: Updates leave hardlinked copies untouched.
-
http://distrib-coffee.ipsl.jussieu.fr/pub/mirrors/rpm/files/rpm/rpm-4.4/rpm-4.4.3.tar.gz
403 ForbiddenPatch
-
http://rpm.org/gitweb?p=rpm.git%3Ba=commit%3Bh=ca2d6b2b484f1501eafdde02e1688409340d2383
Page not found · GitHub Pages
-
http://www.securityfocus.com/archive/1/516909/100/0/threaded
SecurityFocus
-
http://www.openwall.com/lists/oss-security/2010/06/02/3
oss-security - Re: CVE Request -- rpm -- Fails to remove the SUID/SGID bits on package upgrade (RH BZ#598775)
-
http://marc.info/?l=oss-security&m=127559059928131&w=2
'Re: [oss-security] CVE Request -- rpm -- Fails to remove the' - MARC
-
http://lists.opensuse.org/opensuse-security-announce/2010-09/msg00006.html
[security-announce] SUSE Security Summary Report: SUSE-SR:2010:017
-
http://www.vupen.com/english/advisories/2011/0606
Webmail | OVH- OVH
-
http://lists.opensuse.org/opensuse-security-announce/2010-08/msg00001.html
[security-announce] SUSE Security Summary Report: SUSE-SR:2010:014
-
http://www.redhat.com/support/errata/RHSA-2010-0679.html
Support
-
http://www.mandriva.com/security/advisories?name=MDVSA-2010:180
mandriva.com
-
http://www.openwall.com/lists/oss-security/2010/06/03/5
oss-security - Re: CVE Request -- rpm -- Fails to remove the SUID/SGID bits on package upgrade (RH BZ#598775)
-
http://www.vmware.com/security/advisories/VMSA-2011-0004.html
VMSA-2011-0004.3
Products affected by CVE-2010-2059
- cpe:2.3:a:rpm:rpm:*:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:1.4.5:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:1.4.6:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:2.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:2.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:2.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:2.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:2.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:2.2.9:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:2.2.11:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:2.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:2.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:2.3.9:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:2.2.3.10:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:2.4.6:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:1.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:1.4.2\/a:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:1.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:1.2:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:2.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:2.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:2.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:2.2.6:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:2.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:2.0.11:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:2.3.5:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:2.3.6:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:2.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:2.4.3:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:2..4.10:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:2.4.11:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:2.4.12:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:2.5:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:3.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:1.4:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:4.0.:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:4.4.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:4.4.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:1.4.7:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:1.3:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:2.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:2.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:2.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:2.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:2.1:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:2.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:2.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:2.3.4:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:2.2.3.11:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:2.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:2.4.8:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:2.4.9:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:2.5.5:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:2.5.6:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:3.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:3.0:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:4.1:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:4.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:1.4.3:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:1.4.4:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:2.0.9:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:2.0.10:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:2.2.7:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:2.2.8:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:2.2.10:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:2.2:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:2.3:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:2.3.7:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:2.3.8:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:2.4.4:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:2.4.5:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:2.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:2.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:3.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:3.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:4.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:4.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:2.6.7:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:2.5.3:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:2.5.4:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:3.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:3.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:4.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:4.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:4.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:4.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:4.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:4.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:4.7.2:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:4.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:rpm:rpm:4.7.0:*:*:*:*:*:*:*