CVE-2010-2197

Public Date:
2010-06-08
Bugzilla:
603244: CVE-2010-2197 rpm: rpmbuild does not properly parse syntax of spec files

The MITRE CVE dictionary describes this issue as:

rpmbuild in RPM 4.8.0 and earlier does not properly parse the syntax of spec files, which allows user-assisted remote attackers to remove home directories via vectors involving a ;~ (semicolon tilde) sequence in a Name tag.

Find out more about CVE-2010-2197 from the MITRE CVE dictionary dictionary and NIST NVD.

Statement

We do not consider this to be a security issue as it does not introduce any additional risk in using untrusted RPM .spec files. RPM .spec files can do a lot of things, regardless of how rpmbuild parses the syntax, because certain sections of the .spec file (%prep, %build, etc.) are treated as shell scripts. Because of the ability to easily include malicious commands anywhere, an untrusted .spec file should be carefully examined prior to building, the same as if you were to download and execute an untrusted shell script.

This page is generated automatically and has not been checked for errors or omissions.

For clarification or corrections please contact Red Hat Product Security.

Last Modified

CVE description copyright © 2017, The MITRE Corporation

Close

Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.