RPM Release Notes

Download information

  • Source: rpm-
  • SHA256SUM: 346a2c33a1261918bee84dccc262d3a84a378da8400ff97c118a4a2861fc3b2b

Summary of changes from RPM 4.15.1


  • Fix arbitrary data copied from signature header past signature checking (CVE-2021-3421)
  • Fix signature check bypass with corrupted package (CVE-2021-20271)
  • Fix missing bounds checks in headerImport() and headerCheck() (CVE-2021-20266)
  • Fix missing sanity checks on header entry count and region data overlap
  • Fix access past end of header if the last entry is string type
  • Fix unsafe headerCopyLoad() still used in codebase

General bugfixes and enhancements

  • Fix intermittent compression failures in threaded XZ operation
  • Fix a tiny memory leak on malformed package NVR retrofit
  • Fix file descriptor leak on package build (#1313, RhBug:1840728)
  • Fix signature header size limit low by factor of 1024

Internal improvements

  • Optimize signature header merge operation

Build process

  • Try to ensure defined wraparound for signed integers and pointer arithmetic
  • Test for libtool versioning sanity
  • Backport some CI changes to fix build