RPM 4.15.1.1 Release Notes

Download information

• Source: rpm-4.15.1.1.tar.bz2
• SHA256SUM: 346a2c33a1261918bee84dccc262d3a84a378da8400ff97c118a4a2861fc3b2b

Summary of changes from RPM 4.15.1

Security

• Fix arbitrary data copied from signature header past signature checking (CVE-2021-3421)
• Fix signature check bypass with corrupted package (CVE-2021-20271)
• Fix missing bounds checks in headerImport() and headerCheck() (CVE-2021-20266)
• Fix missing sanity checks on header entry count and region data overlap
• Fix access past end of header if the last entry is string type
• Fix unsafe headerCopyLoad() still used in codebase

General bugfixes and enhancements

• Fix intermittent compression failures in threaded XZ operation
• Fix a tiny memory leak on malformed package NVR retrofit
• Fix file descriptor leak on package build (#1313, RhBug:1840728)
• Fix signature header size limit low by factor of 1024

Internal improvements

• Optimize signature header merge operation

Build process

• Try to ensure defined wraparound for signed integers and pointer arithmetic
• Test for libtool versioning sanity
• Backport some CI changes to fix build