RPM 4.16.1.3 Release Notes

Download information

• Source: rpm-4.16.1.3.tar.bz2
• SHA256SUM: 513dc7f972b6e7ccfc9fc7f9c01d5310cc56ee853892e4314fa2cad71478e21d

Summary of changes from RPM 4.16.1.2

Security

• Fix arbitrary data copied from signature header past signature checking (CVE-2021-3421)
• Fix signature check bypass with corrupted package (CVE-2021-20271)
• Fix missing bounds checks in headerImport() and headerCheck() (CVE-2021-20266)
• Fix missing sanity checks on header entry count and region data overlap
• Fix access past end of header if the last entry is string type
• Fix unsafe headerCopyLoad() still used in codebase

General bugfixes and enhancements

• Fix regression causing access to already open sqlite database handle
• Fix bdb_ro failing to open database with missing secondary indexes (#1576)
• Fix intermittent compression failures in threaded XZ operation
• Fix a tiny memory leak on malformed package NVR retrofit

Internal improvements

• Optimize signature header merge operation

Build process

• Try to ensure defined wraparound for signed integers and pointer arithmetic
• Test for libtool versioning sanity