RPM 4.16.1.3 Release Notes

Download information

  • Source: rpm-4.16.1.3.tar.bz2
  • SHA256SUM: 513dc7f972b6e7ccfc9fc7f9c01d5310cc56ee853892e4314fa2cad71478e21d

Summary of changes from RPM 4.16.1.2

Security

  • Fix arbitrary data copied from signature header past signature checking (CVE-2021-3421)
  • Fix signature check bypass with corrupted package (CVE-2021-20271)
  • Fix missing bounds checks in headerImport() and headerCheck() (CVE-2021-20266)
  • Fix missing sanity checks on header entry count and region data overlap
  • Fix access past end of header if the last entry is string type
  • Fix unsafe headerCopyLoad() still used in codebase

General bugfixes and enhancements

  • Fix regression causing access to already open sqlite database handle
  • Fix bdb_ro failing to open database with missing secondary indexes (#1576)
  • Fix intermittent compression failures in threaded XZ operation
  • Fix a tiny memory leak on malformed package NVR retrofit

Internal improvements

  • Optimize signature header merge operation

Build process

  • Try to ensure defined wraparound for signed integers and pointer arithmetic
  • Test for libtool versioning sanity