{"id":"CVE-2017-7501","details":"It was found that versions of rpm before 4.13.0.2 use temporary files with predictable names when installing an RPM. An attacker with ability to write in a directory where files will be installed could create symbolic links to an arbitrary location and modify content, and possibly permissions to arbitrary files, which could be used for denial of service or possibly privilege escalation.","modified":"2026-03-20T03:19:07.221317Z","published":"2017-11-22T22:29:00.270Z","related":["MGASA-2017-0394","SUSE-SU-2018:3286-1","SUSE-SU-2018:3884-1","SUSE-SU-2018:3884-2"],"references":[{"type":"WEB","url":"https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/201811-22"},{"type":"FIX","url":"https://github.com/rpm-software-management/rpm/commit/404ef011c300207cdb1e531670384564aae04bdc"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/rpm-software-management/rpm","events":[{"introduced":"0"},{"fixed":"c14fa5e05801481d9b4bbc8bedc6a02527713f12"},{"fixed":"404ef011c300207cdb1e531670384564aae04bdc"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"4.13.0.2"}]}}],"versions":["rpm-4.11.0-alpha","rpm-4.12.0-alpha","rpm-4.13.0-alpha","rpm-4.13.0-rc1","rpm-4.13.0-rc2","rpm-4.13.0-release","rpm-4.13.0.1-release","rpm-4.4-release","rpm-4.4.1-release","rpm-4.4.2-release","rpm-4.4.2.1-rc1","rpm-4.4.2.1-rc2","rpm-4.8.0-beta1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-7501.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"fixed":"4.13.0.3"}]}],"vanir_signatures":[{"id":"CVE-2017-7501-877c3c7d","signature_type":"Function","deprecated":false,"target":{"function":"fsmMkfile","file":"lib/fsm.c"},"digest":{"length":709,"function_hash":"219412099653592758534984861251244086760"},"source":"https://github.com/rpm-software-management/rpm/commit/404ef011c300207cdb1e531670384564aae04bdc","signature_version":"v1"},{"id":"CVE-2017-7501-8ba28e5e","signature_type":"Function","deprecated":false,"target":{"function":"expandRegular","file":"lib/fsm.c"},"digest":{"length":453,"function_hash":"235890607565210547971153495450584611139"},"source":"https://github.com/rpm-software-management/rpm/commit/404ef011c300207cdb1e531670384564aae04bdc","signature_version":"v1"},{"id":"CVE-2017-7501-d085377d","signature_type":"Function","deprecated":false,"target":{"function":"rpmPackageFilesInstall","file":"lib/fsm.c"},"digest":{"length":3231,"function_hash":"251019406392800688581139521858527161792"},"source":"https://github.com/rpm-software-management/rpm/commit/404ef011c300207cdb1e531670384564aae04bdc","signature_version":"v1"},{"id":"CVE-2017-7501-e0955c97","signature_type":"Line","deprecated":false,"target":{"file":"lib/fsm.c"},"digest":{"threshold":0.9,"line_hashes":["144376135701053748812605237488036081449","25428771601547806734303775674084354233","271352173659907402745120384815022514709","104794687092458268605734081123103534822","307450884884098676009586619517698205102","63897467800881485416784004900383864668","297234319454878491192390807548114109359","220510232581077913716693910525538938251","317158261814924714448336374437296090185","234525942236946796290087818026749963995","3478167517348178953598863853572660803","265952864534696095245447318455621002924","228759896895832869303370999116506398117","319202708398058262984572471973108275738","206534958941755285883795960989672813241","132265430915805725789224965145563545929","334006586746271393922305274983548605274","330468114636358543994562472419442221872","323606649131829387621601194132249202428","243456054255639250598532073180348662532","178298518237348035648923208230063467617","339520469317884756584824955627241296269","274900824700914748171417536367975980823","213161985280052891919047307010044412497"]},"source":"https://github.com/rpm-software-management/rpm/commit/404ef011c300207cdb1e531670384564aae04bdc","signature_version":"v1"}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}