{"id":"CVE-2021-20271","details":"A flaw was found in RPM's signature check functionality when reading a package file. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package, whose signature header was modified, to cause RPM database corruption and execute code. The highest threat from this vulnerability is to data integrity, confidentiality, and system availability.","modified":"2026-04-16T00:08:02.343025702Z","published":"2021-03-26T17:15:13Z","related":["SUSE-SU-2021:2682-1","SUSE-SU-2021:3444-1","SUSE-SU-2022:3939-1","openSUSE-SU-2021:1366-1","openSUSE-SU-2021:2682-1","openSUSE-SU-2021:2685-1"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TMGXO3W6DHPO62GJ4VVF5DEUX5DRUR5K/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VHRPNBCRPDJHHQE3MBPSZK4H7X2IM7AC/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YILPBTPSBRYL4POBI3F4YUSVPSOQNJBY/"},{"type":"ADVISORY","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1934125"},{"type":"ADVISORY","url":"https://github.com/rpm-software-management/rpm/commit/d6a86b5e69e46cc283b1e06c92343319beb42e21"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202107-43"},{"type":"ADVISORY","url":"https://www.starwindsoftware.com/security/sw-20220805-0002/"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1934125"},{"type":"FIX","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1934125"},{"type":"FIX","url":"https://github.com/rpm-software-management/rpm/commit/d6a86b5e69e46cc283b1e06c92343319beb42e21"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/rpm-software-management/rpm","events":[{"introduced":"0"},{"fixed":"d6a86b5e69e46cc283b1e06c92343319beb42e21"},{"introduced":"8c6c17759781da75c6aff861fab721d91269c0f9"},{"fixed":"a8eade3f53f9c64543813eac8cd5dad392eaae3b"},{"introduced":"cd7f9303ef1070f027493cad7d00bc66935af2a0"},{"fixed":"3659b8a04f5b8bacf6535e0124e7fe23f15286bd"}]}],"versions":["rpm-4.16.0-release","rpm-4.16.1-release","rpm-4.16.1.1-release","rpm-4.16.1.2-release"],"database_specific":{"vanir_signatures":[{"signature_version":"v1","target":{"function":"rpmReadPackageFile","file":"lib/package.c"},"digest":{"length":1162,"function_hash":"20048171095207656906286157320215457454"},"source":"https://github.com/rpm-software-management/rpm/commit/d6a86b5e69e46cc283b1e06c92343319beb42e21","signature_type":"Function","deprecated":false,"id":"CVE-2021-20271-a263355a"},{"target":{"function":"headerMergeLegacySigs","file":"lib/package.c"},"signature_version":"v1","digest":{"length":1479,"function_hash":"42007002990315704298120220962834331013"},"signature_type":"Function","deprecated":false,"source":"https://github.com/rpm-software-management/rpm/commit/d6a86b5e69e46cc283b1e06c92343319beb42e21","id":"CVE-2021-20271-bb178e26"},{"target":{"file":"lib/package.c"},"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["24275801739176814445790225036514810367","146449676550170976494015790418581282484","59692120730519522461031139487139021994","237438668882707351528086875273107835415","188253714955682294875770722574693963655","95712636666319716016571947362863082458","92311055355198149853447891803132470773","42131774137503273138337216115590656444","153884652419611992565169832839796207502","74644144116301880418020155257845471982","2104988193872832483380127340680905878","234443884060578478950190847478188321346","167475506737928333071182665248974898425","157394582667230566873922788279107459757","82059186512116620320158458564266100352","233485225200727645330135368487841999587","85657501174146104478799331414154896576","174870900622258089107480236762771057153","34907199479596137037591206953449485309","321147128575744151003330869327601389016","303393578101490065906516034843403880281","318437721489588304315821989682496995184","38006337004050367849014125494971575537","175061254615743437520094884364105697233","77363606146383857009656345556156423230","186480394492936430498021022304037294784","181770857753770097517746901524745191908","30913405040175035534764784102056841699","236889513680266079035851799639803890533","194114407232039335095556079570329067676","249022990065958714816111991339255160395","54960641298191277884886659083762790780","127992657957590043811760327646776932046","304698036602247774143869017978433554732","250744351131081829530625072565675217722","36656784869560343249949288503597589348","170547716959680533076677559189261145640","121713541064240962798640750646580808579","186762389796691736500395706047092641008","23200626527644494473308427936974857811","154918870431555591112890759389551536328","291858413894433898125463120663368392364","225718472791953043972022796009114754190","108801656677693814302435191275033585710","193447927343475926499602080310565766494","113550618227067861099788710945551064385","274435711931836628681103840266923684609","108891629451031021363620012033597097014","157902946756436242482462236470357416589","304063467140049501021933125641651087250","102707166771665844076021244975419672366","294336125026284019428175307101295050889","116851542740175563369683430539555981016","216200495206398465997049687262527180217","79191873615801662582418252464382605832","164978430970920805091239061673019719106","282921449663537929048759682202928539995","90973143989974989522332153355976316126","287245724537977820385873217815643351515","44802529730012567971170220922554565749","268690657842368192836387303599115813050","144010947238307124958539323349633054015","14672178449306596253776894693424682853","254948836728881060187961985032227148746","224914003870438559021890205490402143160","96805489812739485968183963160616398206","236564457060156221558607823212047790920","48978219028165198047704726192602746515","297977904474851821660162425641097275999","8984916548224638021709965003739438299","255246192547716801015089390704859725892","33918144162416462101818060040215351961","170964427126840192885688019616971642955","105311074047723310597162550352577188475","67340489106477276261440066076091306008","61220301857844028518512203141058005866","25397590813383690955468288709214786215","68862407019424048919648730631461319197"]},"source":"https://github.com/rpm-software-management/rpm/commit/d6a86b5e69e46cc283b1e06c92343319beb42e21","signature_type":"Line","deprecated":false,"id":"CVE-2021-20271-c02cf37b"}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-20271.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}