VulnerableCode Package Details - pkg:deb/debian/rpm@4.18.0%2Bdfsg-1%2Bdeb12u1

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-1u15-f8nm-7fch	It was found that the fix for CVE-2017-7500 and CVE-2017-7501 was incomplete: the check was only implemented for the parent directory of the file to be created. A local unprivileged user who owns another ancestor directory could potentially use this flaw to gain root privileges. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.	CVE-2021-35939
VCID-4kmk-bhgz-53hp	There is a flaw in RPM's signature functionality. OpenPGP subkeys are associated with a primary key via a "binding signature." RPM does not check the binding signature of subkeys prior to importing them. If an attacker is able to add or socially engineer another party to add a malicious subkey to a legitimate public key, RPM could wrongly trust a malicious signature. The greatest impact of this flaw is to data integrity. To exploit this flaw, an attacker must either compromise an RPM repository or convince an administrator to install an untrusted RPM or public key. It is strongly recommended to only use RPMs and public keys from trusted sources.	CVE-2021-3521
VCID-srvp-hxzh-1kd9	A race condition vulnerability was found in rpm. A local unprivileged user could use this flaw to bypass the checks that were introduced in response to CVE-2017-7500 and CVE-2017-7501, potentially gaining root privileges. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.	CVE-2021-35937
VCID-vp2c-gc67-zfah	A symbolic link issue was found in rpm. It occurs when rpm sets the desired permissions and credentials after installing a file. A local unprivileged user could use this flaw to exchange the original file with a symbolic link to a security-critical file and escalate their privileges on the system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.	CVE-2021-35938

Vulnerability

Summary

Aliases

VCID-1u15-f8nm-7fch

It was found that the fix for CVE-2017-7500 and CVE-2017-7501 was incomplete: the check was only implemented for the parent directory of the file to be created. A local unprivileged user who owns another ancestor directory could potentially use this flaw to gain root privileges. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

CVE-2021-35939

VCID-4kmk-bhgz-53hp

There is a flaw in RPM's signature functionality. OpenPGP subkeys are associated with a primary key via a "binding signature." RPM does not check the binding signature of subkeys prior to importing them. If an attacker is able to add or socially engineer another party to add a malicious subkey to a legitimate public key, RPM could wrongly trust a malicious signature. The greatest impact of this flaw is to data integrity. To exploit this flaw, an attacker must either compromise an RPM repository or convince an administrator to install an untrusted RPM or public key. It is strongly recommended to only use RPMs and public keys from trusted sources.

CVE-2021-3521

VCID-srvp-hxzh-1kd9

A race condition vulnerability was found in rpm. A local unprivileged user could use this flaw to bypass the checks that were introduced in response to CVE-2017-7500 and CVE-2017-7501, potentially gaining root privileges. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

CVE-2021-35937

VCID-vp2c-gc67-zfah

A symbolic link issue was found in rpm. It occurs when rpm sets the desired permissions and credentials after installing a file. A local unprivileged user could use this flaw to exchange the original file with a symbolic link to a security-critical file and escalate their privileges on the system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

CVE-2021-35938

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-08-01T12:59:53.668417+00:00	Debian Importer	Fixing	VCID-4kmk-bhgz-53hp	https://security-tracker.debian.org/tracker/data/json	37.0.0
2025-08-01T12:45:42.306890+00:00	Debian Importer	Fixing	VCID-vp2c-gc67-zfah	https://security-tracker.debian.org/tracker/data/json	37.0.0
2025-08-01T12:45:40.816573+00:00	Debian Importer	Fixing	VCID-1u15-f8nm-7fch	https://security-tracker.debian.org/tracker/data/json	37.0.0
2025-08-01T12:33:37.883144+00:00	Debian Importer	Fixing	VCID-srvp-hxzh-1kd9	https://security-tracker.debian.org/tracker/data/json	37.0.0