CVE-2018-7685

The decoupled download and installation steps in libzypp before 17.5.0 could lead to a corrupted RPM being left in the cache, where a later call would not display the corrupted RPM warning and allow installation, a problem caused by malicious warnings only displayed during download.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.8 HIGH
LOCAL
LOW
NONE
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 22%
Affected Products (NVD)
VendorProductVersion
opensuselibzypp
𝑥
< 17.5.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
libzypp
bookworm
17.25.7-2.4
fixed
bullseye
17.25.7-1
fixed
jessie
ignored
sid
17.35.12-1
fixed
trixie
17.35.12-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
libzypp
bionic
dne
cosmic
not-affected
disco
not-affected
eoan
not-affected
focal
not-affected
groovy
dne
hirsute
not-affected
impish
not-affected
jammy
not-affected
kinetic
not-affected
lunar
not-affected
mantic
not-affected
noble
not-affected
trusty
dne
xenial
needed
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
libsolv-devel
suse enterprise desktop 15
0.6.35-3.5.2
fixed
suse enterprise sap 15
0.6.35-3.5.2
fixed
suse enterprise server 15
0.6.35-3.5.2
fixed
libsolv-tools
suse enterprise desktop 15
0.6.35-3.5.2
fixed
suse enterprise sap 15
0.6.35-3.5.2
fixed
suse enterprise server 15
0.6.35-3.5.2
fixed
libzypp
suse enterprise desktop 15
17.6.4-3.10.1
fixed
suse enterprise desktop 15 SP1
17.11.4-1.8
fixed
suse enterprise desktop 15 SP2
17.23.6-1.2
fixed
suse enterprise desktop 15 SP3
17.25.8-3.33.1
fixed
suse enterprise desktop 15 SP4
17.30.0-150400.1.6
fixed
suse enterprise desktop 15 SP5
17.31.8-150400.3.14.1
fixed
suse enterprise desktop 15 SP6
17.32.4-150600.1.2
fixed
suse enterprise desktop 15 SP7
17.36.3-150600.3.50.1
fixed
suse enterprise sap 12 SP3
16.17.20-2.33.2
fixed
suse enterprise sap 15
17.6.4-3.10.1
fixed
suse enterprise sap 15 SP1
17.11.4-1.8
fixed
suse enterprise sap 15 SP2
17.23.6-1.2
fixed
suse enterprise sap 15 SP3
17.25.8-3.33.1
fixed
suse enterprise sap 15 SP4
17.30.0-150400.1.6
fixed
suse enterprise sap 15 SP5
17.31.8-150400.3.14.1
fixed
suse enterprise sap 15 SP6
17.32.4-150600.1.2
fixed
suse enterprise sap 15 SP7
17.36.3-150600.3.50.1
fixed
suse enterprise server 12
14.45.17-2.82.1
fixed
suse enterprise server 12 SP1
15.25.17-46.22.1
fixed
suse enterprise server 12 SP2
16.17.20-27.52.1
fixed
suse enterprise server 12 SP3
16.17.20-2.33.2
fixed
suse enterprise server 15
17.6.4-3.10.1
fixed
suse enterprise server 15 SP1
17.11.4-1.8
fixed
suse enterprise server 15 SP2
17.23.6-1.2
fixed
suse enterprise server 15 SP3
17.25.8-3.33.1
fixed
suse enterprise server 15 SP4
17.30.0-150400.1.6
fixed
suse enterprise server 15 SP5
17.31.8-150400.3.14.1
fixed
suse enterprise server 15 SP6
17.32.4-150600.1.2
fixed
suse enterprise server 15 SP7
17.36.3-150600.3.50.1
fixed
libzypp-devel
suse enterprise desktop 15
17.6.4-3.10.1
fixed
suse enterprise desktop 15 SP1
17.11.4-1.8
fixed
suse enterprise desktop 15 SP2
17.23.6-1.2
fixed
suse enterprise desktop 15 SP3
17.25.8-3.33.1
fixed
suse enterprise desktop 15 SP4
17.30.0-150400.1.6
fixed
suse enterprise desktop 15 SP5
17.31.8-150400.3.14.1
fixed
suse enterprise desktop 15 SP6
17.32.4-150600.1.2
fixed
suse enterprise desktop 15 SP7
17.36.3-150600.3.50.1
fixed
suse enterprise sap 15
17.6.4-3.10.1
fixed
suse enterprise sap 15 SP1
17.11.4-1.8
fixed
suse enterprise sap 15 SP2
17.23.6-1.2
fixed
suse enterprise sap 15 SP3
17.25.8-3.33.1
fixed
suse enterprise sap 15 SP4
17.30.0-150400.1.6
fixed
suse enterprise sap 15 SP5
17.31.8-150400.3.14.1
fixed
suse enterprise sap 15 SP6
17.32.4-150600.1.2
fixed
suse enterprise sap 15 SP7
17.36.3-150600.3.50.1
fixed
suse enterprise server 15
17.6.4-3.10.1
fixed
suse enterprise server 15 SP1
17.11.4-1.8
fixed
suse enterprise server 15 SP2
17.23.6-1.2
fixed
suse enterprise server 15 SP3
17.25.8-3.33.1
fixed
suse enterprise server 15 SP4
17.30.0-150400.1.6
fixed
suse enterprise server 15 SP5
17.31.8-150400.3.14.1
fixed
suse enterprise server 15 SP6
17.32.4-150600.1.2
fixed
suse enterprise server 15 SP7
17.36.3-150600.3.50.1
fixed
perl-solv
suse enterprise desktop 15
0.6.35-3.5.2
fixed
suse enterprise sap 15
0.6.35-3.5.2
fixed
suse enterprise server 15
0.6.35-3.5.2
fixed
python-solv
suse enterprise desktop 15
0.6.35-3.5.2
fixed
suse enterprise sap 15
0.6.35-3.5.2
fixed
suse enterprise server 15
0.6.35-3.5.2
fixed
python3-solv
suse enterprise desktop 15
0.6.35-3.5.2
fixed
suse enterprise sap 15
0.6.35-3.5.2
fixed
suse enterprise server 15
0.6.35-3.5.2
fixed
ruby-solv
suse enterprise desktop 15
0.6.35-3.5.2
fixed
suse enterprise sap 15
0.6.35-3.5.2
fixed
suse enterprise server 15
0.6.35-3.5.2
fixed
zypper
suse enterprise desktop 15
1.14.10-3.7.1
fixed
suse enterprise sap 12 SP3
1.13.45-21.21.2
fixed
suse enterprise sap 15
1.14.10-3.7.1
fixed
suse enterprise server 12
1.11.70-2.69.2
fixed
suse enterprise server 12 SP1
1.12.59-46.10.1
fixed
suse enterprise server 12 SP2
1.13.45-18.33.1
fixed
suse enterprise server 12 SP3
1.13.45-21.21.2
fixed
suse enterprise server 15
1.14.10-3.7.1
fixed
zypper-log
suse enterprise desktop 15
1.14.10-3.7.1
fixed
suse enterprise sap 12 SP3
1.13.45-21.21.2
fixed
suse enterprise sap 15
1.14.10-3.7.1
fixed
suse enterprise server 12
1.11.70-2.69.2
fixed
suse enterprise server 12 SP1
1.12.59-46.10.1
fixed
suse enterprise server 12 SP2
1.13.45-18.33.1
fixed
suse enterprise server 12 SP3
1.13.45-21.21.2
fixed
suse enterprise server 15
1.14.10-3.7.1
fixed
Common Weakness Enumeration
References
http://lists.suse.com/pipermail/sle-security-updates/2018-August/004510.html
https://bugzilla.suse.com/show_bug.cgi?id=1091624
https://www.suse.com/de-de/security/cve/CVE-2018-7685/
http://lists.suse.com/pipermail/sle-security-updates/2018-August/004510.html
https://bugzilla.suse.com/show_bug.cgi?id=1091624
https://www.suse.com/de-de/security/cve/CVE-2018-7685/