List: oss-security
Subject: [oss-security] CVE-2014-0022 insecure install of rpm packages via yum cron
From: "Vincent Danen" <vdanen () redhat ! com>
Date: 2014-01-23 23:46:54
Message-ID: 966D5BC4-E4E8-45FE-89B9-C4A92B11A648 () redhat ! com
Just wanted to give a heads-up of a flaw that was reported to our bugzilla. Our primary bug on this is here:
https://bugzilla.redhat.com/show_bug.cgi?id=1057377
I'm just going to cut-n-paste what I wrote in the bug. Obviously no CVE needs to be assigned; this is for others who may be shipping yum.
Gabriel VLASIU reported [1] that yum-cron would install unsigned RPM packages that yum itself would refuse to install. The yum-cron code is based on that in yum-updatesd.py. This is due to the installUpdates() function (processPkgs() in yum-updatesd.py) failing to fully check the return code of the called sigCheckPkg() function. sigCheckPkg() is described thus:
    def sigCheckPkg(self, po):
        """Verify the GPG signature of the given package object.

        :param po: the package object to verify the signature of
        :return: (result, error_string)
           where result is::

              0 = GPG signature verifies ok or verification is not required.
              1 = GPG verification failed but installation of the right GPG key
                    might help.
              2 = Fatal GPG verification error, give up.
        """
However, the calling functions processPkgs() and installUpdates() do not account for return code 2:
    def processPkgs(self, dlpkgs):
        ...
        for po in dlpkgs:
            result, err = self.updd.sigCheckPkg(po)
            if result == 0:
                continue
            elif result == 1:
                try:
                    self.updd.getKeyForPackage(po)
                except yum.Errors.YumBaseError, errmsg:
                    self.failed([str(errmsg)])
and:
    def installUpdates(self, emit):
        ...
        for po in dlpkgs:
            result, err = self.sigCheckPkg(po)
            if result == 0:
                continue
            elif result == 1:
                try:
                    self.getKeyForPackage(po)
                except yum.Errors.YumBaseError, errmsg:
                    self.emitUpdateFailed(errmsg)
                    return False
yum-cron.py replaced yum-cron.sh in Fedora 19 (3.4.3-47); earlier versions of Fedora use yum-updatesd.
This has been corrected upstream [2] and in Fedora via yum-3.4.3-132.fc19 and yum-3.4.3-130.fc20.
This does not affect Red Hat Enterprise Linux 6 as it used neither yum-updatesd nor yum-cron; it used a shell script that called yum itself to do updates.
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1052440
[2] http://yum.baseurl.org/gitweb?p=yum.git;a=commitdiff;h=9df69e579496ccb6df5c3f5b5b7bab8d648b06b4
--
Vincent Danen / Red Hat Security Response Team
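The fall-through described in the message above, as an added example that is not yum's code and not part of the original post: a minimal model of the yum-cron dispatch over sigCheckPkg() results, with the pre-fix loop (results 0 and 1 handled, 2 ignored) next to a loop that refuses on 2 and on any unexpected value. The Package class, the sig_check_pkg()/get_key_for_package() stand-ins, the KeyImportError class and the sample transaction are all constructed for the example; only the three result codes come from the sigCheckPkg() docstring.

```python
# Added example (not yum's code): model of the yum-cron signature-check
# dispatch. Package, sig_check_pkg(), get_key_for_package(), KeyImportError
# and SAMPLE_TRANSACTION are constructed for the example; the three result
# codes are the ones documented in sigCheckPkg().

# Result codes as documented in sigCheckPkg()
SIG_OK = 0        # signature verifies, or verification is not required
SIG_NEED_KEY = 1  # verification failed, installing the right GPG key might help
SIG_FATAL = 2     # fatal verification error, give up


class KeyImportError(Exception):
    """Stand-in for yum.Errors.YumBaseError raised by getKeyForPackage()."""


class Package(object):
    """Hypothetical stand-in for a yum package object."""

    def __init__(self, name, sig_result, key_available=True):
        self.name = name
        self.sig_result = sig_result        # what sigCheckPkg() will report
        self.key_available = key_available  # whether getKeyForPackage() succeeds


def sig_check_pkg(po):
    """Mimics sigCheckPkg(): returns (result, error_string)."""
    if po.sig_result == SIG_OK:
        return SIG_OK, ""
    if po.sig_result == SIG_NEED_KEY:
        return SIG_NEED_KEY, "public key for %s is not installed" % po.name
    return SIG_FATAL, "package %s is not signed" % po.name


def get_key_for_package(po):
    """Mimics getKeyForPackage(): raises when no usable key can be imported."""
    if not po.key_available:
        raise KeyImportError("no GPG key available for %s" % po.name)


def install_updates_vulnerable(dlpkgs):
    """Dispatch shaped like the pre-fix loop: only results 0 and 1 are handled.

    Returns (transaction_ran, installed_names, errors).
    """
    errors = []
    for po in dlpkgs:
        result, err = sig_check_pkg(po)
        if result == SIG_OK:
            continue
        elif result == SIG_NEED_KEY:
            try:
                get_key_for_package(po)
            except KeyImportError as errmsg:
                errors.append(str(errmsg))
                return False, [], errors
        # result == SIG_FATAL reaches this point unhandled: err is dropped and
        # the loop moves on, so the package is installed with the rest.
    return True, [po.name for po in dlpkgs], errors


def install_updates_fixed(dlpkgs):
    """Same loop with an explicit refusal for result 2 and any other value."""
    errors = []
    for po in dlpkgs:
        result, err = sig_check_pkg(po)
        if result == SIG_OK:
            continue
        elif result == SIG_NEED_KEY:
            try:
                get_key_for_package(po)
            except KeyImportError as errmsg:
                errors.append(str(errmsg))
                return False, [], errors
        else:
            # fatal (or unknown) verification result: abort the whole run
            errors.append(err)
            return False, [], errors
    return True, [po.name for po in dlpkgs], errors


# Constructed sample transaction: one properly signed package, one unsigned.
SAMPLE_TRANSACTION = [
    Package("signed-pkg-1.0-1", SIG_OK),
    Package("unsigned-pkg-2.3-4", SIG_FATAL),
]


if __name__ == "__main__":
    for fn in (install_updates_vulnerable, install_updates_fixed):
        ran, installed, errors = fn(SAMPLE_TRANSACTION)
        print("%s: ran=%s installed=%s errors=%s"
              % (fn.__name__, ran, installed, errors))
```

Run stand-alone, the vulnerable loop reports the transaction as run with both packages installed, while the fixed loop aborts with the fatal error string. The point of the else branch is that the default is refusal: any result other than the two the code explicitly expects stops the run, so a new result code added to sigCheckPkg() later cannot reopen the same hole.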