oss-sec mailing list archives
CVE Request -- yum: Not removing bad metadata and using it in next run
From: Jan Lieskovsky <jlieskov () redhat com>
Date: Wed, 27 Mar 2013 12:25:13 -0400 (EDT)
Hello Kurt, Steve, vendors,

A security flaw was found in the way the Yum package manager performed management of repository metadata in certain circumstances (bad metadata were not removed properly and were re-used in a subsequent run). An attacker could inject a specially-crafted Trojan horse file into the metadata of a remote repository, possibly leading to their ability to confuse the Yum package manager into accepting invalid, untrusted metadata as valid by mistake.

References:
[1] https://bugzilla.redhat.com/show_bug.cgi?id=910446
[2] http://lists.fedoraproject.org/pipermail/package-announce/2013-March/099496.html
[3] http://lists.fedoraproject.org/pipermail/package-announce/2013-March/100299.html
[4] https://lwn.net/Articles/540426/ (and search for 'yum: denial of service' here)

Relevant upstream patch:
[5] http://yum.baseurl.org/gitweb?p=yum.git;a=commitdiff;h=c148eb10b798270b3d15087433c8efb2a79a69d0

This issue was found by James Antill of Red Hat.

Could you allocate a CVE id for this?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

P.S.: For those possibly wondering why [2] and [3] are public already - it's true this has been fixed some time ago already (but I wasn't around at that time) and it is better to request later than never. Thank you for your understanding, Jan.
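The failure mode described in the request above, as an added illustration that is not part of the original message, of yum's code, or of the upstream patch at [5]: a metadata cache that leaves a file behind after its checksum fails, and then trusts "already cached" on the next run, beside a cache that re-verifies on every load and unlinks anything that fails. The sample metadata bytes, the expected SHA-256, the class and function names, and the two-run scenario are all constructed here for the example.

```python
import hashlib
import os
import tempfile

# Constructed sample data (not from the advisory): the metadata the repository's
# signed index vouches for, and a tampered copy served by a bad mirror.
GOOD_METADATA = b"<metadata><package name='bash' version='4.2'/></metadata>"
BAD_METADATA = b"<metadata><package name='bash' version='4.2-trojan'/></metadata>"
EXPECTED_SHA256 = hashlib.sha256(GOOD_METADATA).hexdigest()


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class VulnerableCache:
    """The pattern the report describes: a checksum failure leaves the bad file
    on disk, and the next run trusts anything already present in the cache."""

    def __init__(self, cachedir):
        self.path = os.path.join(cachedir, "primary.xml")

    def load(self, download):
        if os.path.exists(self.path):            # cached => assumed valid
            with open(self.path, "rb") as f:
                return f.read()
        with open(self.path, "wb") as f:
            f.write(download())
        if sha256_of(self.path) != EXPECTED_SHA256:
            raise ValueError("checksum mismatch")   # bad file is NOT removed
        with open(self.path, "rb") as f:
            return f.read()


class HardenedCache:
    """Re-verify cached metadata on every load, unlink anything that fails, and
    only promote a download into the cache after it has verified."""

    def __init__(self, cachedir):
        self.path = os.path.join(cachedir, "primary.xml")

    def load(self, download):
        if os.path.exists(self.path) and sha256_of(self.path) == EXPECTED_SHA256:
            with open(self.path, "rb") as f:
                return f.read()
        if os.path.exists(self.path):
            os.unlink(self.path)                 # never leave bad metadata behind
        part = self.path + ".part"
        with open(part, "wb") as f:
            f.write(download())
        if sha256_of(part) != EXPECTED_SHA256:
            os.unlink(part)                      # reject and discard in one step
            raise ValueError("checksum mismatch")
        os.replace(part, self.path)              # atomic promotion into the cache
        with open(self.path, "rb") as f:
            return f.read()


def run_scenario(cache_cls):
    """Run 1 hits a mirror serving tampered metadata; run 2 hits a good mirror.
    Returns the metadata a package manager would act on in run 2."""
    with tempfile.TemporaryDirectory() as cachedir:
        cache = cache_cls(cachedir)
        try:
            cache.load(lambda: BAD_METADATA)
        except ValueError:
            pass                                 # run 1 correctly rejects the download
        return cache.load(lambda: GOOD_METADATA)


if __name__ == "__main__":
    print("vulnerable cache, run 2 acts on:", run_scenario(VulnerableCache))
    print("hardened cache,   run 2 acts on:", run_scenario(HardenedCache))
```

The point of the second run is that the verification itself is identical in both classes; what differs is whether a rejected file survives on disk and whether "exists in cache" is treated as "has been verified". Writing to a `.part` file and promoting with `os.replace` also means an interrupted download never becomes a cache entry.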
Current thread:
- CVE Request -- yum: Not removing bad metadata and using it in next run Jan Lieskovsky (Mar 27)
- Re: CVE Request -- yum: Not removing bad metadata and using it in next run Kurt Seifried (Mar 29)