Re: CVE Request -- yum: Not removing bad metadata and using it in next run

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 03/27/2013 10:25 AM, Jan Lieskovsky wrote:
> Hello Kurt, Steve, vendors,
>
> A security flaw was found in the way Yum package manager performed
> management of repository metadata in certain circumstances (bad
> metadata were not removed properly and re-used in subsequent run).
> An attacker could inject a specially-crafted Trojan horse file in
> the metadata of a remote repository, possibly leading to their
> ability to confuse Yum package manager to accept invalid untrusted 
> metadata as valid by mistake.
>
> References: [1] https://bugzilla.redhat.com/show_bug.cgi?id=910446 
> [2]
> http://lists.fedoraproject.org/pipermail/package-announce/2013-March/099496.html
[3]
http://lists.fedoraproject.org/pipermail/package-announce/2013-March/100299.html
> [4] https://lwn.net/Articles/540426/ (and search for 'yum: denial
> of service' here)
>
> Relevant upstream patch: [5]
> http://yum.baseurl.org/gitweb?p=yum.git;a=commitdiff;h=c148eb10b798270b3d15087433c8efb2a79a69d0
>
>  This issue was found by James Antill of Red Hat.
>
> Could you allocate a CVE id for this?

Please use CVE-2013-1910 for this issue.

> Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat
> Security Response Team
>
> P.S.: For those possibly wondering why [2] and [3] are public
> already - it's true this has been fixed some time ago already (but
> I wasn't around at that time) and better to request later, than
> never.
>
> Thank you for your understanding, Jan.


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRVfcdAAoJEBYNRVNeJnmT0icP/2/mj5ZfbwYNExpYMfcdmJM/
6CS4HpwFnTGXls81EpKejdZm92YmjCAMV4sKgSa46VCjEKnCoVDz17drd9NrgMc5
YqRbDzCoXI45+wZAGgEP4gjNG9LAuKN1v7Z+9I2Z6nptObmIUDy/d4xlI1ISUelI
KtfS4fXZktITn4MI/fMIHZzEoctPYRlhz+yeaAJpLcC9VMoBnfp5Ac8bvYFCj4M6
L7yYB5gED+y44hfxSJc06GSXqCz8YbkNlcPnTcpox1C8C+jj4zyqmFHLOodVcbGI
qF3ZkYppLrZ5qzDCHKsBwKFcVsrkVAoT689JD//yg4kQAlU5xxiE6+By21MxEzYI
o6dkM2lFM8+23/Hetm99pOZ2hUh12KlM9zFdNVjPZ30uLaGdmB6MbmiGPqWwt81S
6Z+q4dFY/hEKE5CFhGEDU/GWyEB4W3zx/3bpCkIwCkpCfJ/JsxwV07Hx+4g+wYky
W+vvVTSzhPtQSGpSEDz2ADIcFOfdUr69AsbtjVgP2W4Gmkd+5AuipmVQui0aZfHP
VEmB/SbmgYqGCVU01JAOVkVT8Mh2du4XhNSJp9udivvY8DZioKstrrFtTzJ8W0tZ
ua28gwLUEXQwlWks7roag0k6zoIh7bVytsVmmvT0TlQYMK9DcSgLcmCu8aejyjZK
3nKxKHGyJU+M+dfFg/Rc
=xgnU
-----END PGP SIGNATURE-----