oss-sec mailing list archives
Re: CVE Request -- yum: Not removing bad metadata and using it in next run
From: Kurt Seifried <kseifried () redhat com>
Date: Fri, 29 Mar 2013 14:18:38 -0600
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 03/27/2013 10:25 AM, Jan Lieskovsky wrote:
Hello Kurt, Steve, vendors, A security flaw was found in the way Yum package manager performed management of repository metadata in certain circumstances (bad metadata were not removed properly and re-used in subsequent run). An attacker could inject a specially-crafted Trojan horse file in the metadata of a remote repository, possibly leading to their ability to confuse Yum package manager to accept invalid untrusted metadata as valid by mistake. References: [1] https://bugzilla.redhat.com/show_bug.cgi?id=910446 [2] http://lists.fedoraproject.org/pipermail/package-announce/2013-March/099496.html
[3] http://lists.fedoraproject.org/pipermail/package-announce/2013-March/100299.html
[4] https://lwn.net/Articles/540426/ (and search for 'yum: denial of service' here) Relevant upstream patch: [5] http://yum.baseurl.org/gitweb?p=yum.git;a=commitdiff;h=c148eb10b798270b3d15087433c8efb2a79a69d0 This issue was found by James Antill of Red Hat. Could you allocate a CVE id for this?
Please use CVE-2013-1910 for this issue.
Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team P.S.: For those possibly wondering why [2] and [3] are public already - it's true this has been fixed some time ago already (but I wasn't around at that time) and better to request later, than never. Thank you for your understanding, Jan.
- -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (GNU/Linux) iQIcBAEBAgAGBQJRVfcdAAoJEBYNRVNeJnmT0icP/2/mj5ZfbwYNExpYMfcdmJM/ 6CS4HpwFnTGXls81EpKejdZm92YmjCAMV4sKgSa46VCjEKnCoVDz17drd9NrgMc5 YqRbDzCoXI45+wZAGgEP4gjNG9LAuKN1v7Z+9I2Z6nptObmIUDy/d4xlI1ISUelI KtfS4fXZktITn4MI/fMIHZzEoctPYRlhz+yeaAJpLcC9VMoBnfp5Ac8bvYFCj4M6 L7yYB5gED+y44hfxSJc06GSXqCz8YbkNlcPnTcpox1C8C+jj4zyqmFHLOodVcbGI qF3ZkYppLrZ5qzDCHKsBwKFcVsrkVAoT689JD//yg4kQAlU5xxiE6+By21MxEzYI o6dkM2lFM8+23/Hetm99pOZ2hUh12KlM9zFdNVjPZ30uLaGdmB6MbmiGPqWwt81S 6Z+q4dFY/hEKE5CFhGEDU/GWyEB4W3zx/3bpCkIwCkpCfJ/JsxwV07Hx+4g+wYky W+vvVTSzhPtQSGpSEDz2ADIcFOfdUr69AsbtjVgP2W4Gmkd+5AuipmVQui0aZfHP VEmB/SbmgYqGCVU01JAOVkVT8Mh2du4XhNSJp9udivvY8DZioKstrrFtTzJ8W0tZ ua28gwLUEXQwlWks7roag0k6zoIh7bVytsVmmvT0TlQYMK9DcSgLcmCu8aejyjZK 3nKxKHGyJU+M+dfFg/Rc =xgnU -----END PGP SIGNATURE-----
Current thread:
- CVE Request -- yum: Not removing bad metadata and using it in next run Jan Lieskovsky (Mar 27)
- Re: CVE Request -- yum: Not removing bad metadata and using it in next run Kurt Seifried (Mar 29)