oss-sec mailing list archives

CVE-2014-0022 insecure install of rpm packages via yum cron


From: "Vincent Danen" <vdanen () redhat com>
Date: Thu, 23 Jan 2014 16:46:54 -0700

Just wanted to give a heads up of a flaw that was reported to our bugzilla.  Our primary bug on this is here:

https://bugzilla.redhat.com/show_bug.cgi?id=1057377

I'm just going to cut-n-paste what I wrote in the bug.  Obviously no CVE needs to be assigned; this is for others who 
may be shipping yum.

Gabriel VLASIU reported [1] that yum-cron would install unsigned RPM packages that yum itself would refuse to install.  
The yum-cron code is based on that in yum-updatesd.py.  This is due to the installUpdates() function (processPkgs() in 
yum-updatesd.py) failing to fully check the return code of the called sigCheckPkg() function.  sigCheckPkg() is 
described thus:

    def sigCheckPkg(self, po):
        """Verify the GPG signature of the given package object.

        :param po: the package object to verify the signature of
        :return: (result, error_string)
           where result is::

              0 = GPG signature verifies ok or verification is not required.
              1 = GPG verification failed but installation of the right GPG key
                    might help.
              2 = Fatal GPG verification error, give up.
        """

However, the processPkgs() and installUpdates() calling functions do not account for return code 2:

    def processPkgs(self, dlpkgs):
...
        for po in dlpkgs:
            result, err = self.updd.sigCheckPkg(po)
            if result == 0:
                continue
            elif result == 1:
                try:
                    self.updd.getKeyForPackage(po)
                except yum.Errors.YumBaseError, errmsg:
                    self.failed([str(errmsg)])

and:

    def installUpdates(self, emit):
...
        for po in dlpkgs:
            result, err = self.sigCheckPkg(po)
            if result == 0:
                continue
            elif result == 1:
                try:
                    self.getKeyForPackage(po)
                except yum.Errors.YumBaseError, errmsg:
                    self.emitUpdateFailed(errmsg)
                    return False

yum-cron.py replaced yum-cron.sh in Fedora 19 (3.4.3-47); earlier versions of Fedora use yum-updatesd.

This has been corrected upstream [2] and in Fedora via yum-3.4.3-132.fc19 and yum-3.4.3-130.fc20.

This does not affect Red Hat Enterprise Linux 6 as it used neither yum-updatesd nor yum-cron; it used a shellscript 
that called yum itself to do updates.


[1] https://bugzilla.redhat.com/show_bug.cgi?id=1052440
[2] http://yum.baseurl.org/gitweb?p=yum.git;a=commitdiff;h=9df69e579496ccb6df5c3f5b5b7bab8d648b06b4

-- 
Vincent Danen / Red Hat Security Response Team
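The control-flow gap the message describes, as an added Python 3 model (this is not yum's, yum-cron's or Red Hat's code, and not the upstream fix): sigCheckPkg() has a three-valued contract, but the quoted loops branch only on 0 and 1, so a package whose check returns 2 falls out of the if/elif and is installed with the rest of the batch. The FakePackage and FakeUpdater classes, the package names and the error strings are constructed stand-ins; only the return-code contract and the shape of the vulnerable loop are taken from the post. The hardened loop shows one way to close the gap (treat every non-zero result as fatal, and re-check after a key import rather than trusting it); that design choice is mine, not the project's.

```python
"""Model of the CVE-2014-0022 loop: result 2 from sigCheckPkg() is never handled."""
from dataclasses import dataclass

# Return codes from yum's sigCheckPkg() docstring.
SIG_OK, SIG_NEED_KEY, SIG_FATAL = 0, 1, 2


class YumBaseError(Exception):
    """Stand-in for yum.Errors.YumBaseError (hypothetical)."""


@dataclass
class FakePackage:
    """Hypothetical package object; carries the result sigCheckPkg() would give it."""
    name: str
    sig_result: int
    sig_error: str = ""


class FakeUpdater:
    """Hypothetical updater exposing just the methods the quoted loops call."""

    def __init__(self, key_import_succeeds=True):
        self.key_import_succeeds = key_import_succeeds
        self.installed = []
        self.failures = []

    def sigCheckPkg(self, po):
        # Same (result, error_string) contract as yum's sigCheckPkg().
        return po.sig_result, po.sig_error

    def getKeyForPackage(self, po):
        # Key import is modelled as either succeeding or raising.
        if not self.key_import_succeeds:
            raise YumBaseError("no GPG key available for %s" % po.name)
        po.sig_result = SIG_OK  # with the key present the signature now verifies

    def emitUpdateFailed(self, msg):
        self.failures.append(str(msg))

    def _install(self, dlpkgs):
        self.installed.extend(po.name for po in dlpkgs)
        return True

    def install_updates_vulnerable(self, dlpkgs):
        """Mirrors the quoted installUpdates() loop: there is no branch for result 2."""
        for po in dlpkgs:
            result, err = self.sigCheckPkg(po)
            if result == 0:
                continue
            elif result == 1:
                try:
                    self.getKeyForPackage(po)
                except YumBaseError as errmsg:
                    self.emitUpdateFailed(errmsg)
                    return False
            # result == 2 (fatal GPG error) falls through here and is installed below
        return self._install(dlpkgs)

    def install_updates_fixed(self, dlpkgs):
        """Hardened loop (my design, not upstream's): anything but a clean 0 aborts."""
        for po in dlpkgs:
            result, err = self.sigCheckPkg(po)
            if result == SIG_NEED_KEY:
                try:
                    self.getKeyForPackage(po)
                except YumBaseError as errmsg:
                    self.emitUpdateFailed(errmsg)
                    return False
                result, err = self.sigCheckPkg(po)  # re-verify instead of trusting the import
            if result != SIG_OK:
                self.emitUpdateFailed("%s: %s" % (po.name, err or "GPG verification failed"))
                return False
        return self._install(dlpkgs)


def demo(loop, key_import_succeeds=True):
    """Run one loop over a constructed batch; returns (return_value, installed, failures)."""
    upd = FakeUpdater(key_import_succeeds)
    batch = [  # constructed sample input, not real packages
        FakePackage("signed-ok", SIG_OK),
        FakePackage("needs-key", SIG_NEED_KEY, "Public key for needs-key is not installed"),
        FakePackage("unsigned", SIG_FATAL, "Package unsigned is not signed"),
    ]
    ok = getattr(upd, loop)(batch)
    return ok, upd.installed, upd.failures


if __name__ == "__main__":
    for name in ("install_updates_vulnerable", "install_updates_fixed"):
        print(name, demo(name))
```

Running it shows the asymmetry the report points at: the vulnerable loop does abort when a key import fails (result 1 path), yet an unsigned package (result 2) is installed alongside the signed ones, which is exactly what yum itself would have refused to do.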
