oss-sec mailing list archives
Multiple vulnerabilities in RPM
From: Demi Marie Obenour <demi () invisiblethingslab com>
Date: Tue, 4 May 2021 03:53:38 -0400
Through a combination of manual audits and fuzzing, I found several vulnerabilities in RPM: - RPM does not reject packages that have a signed header, but neither a header+payload signature nor a payload digest. Furthermore, `rpmkeys -K` reports `digests signatures OK` for such packages. Such a package is obviously not validly signed, but RPM nevertheless accepts it. This can be mitigated by setting `%_pkgverify_level` to `signature` or `all`. I consider it a vulnerability as it violates an assumption made by much of the RPM ecosystem: if a package has any signatures, RPM will (by default) error out when trying to install it, unless the entire package has been properly signed by a trusted key. - RPM’s parser for OpenPGP packets has multiple memory unsafety issues, including out-of-bounds reads and out-of-bounds pointer arithmetic. On 32-bit systems, integer overflows and an infinite loop are also possible. It may be possible to use this vulnerability to modify a package (that is signed by a trusted key) such that it still validates as properly signed, but installing it corrupts the RPMDB. I also found two issues that are not vulnerabilities per se, but which I still believe should be fixed: - RPM accepts signatures that are followed by other OpenPGP packets, which are not valid. This opens additional attack surface. - RPM does not (obviously) reject signatures that are of an incorrect type. I am not sure that they do not wind up being rejected in other ways, and even if they are not, I am not sure if this is helpful to an attacker. But the fix is trivial, so I included it in the patch. The attached patches fix both issues. The patch sent to distros@ had a (non-exploitable) integer overflow bug on 32-bit systems, as was pointed out by Seth Arnold. Sincerely, Demi Marie Obenour she/her/hers Qubes OS Developer, Invisible Things Lab
Attachment:
0001-Fix-OpenPGP-parsing-bugs.patch
Description: Patch for the OpenPGP parser vulnerabilities
Attachment:
0002-Header-signatures-alone-are-not-sufficient.patch
Description: Patch for the signature validation vulnerability
Attachment:
signature.asc
Description:
Current thread:
- Multiple vulnerabilities in RPM Demi Marie Obenour (May 04)