oss-sec mailing list archives

Multiple vulnerabilities in RPM


From: Demi Marie Obenour <demi () invisiblethingslab com>
Date: Tue, 4 May 2021 03:53:38 -0400

Through a combination of manual audits and fuzzing, I found several
vulnerabilities in RPM:

- RPM does not reject packages that have a signed header, but neither a
  header+payload signature nor a payload digest.  Furthermore, `rpmkeys
  -K` reports `digests signatures OK` for such packages. Such a package
  is obviously not validly signed, but RPM nevertheless accepts it.
  This can be mitigated by setting `%_pkgverify_level` to `signature`
  or `all`.  I consider it a vulnerability as it violates an assumption
  made by much of the RPM ecosystem: if a package has any signatures,
  RPM will (by default) error out when trying to install it, unless
  the entire package has been properly signed by a trusted key.
  
- RPM’s parser for OpenPGP packets has multiple memory unsafety
  issues, including out-of-bounds reads and out-of-bounds pointer
  arithmetic.  On 32-bit systems, integer overflows and an infinite
  loop are also possible.  It may be possible to use this vulnerability
  to modify a package (that is signed by a trusted key) such that
  it still validates as properly signed, but installing it corrupts
  the RPMDB.
  
I also found two issues that are not vulnerabilities per se, but which
I still believe should be fixed:

- RPM accepts signatures that are followed by other OpenPGP packets,
  which are not valid.  This opens additional attack surface.

- RPM does not (obviously) reject signatures that are of an incorrect
  type.  I am not sure that they do not wind up being rejected in other
  ways, and even if they are not, I am not sure if this is helpful to
  an attacker.  But the fix is trivial, so I included it in the patch.
  
The attached patches fix both issues.  The patch sent to distros@ had a
(non-exploitable) integer overflow bug on 32-bit systems, as was pointed
out by Seth Arnold.

Sincerely,

Demi Marie Obenour
she/her/hers
Qubes OS Developer, Invisible Things Lab

Attachment: 0001-Fix-OpenPGP-parsing-bugs.patch
Description: Patch for the OpenPGP parser vulnerabilities

Attachment: 0002-Header-signatures-alone-are-not-sufficient.patch
Description: Patch for the signature validation vulnerability
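The first finding above is a structural one: the package carries a header signature, yet nothing in the file binds the payload to that signature. A defender can pre-screen a package archive for exactly that shape without doing any cryptography. The following Python is an added example written for this page, not code from the post or from RPM itself. It parses the RPM lead, the signature header and the main header with bounds checks, then reports whether a header signature (RPMSIGTAG_RSA/RPMSIGTAG_DSA) is accompanied by either a legacy header+payload signature (RPMSIGTAG_PGP/RPMSIGTAG_GPG) or a payload digest in the signed main header (RPMTAG_PAYLOADDIGEST). The tag numbers are RPM's published ones; the sample packages, the placeholder signature bytes and the builder functions are constructed test data, not real packages.

```python
import struct

# Constants from the RPM on-disk format (values as defined in rpm's rpmtag.h).
RPM_LEAD_MAGIC = b"\xed\xab\xee\xdb"
RPM_LEAD_SIZE = 96
RPM_HEADER_MAGIC = b"\x8e\xad\xe8\x01"
RPM_STRING_TYPE = 6
RPM_BIN_TYPE = 7
RPM_STRING_ARRAY_TYPE = 8

# Signature-header tags
RPMSIGTAG_PGP = 1002        # RSA signature over header + payload
RPMSIGTAG_MD5 = 1004        # MD5 of header + payload (no authentication)
RPMSIGTAG_GPG = 1005        # DSA signature over header + payload
RPMSIGTAG_DSA = 267         # DSA signature over the header only
RPMSIGTAG_RSA = 268         # RSA signature over the header only
# Main-header tags; the header signature covers the main header, so a
# payload digest stored there binds the payload to the signature.
RPMTAG_NAME = 1000
RPMTAG_PAYLOADDIGEST = 5092


def parse_header(buf, off):
    """Parse one RPM header structure at buf[off]; return ({tag: (type, count)}, end_offset).

    Every length taken from the file is bounds-checked before use, so a
    truncated or inconsistent structure raises ValueError instead of
    reading past the buffer.
    """
    if len(buf) < off + 16 or buf[off:off + 4] != RPM_HEADER_MAGIC:
        raise ValueError("no header structure at offset %d" % off)
    nindex, hsize = struct.unpack(">II", buf[off + 8:off + 16])
    index_off = off + 16
    data_off = index_off + 16 * nindex
    end = data_off + hsize
    if end > len(buf):
        raise ValueError("header claims %d entries / %d data bytes; file too short" % (nindex, hsize))
    tags = {}
    for i in range(nindex):
        entry = buf[index_off + 16 * i:index_off + 16 * i + 16]
        tag, typ, offset, count = struct.unpack(">IIII", entry)
        needed = count if typ == RPM_BIN_TYPE else 1
        if offset + needed > hsize:
            raise ValueError("index entry %d (tag %d) points outside the data area" % (i, tag))
        tags[tag] = (typ, count)
    return tags, end


def classify_signatures(rpm):
    """Report whether the payload is bound to whatever signature the package carries."""
    if len(rpm) < RPM_LEAD_SIZE or rpm[:4] != RPM_LEAD_MAGIC:
        raise ValueError("not an RPM lead")
    sig, end = parse_header(rpm, RPM_LEAD_SIZE)
    hdr, _ = parse_header(rpm, (end + 7) & ~7)   # signature header is padded to 8 bytes
    header_signed = RPMSIGTAG_RSA in sig or RPMSIGTAG_DSA in sig
    payload_signed = RPMSIGTAG_PGP in sig or RPMSIGTAG_GPG in sig
    payload_digest = RPMTAG_PAYLOADDIGEST in hdr
    if not header_signed and not payload_signed:
        return "unsigned"
    if header_signed and not (payload_signed or payload_digest):
        return "reject: header signed but payload not bound by a signature or digest"
    return "ok: payload bound to the signature"


def classify_safely(rpm):
    """Wrapper for bulk scanning: malformed input becomes a verdict rather than an exception."""
    try:
        return classify_signatures(rpm)
    except ValueError as exc:
        return "malformed: %s" % exc


# --- constructed test data below; these are not real packages -------------------
def build_header(entries):
    """Serialize (tag, type, data) triples into a header structure."""
    index, data = b"", b""
    for tag, typ, blob in entries:
        count = len(blob) if typ == RPM_BIN_TYPE else 1
        index += struct.pack(">IIII", tag, typ, len(data), count)
        data += blob
    return RPM_HEADER_MAGIC + b"\0" * 4 + struct.pack(">II", len(entries), len(data)) + index + data


def build_package(sig_entries, hdr_entries):
    """Assemble lead + signature header + main header + dummy payload."""
    sig = build_header(sig_entries)
    sig += b"\0" * (-len(sig) % 8)
    return RPM_LEAD_MAGIC + b"\0" * (RPM_LEAD_SIZE - 4) + sig + build_header(hdr_entries) + b"payload"


FAKE_SIG = b"\x89\x01" + b"\0" * 30          # placeholder bytes standing in for a signature blob
NAME = (RPMTAG_NAME, RPM_STRING_TYPE, b"example\0")
DIGEST = (RPMTAG_PAYLOADDIGEST, RPM_STRING_ARRAY_TYPE, b"0" * 64 + b"\0")

HEADER_ONLY = build_package([(RPMSIGTAG_RSA, RPM_BIN_TYPE, FAKE_SIG)], [NAME])
BOUND_BY_DIGEST = build_package([(RPMSIGTAG_RSA, RPM_BIN_TYPE, FAKE_SIG)], [NAME, DIGEST])
LEGACY_FULL = build_package([(RPMSIGTAG_RSA, RPM_BIN_TYPE, FAKE_SIG),
                             (RPMSIGTAG_PGP, RPM_BIN_TYPE, FAKE_SIG)], [NAME])
UNSIGNED = build_package([(RPMSIGTAG_MD5, RPM_BIN_TYPE, b"\0" * 16)], [NAME])

if __name__ == "__main__":
    for label, pkg in [("header-only", HEADER_ONLY), ("digest-bound", BOUND_BY_DIGEST),
                       ("legacy-full", LEGACY_FULL), ("unsigned", UNSIGNED),
                       ("truncated", HEADER_ONLY[:120])]:
        print("%-12s -> %s" % (label, classify_safely(pkg)))
```

This is a structural screen only: it never verifies a signature or recomputes a digest, so a package that passes here still has to be checked by `rpmkeys -K` with the mitigation the post names (`%_pkgverify_level` set to `signature` or `all`). Its value is the opposite direction: any real package the screen flags as "reject" is one that, on an unpatched RPM with the default verify level, would have been accepted on the strength of a header signature that says nothing about the payload.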
