YUM cron insecure install of rpm packages

2014.01.24
Credit: Vincent Danen
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-20


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

Just wanted to give a heads up of a flaw that was reported to our bugzilla. Our primary bug on this is here: https://bugzilla.redhat.com/show_bug.cgi?id=1057377

I'm just going to cut-n-paste what I wrote in the bug. Obviously no CVE needs to be assigned; this is for others who may be shipping yum.

Gabriel VLASIU reported [1] that yum-cron would install unsigned RPM packages that yum itself would refuse to install. The yum-cron code is based on that in yum-updatesd.py. This is due to the installUpdates() function (processPkgs() in yum-updatesd.py) failing to fully check the return code of the called sigCheckPkg() function. sigCheckPkg() is described thus:

    def sigCheckPkg(self, po):
        """Verify the GPG signature of the given package object.

        :param po: the package object to verify the signature of
        :return: (result, error_string) where result is::

            0 = GPG signature verifies ok or verification is not required.
            1 = GPG verification failed but installation of the right GPG key
                might help.
            2 = Fatal GPG verification error, give up.
        """

However, the processPkgs() and installUpdates() calling functions do not account for return code 2:

    def processPkgs(self, dlpkgs):
        ...
        for po in dlpkgs:
            result, err = self.updd.sigCheckPkg(po)
            if result == 0:
                continue
            elif result == 1:
                try:
                    self.updd.getKeyForPackage(po)
                except yum.Errors.YumBaseError, errmsg:
                    self.failed([str(errmsg)])

and:

    def installUpdates(self, emit):
        ...
        for po in dlpkgs:
            result, err = self.sigCheckPkg(po)
            if result == 0:
                continue
            elif result == 1:
                try:
                    self.getKeyForPackage(po)
                except yum.Errors.YumBaseError, errmsg:
                    self.emitUpdateFailed(errmsg)
                    return False

yum-cron.py replaced yum-cron.sh in Fedora 19 (3.4.3-47); earlier versions of Fedora use yum-updatesd. This has been corrected upstream [2] and in Fedora via yum-3.4.3-132.fc19 and yum-3.4.3-130.fc20. This does not affect Red Hat Enterprise Linux 6 as it used neither yum-updatesd nor yum-cron; it used a shellscript that called yum itself to do updates.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1052440
[2] http://yum.baseurl.org/gitweb?p=yum.git;a=commitdiff;h=9df69e579496ccb6df5c3f5b5b7bab8d648b06b4

-- 
Vincent Danen / Red Hat Security Response Team
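Added example, not yum's code and not part of the post above: a minimal Python model of the installUpdates() loop it describes, using a constructed package table and a stand-in sigCheckPkg(), to show how a result of 2 falls through the 0/1 branches and is installed, and how a fail-closed loop refuses it. The names SAMPLE_PKGS, sig_check_pkg, get_key_for_package, vulnerable_filter and hardened_filter are assumptions for the illustration, not yum identifiers, and the hardened loop is one possible fix rather than the upstream commit.

```python
# Result codes as documented in yum's sigCheckPkg() docstring.
SIG_OK, SIG_NEEDS_KEY, SIG_FATAL = 0, 1, 2

# Constructed sample packages: name -> (result, error_string) that a
# sigCheckPkg() call would return for it.
SAMPLE_PKGS = {
    "signed-1.0.rpm": (SIG_OK, ""),
    "needs-key-2.0.rpm": (SIG_NEEDS_KEY, "public key not installed"),
    "unsigned-3.0.rpm": (SIG_FATAL, "package is not signed"),
}

def sig_check_pkg(po):
    """Stand-in for yum's sigCheckPkg(): returns (result, error_string)."""
    return SAMPLE_PKGS[po]

def get_key_for_package(po):
    """Stand-in for getKeyForPackage(); assume the key import succeeds."""
    return True

def vulnerable_filter(dlpkgs):
    """Mirrors the reported loop: only results 0 and 1 are handled, so a
    result of 2 hits no branch and the package stays in the install set."""
    approved = []
    for po in dlpkgs:
        result, err = sig_check_pkg(po)
        if result == SIG_OK:
            pass
        elif result == SIG_NEEDS_KEY:
            get_key_for_package(po)
        # result == 2: nothing aborts here, so the loop carries on
        approved.append(po)
    return approved

def hardened_filter(dlpkgs):
    """Fail closed: accept 0, accept 1 only after a successful key import,
    and abort the whole transaction on 2 or any unexpected value."""
    approved = []
    for po in dlpkgs:
        result, err = sig_check_pkg(po)
        if result == SIG_OK:
            approved.append(po)
        elif result == SIG_NEEDS_KEY and get_key_for_package(po):
            approved.append(po)
        else:
            raise RuntimeError("refusing to install %s: %s" % (po, err))
    return approved
```

The hardened loop raises on the unsigned package, which is the behaviour yum itself shows when run interactively; the vulnerable loop returns all three packages for installation.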

References:

https://bugzilla.redhat.com/show_bug.cgi?id=1052440
http://yum.baseurl.org/gitweb?p=yum.git;a=commitdiff;h=9df69e579496ccb6df5c3f5b5b7bab8d648b06b4
http://seclists.org/oss-sec/2014/q1/146
https://bugzilla.redhat.com/show_bug.cgi?id=1057377

