Use RPMSIG_SIGNATURE_TYPE and rpmcliVerifySignatures() for all RPM-based signature verification #307
Comments
@DemiMarie do you have some more details about the nature of CVE-2021-3445? Why should calling ::rpmcliVerifySignatures be more secure than ::rpmVerifySignatures, which is what zypp calls (plus parsing the output to grep keyids and unsigned packages)? Do you happen to have some 'bad' package we can use for testing?
rpmVerifySignatures and rpmcliVerifySignatures are pretty much the same. The difference is that you can verify multiple rpms with rpmcliVerifySignatures. I don't see any other meaningful difference. Maybe this is about
Wait, I mixed up SetVfyLevel() with SetVfyFlags.
Libzypp already checks the output of the signature verification and (if configured) rejects packages with no signature anyway, so this is not needed.
@DemiMarie do you have some more details about the nature of CVE-2021-3445? Why should calling ::rpmcliVerifySignatures be more secure than ::rpmVerifySignatures, which is what zypp calls (plus parsing the output to grep keyids and unsigned packages)? Where do you think our code is vulnerable, or was this issue just filed to make us aware of the CVE?
CVE-2021-3445 is a signature verification bypass in libdnf: it turns out that old versions of librpm (before the CVE-2021-3421 fix) allow for signatures to be located in the immutable header, which RPM will not check. This allowed libdnf to be tricked into thinking a package was validly signed when it was not. Using
As per discussion with Red Hat Product Security, RPM does not guarantee that signatures will be checked unless
Thanks. We'll review the code.
This is not sufficient; details have been sent privately to SUSE security.
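A defender-side check for the layout the comment above describes, added here as an example and not code from libzypp, libdnf or rpm: it parses an RPM image's signature header and immutable header separately and reports signature-only tags that sit in the immutable header, where RPM's verification does not cover them. Tag numbers are taken from rpm's rpmtag.h; the sample images are constructed in-memory skeletons (lead plus two headers, dummy bytes, no payload and no real signature).

```python
import struct

LEAD_MAGIC = b"\xed\xab\xee\xdb"
HEADER_MAGIC = b"\x8e\xad\xe8\x01\x00\x00\x00\x00"
LEAD_LEN = 96
# Main-header tag numbers (rpm's rpmtag.h, RPMTAG_SIG_BASE = 256) that only carry
# signature data when RPM itself copies them in from the verified signature header.
SIG_ONLY_TAGS = {259: "SIGPGP", 262: "SIGGPG", 267: "DSAHEADER", 268: "RSAHEADER"}

def parse_header(buf, off):
    """Parse one header structure at buf[off:]; return ({tag: (type, count)}, end_offset)."""
    if buf[off:off + 8] != HEADER_MAGIC:
        raise ValueError("bad header magic at offset %d" % off)
    nindex, hsize = struct.unpack(">II", buf[off + 8:off + 16])
    idx = off + 16
    entries = {}
    for i in range(nindex):
        tag, typ, _doff, count = struct.unpack(">IIII", buf[idx + 16 * i:idx + 16 * (i + 1)])
        entries[tag] = (typ, count)
    return entries, idx + 16 * nindex + hsize

def misplaced_signature_tags(pkg):
    """Names of signature-only tags found in the immutable header of an RPM image."""
    if pkg[:4] != LEAD_MAGIC:
        raise ValueError("not an RPM lead")
    _sig_tags, end = parse_header(pkg, LEAD_LEN)
    end += (-end) % 8                      # signature header is padded to 8 bytes
    main_tags, _ = parse_header(pkg, end)
    return sorted(SIG_ONLY_TAGS[t] for t in main_tags if t in SIG_ONLY_TAGS)

def build_header(entries):
    """Constructed helper: serialise (tag, type, count, payload) entries as a header."""
    index, data = b"", b""
    for tag, typ, count, payload in entries:
        index += struct.pack(">IIII", tag, typ, len(data), count)
        data += payload
    return HEADER_MAGIC + struct.pack(">II", len(entries), len(data)) + index + data

def build_sample(signature_tag_in_main):
    """Constructed minimal package skeleton (lead + two headers, dummy bytes, no payload)."""
    lead = LEAD_MAGIC + b"\x00" * (LEAD_LEN - 4)
    sig = build_header([(268, 7, 8, b"\x00" * 8)])        # RPMSIGTAG_RSA, BIN type
    sig += b"\x00" * ((-len(sig)) % 8)
    main = [(1000, 6, 1, b"demo\x00")]                     # RPMTAG_NAME, STRING type
    if signature_tag_in_main:
        main.append((268, 7, 8, b"\x00" * 8))              # the layout described above
    return lead + sig + build_header(main)
```

This is a structural lint for spotting the layout in question, not a substitute for letting librpm enforce the verification level as the thread recommends.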
This is libzypp’s version of CVE-2021-3445. Only users who have turned off repository signature verification for at least one repository are vulnerable, unlike DNF which is vulnerable by default. See rpm-software-management/libdnf#1179 and rpm-software-management/dnf#1752.
Reporting publicly because this is already public in other repositories and because default configurations are not vulnerable.