Risk of using rpm parser?
fweimer at redhat.com
Mon Mar 3 12:11:41 UTC 2014
On 03/03/2014 10:43 AM, Miroslav Suchý wrote:
> Imagine you are an attacker. You can submit to the target server (Copr)
> whatever src.rpm you want. That srpm will be built in a VM, which will
> then be terminated. But you know that the server will run queries using
> python-rpm on the final binary rpm files.
Parsing the src.rpm is unsafe (or more precisely, the spec file in it).
This is by design, no exploit is needed.
Parsing the final RPMs can be made safe in theory, especially if the
contents are not extracted to the file system. I don't know if the
Python bindings encourage any questionable practices (such as macro
expansion in headers read from the RPMs), but that would be bugs. If
you can extract the data you need in the builder VM, it's probably best
to do it there. But if the data structures for representing it are
complex, you might have fewer bugs if you go directly for the RPM.
There's also the question of what happens if the untrusted builder VM lies
about properties of the RPMs.
Florian Weimer / Red Hat Product Security Team
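As an added illustration of the point above (that querying the final RPMs can be made safe when done read-only, plus the case where the builder VM misreports package properties), here is a small defensive parser for the RPM header structure. It is example code written for this thread, not code from rpm, python-rpm or Copr. It reads tag values straight from a byte buffer with every offset and count bounds-checked, writes nothing to the file system and performs no macro expansion; `check_builder_claims` compares properties reported by the untrusted builder with what the header itself says. The tag and type numbers are the public ones from rpm's headers; the sample header, the sanity limits `MAX_ENTRIES`/`MAX_DATA` and all function names are constructed assumptions.

```python
"""Read-only, bounds-checked parser for one RPM header structure.

Constructed example for this discussion, not code from rpm or python-rpm.
Only the INT32, STRING and STRING_ARRAY data types are decoded; anything
else is skipped rather than trusted.
"""
import struct

HEADER_MAGIC = b"\x8e\xad\xe8\x01"      # 3 magic bytes + header version 1
INDEX_ENTRY = struct.Struct(">iiii")    # tag, type, offset, count (big-endian int32)

# Header data types (from rpm's rpmtag.h)
RPM_INT32_TYPE = 4
RPM_STRING_TYPE = 6
RPM_STRING_ARRAY_TYPE = 8

# A few well-known tags (from rpm's rpmtag.h)
RPMTAG_NAME, RPMTAG_VERSION, RPMTAG_RELEASE = 1000, 1001, 1002
RPMTAG_SIZE = 1009
RPMTAG_ARCH = 1022

MAX_ENTRIES = 65536            # assumed sanity limits, not rpm's own
MAX_DATA = 64 * 1024 * 1024


class BadHeader(ValueError):
    """Any malformed header; the caller should treat the package as hostile."""


def parse_header(blob, offset=0):
    """Parse the header structure starting at `offset` in `blob`.

    Returns (tags, end_offset); `tags` maps tag number -> decoded value.
    Every offset and length is validated against the buffer before use."""
    if len(blob) - offset < 16 or blob[offset:offset + 4] != HEADER_MAGIC:
        raise BadHeader("bad header magic")
    nindex, hsize = struct.unpack(">II", blob[offset + 8:offset + 16])
    if nindex == 0 or nindex > MAX_ENTRIES or hsize > MAX_DATA:
        raise BadHeader("unreasonable index or data store size")
    index_start = offset + 16
    data_start = index_start + nindex * 16
    data_end = data_start + hsize
    if data_end > len(blob):
        raise BadHeader("header extends past end of buffer")
    data = blob[data_start:data_end]

    tags = {}
    for i in range(nindex):
        tag, typ, off, count = INDEX_ENTRY.unpack_from(blob, index_start + i * 16)
        if off < 0 or off > hsize or count < 0:
            raise BadHeader("index entry %d points outside the data store" % i)
        if typ == RPM_INT32_TYPE:
            if count == 0 or off + 4 * count > hsize:
                raise BadHeader("int32 entry %d overruns the data store" % i)
            vals = struct.unpack(">%di" % count, data[off:off + 4 * count])
            tags[tag] = vals[0] if count == 1 else list(vals)
        elif typ in (RPM_STRING_TYPE, RPM_STRING_ARRAY_TYPE):
            if typ == RPM_STRING_TYPE and count != 1:
                raise BadHeader("string entry %d must have count 1" % i)
            strings, pos = [], off
            for _ in range(count):
                nul = data.find(b"\x00", pos)   # -1 if the string runs off the store
                if nul < 0:
                    raise BadHeader("unterminated string in entry %d" % i)
                strings.append(data[pos:nul].decode("utf-8", "replace"))
                pos = nul + 1
            tags[tag] = strings[0] if typ == RPM_STRING_TYPE else strings
        # other types: ignored, never dereferenced
    return tags, data_end


def check_builder_claims(blob, claimed):
    """Return the claims (name/version/release/arch) that the header contradicts."""
    tags, _ = parse_header(blob)
    actual = {"name": tags.get(RPMTAG_NAME), "version": tags.get(RPMTAG_VERSION),
              "release": tags.get(RPMTAG_RELEASE), "arch": tags.get(RPMTAG_ARCH)}
    return {k: v for k, v in claimed.items() if actual.get(k) != v}


def is_rejected(blob):
    """True if the parser refuses the header (used for the hostile sample)."""
    try:
        parse_header(blob)
        return False
    except BadHeader:
        return True


def build_header(entries):
    """Serialise (tag, type, value) triples into a header: constructed test input."""
    index, data = b"", b""
    for tag, typ, value in entries:
        if typ == RPM_INT32_TYPE:
            data += b"\x00" * (-len(data) % 4)          # int32 data is 4-byte aligned
            off, count = len(data), 1
            data += struct.pack(">i", value)
        elif typ == RPM_STRING_TYPE:
            off, count = len(data), 1
            data += value.encode() + b"\x00"
        else:
            off, count = len(data), len(value)
            data += b"".join(s.encode() + b"\x00" for s in value)
        index += INDEX_ENTRY.pack(tag, typ, off, count)
    return HEADER_MAGIC + b"\x00" * 4 + struct.pack(">II", len(entries), len(data)) + index + data


# Constructed sample header, not taken from any real package
SAMPLE_HEADER = build_header([
    (RPMTAG_NAME, RPM_STRING_TYPE, "hello"),
    (RPMTAG_VERSION, RPM_STRING_TYPE, "1.0"),
    (RPMTAG_RELEASE, RPM_STRING_TYPE, "1.fc20"),
    (RPMTAG_ARCH, RPM_STRING_TYPE, "x86_64"),
    (RPMTAG_SIZE, RPM_INT32_TYPE, 4096),
])


def corrupted_sample():
    """Sample with its first index entry pointing far past the data store."""
    bad_entry = INDEX_ENTRY.pack(RPMTAG_NAME, RPM_STRING_TYPE, 10 ** 6, 1)
    return SAMPLE_HEADER[:16] + bad_entry + SAMPLE_HEADER[32:]


if __name__ == "__main__":
    print(parse_header(SAMPLE_HEADER)[0])
    print(check_builder_claims(SAMPLE_HEADER, {"name": "hello", "arch": "noarch"}))
    print("hostile header rejected:", is_rejected(corrupted_sample()))
```

`parse_header` works on any header region of an RPM (the signature header and the main header use the same structure), so a caller reading a whole file would skip the 96-byte lead, parse the signature header, round up to 8 bytes and parse again; the point is that a mis-sized index entry produces `BadHeader` rather than an out-of-range read.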