Risk of using rpm parser?

Florian Weimer fweimer at redhat.com
Mon Mar 3 12:11:41 UTC 2014


On 03/03/2014 10:43 AM, Miroslav Suchý wrote:

> Imagine you are an attacker. You can submit to the target server (Copr)
> whatever src.rpm you want. That srpm will be built in a VM, which will
> then be terminated. But you know that the server will use queries using
> python-rpm on the final binary rpm files.

Parsing the src.rpm is unsafe (or more precisely, the spec file in it).
This is by design, no exploit is needed.

Parsing the final RPMs can be made safe in theory, especially if the 
contents are not extracted to the file system.  I don't know if the 
Python bindings encourage any questionable practices (such as macro 
expansion in headers read from the RPMs), but that would be bugs.  If 
you can extract the data you need in the builder VM, it's probably best 
to do it there.  But if the data structures for representing it are 
complex, you might have fewer bugs if you go directly for the RPM.

There's also the question of what happens if the untrusted builder VM lies 
about properties of the RPMs.

-- 
Florian Weimer / Red Hat Product Security Team
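
An added illustration, not part of the original message and not code from rpm or python-rpm: a bounds-checked reader for the string tags of a binary RPM's main header that never extracts the payload and returns values as inert bytes, with no macro expansion. The size caps, function names and the sample package are assumptions made for this example.

```python
import struct

LEAD_MAGIC, HDR_MAGIC = b"\xed\xab\xee\xdb", b"\x8e\xad\xe8\x01"
MAX_ENTRIES, MAX_STORE = 4096, 16 * 1024 * 1024   # assumed caps for this example
RPM_STRING, TAG_NAME, TAG_VERSION = 6, 1000, 1001

def read_header(buf, pos):
    """Parse one header section at pos; return ({tag: bytes}, end offset)."""
    if buf[pos:pos + 4] != HDR_MAGIC or len(buf) < pos + 16:
        raise ValueError("bad header magic or truncated intro")
    nindex, hsize = struct.unpack_from(">II", buf, pos + 8)
    if nindex > MAX_ENTRIES or hsize > MAX_STORE:
        raise ValueError("header exceeds size caps")
    store = pos + 16 + 16 * nindex          # data store follows the index
    end = store + hsize
    if end > len(buf):
        raise ValueError("header runs past end of file")
    strings = {}
    for i in range(nindex):
        tag, typ, off, count = struct.unpack_from(">IIII", buf, pos + 16 + 16 * i)
        if typ != RPM_STRING:
            continue                        # only single strings are read here
        if count != 1 or off >= hsize:
            raise ValueError("string entry out of bounds")
        nul = buf.find(b"\0", store + off, end)
        if nul < 0:
            raise ValueError("unterminated string")
        strings[tag] = buf[store + off:nul]  # inert bytes, never macro-expanded
    return strings, end

def package_strings(buf):
    """String tags of the main header; the payload is never touched."""
    if len(buf) < 96 or buf[:4] != LEAD_MAGIC:
        raise ValueError("not an RPM lead")
    _, sig_end = read_header(buf, 96)        # signature header, contents skipped
    return read_header(buf, (sig_end + 7) & ~7)[0]  # main header is 8-byte aligned

def _header(entries):
    """Build a constructed header section from {tag: bytes} for the sample."""
    index = store = b""
    for tag, val in entries.items():
        index += struct.pack(">IIII", tag, RPM_STRING, len(store), 1)
        store += val + b"\0"
    return HDR_MAGIC + b"\0" * 4 + struct.pack(">II", len(entries), len(store)) + index + store

# Constructed sample: 96-byte lead, empty signature header, two-tag main header.
SAMPLE = LEAD_MAGIC + b"\0" * 92 + _header({}) + _header(
    {TAG_NAME: b"demo%{dist}", TAG_VERSION: b"1.0"})
```

The reader does not verify signatures or digests, so it addresses only parser safety, not whether the builder VM reported the package truthfully.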

