Risk of using rpm parser?
R P Herrold
herrold at owlriver.com
Tue Mar 4 03:32:40 UTC 2014
On Mon, 3 Mar 2014, Miroslav Suchý wrote:
> Imagine you are an attacker. You can submit to the target server (Copr) whatever
> src.rpm you want. That srpm will be built in a VM, which will then be
> terminated. But you know that the server will run queries using python-rpm on
> the final binary rpm files.
The srpm contains a .spec file. Spec files have full access
to whatever they wish to specify to pull in via BuildRequires.
As such they have access to a Turing Complete environment.
If there is an exploit to escape from a VM into the parent
hosting environment (there were previously disclosed known
ones, and one has to assume more lurking), one can 'leave
behind' whatever hostile payload one wishes.
-- Russ herrold
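The thread's concern is that python-rpm (librpm) ends up parsing a package produced by an untrusted build. One defensive layer a practitioner can put in front of that parser is a strict, dependency-free pre-check of the 96-byte RPM lead, so that a file that is not even shaped like an rpm is rejected before librpm touches it. The following is an added example written for this page, not code from the thread, from Copr, or from the rpm project; it relies only on the documented lead layout (big-endian: 4-byte magic `ed ab ee db`, major/minor version bytes, package type, architecture number, a 66-byte NUL-terminated name, OS number, signature type 5 for header-style signatures, 16 reserved bytes) and constructs its own sample leads inline. The function names are this example's own.

```python
import struct

# Fixed layout of the RPM lead (first 96 bytes of every .rpm / .src.rpm).
RPM_MAGIC = b"\xed\xab\xee\xdb"
LEAD_SIZE = 96
LEAD_FMT = ">4sBBhh66shh16s"          # big-endian; struct.calcsize(...) == 96
PACKAGE_TYPES = {0: "binary", 1: "source"}
RPMSIGTYPE_HEADERSIG = 5              # the only signature type modern rpm writes


class RpmLeadError(ValueError):
    """Raised when the lead is malformed; caller should not hand the file to librpm."""


def parse_lead(data: bytes) -> dict:
    """Strictly validate and decode the RPM lead from the start of a file's bytes.

    Every field is bounds- and value-checked; anything unexpected raises
    RpmLeadError instead of being passed on to the real parser.
    """
    if len(data) < LEAD_SIZE:
        raise RpmLeadError("file shorter than the %d-byte lead" % LEAD_SIZE)
    magic, major, minor, ptype, arch, name, osnum, sigtype, _reserved = \
        struct.unpack(LEAD_FMT, data[:LEAD_SIZE])
    if magic != RPM_MAGIC:
        raise RpmLeadError("bad magic %r" % magic)
    if ptype not in PACKAGE_TYPES:
        raise RpmLeadError("unknown package type %d" % ptype)
    if sigtype != RPMSIGTYPE_HEADERSIG:
        raise RpmLeadError("unexpected signature type %d" % sigtype)
    # The name must be NUL-terminated inside its 66-byte field and printable ASCII;
    # an unterminated or binary-stuffed name is a classic malformed-input sign.
    nul = name.find(b"\x00")
    if nul <= 0:
        raise RpmLeadError("package name missing or not NUL-terminated")
    raw_name = name[:nul]
    if not all(0x20 < b < 0x7F for b in raw_name):
        raise RpmLeadError("non-printable bytes in package name")
    return {
        "version": (major, minor),
        "type": PACKAGE_TYPES[ptype],
        "arch": arch,
        "os": osnum,
        "name": raw_name.decode("ascii"),
    }


def build_lead(name: str, ptype: int, sigtype: int = RPMSIGTYPE_HEADERSIG) -> bytes:
    """Construct a sample lead for demonstration (this is test data, not a real package)."""
    return struct.pack(LEAD_FMT, RPM_MAGIC, 3, 0, ptype, 1,
                       name.encode("ascii") + b"\x00", 1, sigtype, b"\x00" * 16)


def precheck_verdict(data: bytes) -> tuple:
    """Return (accepted, reason) for a gatekeeper that runs before python-rpm."""
    try:
        lead = parse_lead(data)
    except RpmLeadError as exc:
        return (False, str(exc))
    return (True, "%s package %s" % (lead["type"], lead["name"]))


if __name__ == "__main__":
    # Constructed inputs: one well-formed source-package lead, one with a bogus magic.
    print(precheck_verdict(build_lead("hello-1.0-1", 1)))
    print(precheck_verdict(b"MZ" + b"\x00" * 94))
```

This gate only filters files that are not structurally an rpm at all; the header that librpm parses in full still sits behind it, so the query against accepted files should still run in a separate, resource-limited process rather than inside the service that builds and dispatches jobs.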