Risk of using rpm parser?

R P Herrold herrold at owlriver.com
Tue Mar 4 03:32:40 UTC 2014

On Mon, 3 Mar 2014, Miroslav Suchý wrote:

> Imagine you are attacker. You can submit to target server (Copr) whatever
> src.rpm you want. That srpm will be build in VM, which will be then
> terminated. But you know that the server will use queries using python-rpm on
> final binary rpm files.

The srpm contains a .spec file.  Spec files have full access 
to whatever they wish to specify to pull in via BuildRequires.  
As such they have access to a Turing Complete environment

If there is an exploit to escape from a VM into the parent 
hosting environment (there were previously disclosed known 
ones, and one has to assume more lurking), one can 'leave 
behind' whatever hostile payload one wishes

-- Russ herrold

More information about the Rpm-list mailing list