[Rpm-maint] [rpm-software-management/rpm] Multiple vulnerabilities in RPM (#1671)

Demi Marie Obenour notifications at github.com
Wed May 5 04:30:50 UTC 2021


Through a combination of manual audits and fuzzing, I found several
vulnerabilities in RPM:

- RPM does not reject packages that have a signed header, but neither a
  header+payload signature nor a payload digest.  Furthermore, `rpmkeys
  -K` reports `digests signatures OK` for such packages. Such a package
  is obviously not validly signed, but RPM nevertheless accepts it.
  This can be mitigated by setting `%_pkgverify_level` to `signature`
  or `all`.  I consider it a vulnerability as it violates an assumption
  made by much of the RPM ecosystem: if a package has any signatures,
  RPM will (by default) error out when trying to install it, unless
  the entire package has been properly signed by a trusted key.
  
- RPM’s parser for OpenPGP packets has multiple memory unsafety
  issues, including out-of-bounds reads and out-of-bounds pointer
  arithmetic.  On 32-bit systems, integer overflows and an infinite
  loop are also possible.  It may be possible to use this vulnerability
  to modify a package (that is signed by a trusted key) such that
  it still validates as properly signed, but installing it corrupts
  the RPMDB.
  
I also found two issues that are not vulnerabilities per se, but which
I still believe should be fixed:

- RPM accepts signatures that are followed by other OpenPGP packets,
  which are not valid.  This opens additional attack surface.

- RPM does not (obviously) reject signatures that are of an incorrect
  type.  I am not sure that they do not wind up being rejected in other
  ways, and even if they are not, I am not sure if this is helpful to
  an attacker.  But the fix is trivial, so I included it in the patch.

These vulnerabilities are no longer under embargo as of May 4, 2021.  See https://www.openwall.com/lists/oss-security/2021/05/04/2.
You can view, comment on, or merge this pull request online at:

  https://github.com/rpm-software-management/rpm/pull/1671

-- Commit Summary --

  * Simplify OpenSSL crypto code
  * Avoid double frees if EVP_PKEY_assign_RSA fails
  * Fix OpenPGP parsing bugs
  * Header signatures alone are not sufficient
  * Fuzz harness for rpmReadPackageFile() and pgpPrtParams()
  * Fix an undefined shift in the expression evaluator

-- File Changes --

    M lib/package.c (39)
    M lib/rpmvs.c (14)
    M rpmio/digest_openssl.c (88)
    M rpmio/expression.c (2)
    M rpmio/rpmlog.c (2)
    M rpmio/rpmlog.h (4)
    M rpmio/rpmpgp.c (185)
    M rpmio/rpmpgp.h (4)
    A tests/data/RPMS/hello-2.0-1.x86_64-corrupted.rpm (0)
    M tests/rpmsigdig.at (40)

-- Patch Links --

https://github.com/rpm-software-management/rpm/pull/1671.patch
https://github.com/rpm-software-management/rpm/pull/1671.diff
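As an added example (not code from this report or from RPM itself), here is a small Python checker for the first issue: it walks the signature header and the main header of an RPM image and reports whether the payload is cryptographically covered, i.e. whether a header-only signature is accompanied by either a header+payload signature or a signed payload digest. The tag numbers (RPMSIGTAG_DSA/RSA 267/268, RPMSIGTAG_PGP/GPG 1002/1005, RPMTAG_PAYLOADDIGEST 5092) are taken from RPM's public rpmtag.h; the package images built by `build_package` are constructed minimal headers with empty entries, not real packages.

```python
import struct

# Tag numbers as defined in RPM's public rpmtag.h (assumed, not from the report).
HDR_MAGIC = b"\x8e\xad\xe8\x01"
SIG_HEADER_ONLY = {267, 268}       # RPMSIGTAG_DSA, RPMSIGTAG_RSA: cover the header only
SIG_HEADER_PAYLOAD = {1002, 1005}  # RPMSIGTAG_PGP, RPMSIGTAG_GPG: cover header+payload
TAG_PAYLOADDIGEST = 5092           # RPMTAG_PAYLOADDIGEST: lives in the (signed) main header


def parse_header(buf, off):
    """Return (set of tag numbers, offset just past the header) for a header at off."""
    if buf[off:off + 4] != HDR_MAGIC:
        raise ValueError("bad header magic at offset %d" % off)
    # Layout: magic(4) reserved(4) index_count(4) data_length(4), then 16-byte index entries.
    nindex, datalen = struct.unpack(">II", buf[off + 8:off + 16])
    tags = set()
    for i in range(nindex):
        entry = off + 16 + 16 * i
        tags.add(struct.unpack(">I", buf[entry:entry + 4])[0])
    return tags, off + 16 + 16 * nindex + datalen


def classify(pkg):
    """Classify what the signatures in an RPM image actually cover (96-byte lead skipped)."""
    sigtags, end = parse_header(pkg, 96)
    end += (-end) % 8  # the signature header is padded to an 8-byte boundary
    hdrtags, _ = parse_header(pkg, end)
    header_sig = bool(sigtags & SIG_HEADER_ONLY)
    full_sig = bool(sigtags & SIG_HEADER_PAYLOAD)
    payload_digest = TAG_PAYLOADDIGEST in hdrtags
    if full_sig or (header_sig and payload_digest):
        return "payload covered"
    if header_sig:
        return "header-only signature: payload unverified"
    return "unsigned"


def build_header(tags):
    """Constructed minimal header: one empty BIN (type 7) entry per tag, no data."""
    entries = b"".join(struct.pack(">IIII", t, 7, 0, 0) for t in tags)
    return HDR_MAGIC + b"\0\0\0\0" + struct.pack(">II", len(tags), 0) + entries


def build_package(sigtags, hdrtags):
    """Constructed package image: zeroed lead, padded signature header, main header."""
    sig = build_header(sigtags)
    sig += b"\0" * ((-len(sig)) % 8)
    return b"\0" * 96 + sig + build_header(hdrtags)
```

The same `classify` call accepts the bytes of an on-disk package (`classify(open("pkg.rpm", "rb").read())`), since the parser skips each header's data area by its declared length.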
