[Rpm-maint] [rpm-software-management/rpm] Installation / verification should not pass if the (sub)key(s) has been revoked or expired (#1598)

Florian Festi notifications at github.com
Mon Jul 5 07:41:18 UTC 2021


> @dmantipov Is there a CVE associated with this vulnerability?
> I'm asking so that I can keep an eye out for the fix.
> 
> Also, on a different note, any idea if package managers that rely on rpm are vulnerable as well? Yum and Zypper for instance.

OK, as there is some confusion here: There is no CVE (AFAIK) and there should not be a CVE. This is not a vulnerability. This is a basic misunderstanding on how rpm works.
RPM by design works on the local system only and does not look things up on the internet. It does not make decisions on its own but relies on the user or other tools to be told what needs to be done - including adding or removing keys. The RPM way of no longer trusting a key is to remove it from the RPM DB. This works just fine.

This does not mean that the current situation does not leave things to be desired, as withdrawing a key requires quite some effort, like issuing an update that removes the key or using some sort of automation for local setups.

But the topic is much more complicated than just adding support for GPG revocation keys to RPM. First, the actual key lookup and check needs to go into the updater level (e.g. dnf and zypper) as they are dealing with things on the network. More important than removing a key is probably a way to add a new one when the current one is no longer trusted. Just breaking (automatic) updates for everyone is not a great solution. And there are probably more things to consider. Some are already mentioned above.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/1598#issuecomment-873881324