Bug 1941098 (CVE-2021-3521)
Summary: | CVE-2021-3521 rpm: RPM does not require subkeys to have a valid binding signature | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Todd Cullum <tcullum> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | caswilli, dkuc, ffesti, igor.raits, jberan, kaycoth, mdomonko, mjw, mseri, packaging-team-maint, pmatilai, pmoravco, psegedy, sbueno, security-response-team, vmugicag, vmukhame, yozone |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | | Doc Type: | If docs needed, set a value
Doc Text: |
There is a flaw in RPM's signature functionality. OpenPGP subkeys are associated with a primary key via a "binding signature."[1] RPM does not check the binding signature of subkeys prior to importing them. If an attacker is able to add or socially engineer another party to add a malicious subkey to a legitimate public key, RPM could wrongly trust a malicious signature. The greatest impact of this flaw is to data integrity.
1. https://tools.ietf.org/html/rfc4880#section-5.2.1
|
Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2022-03-02 22:19:35 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1944184, 1944185, 1944186, 1944193, 1943723, 1943724, 1944187, 1944188, 1944189, 1944190, 1944191, 1944192, 1944194, 1958478, 1958479, 1958480, 2022537 | ||
Bug Blocks: | 1937505 |
Description
Todd Cullum
2021-03-19 23:22:25 UTC
Acknowledgments:
Name: Demi M. Obenour

Statement:
To exploit this flaw, an attacker must either compromise an RPM repository or convince an administrator to install an untrusted RPM or public key. It is strongly recommended to only use RPMs and public keys from trusted sources.

Upstream fix commit: https://github.com/rpm-software-management/rpm/pull/1788

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.4 Extended Update Support
Via RHSA-2022:0254 https://access.redhat.com/errata/RHSA-2022:0254

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2022:0368 https://access.redhat.com/errata/RHSA-2022:0368

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.2 Extended Update Support
Via RHSA-2022:0634 https://access.redhat.com/errata/RHSA-2022:0634

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2021-3521
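The Doc Text above describes the missing check: a subkey is only legitimately part of an OpenPGP key if a type 0x18 subkey binding signature made by the primary key (RFC 4880 5.2.1, 5.2.4) follows it, and RPM imported subkeys without verifying that signature. The script below is an added example, not rpm's code and not part of this bug report. It builds a constructed key blob containing one legitimately bound subkey plus two attacker-appended subkeys (one carrying a binding signature that has the correct issuer key ID but was made with the attacker's own key, one with no binding signature at all) and then performs the check the fix introduces: cryptographically verifying each subkey's binding signature against the primary key. Assumptions: version 4 keys, RSA with SHA-256 only, old-format packet headers, and a toy RSA key generator; all key material and timestamps are constructed at run time.

```python
"""Check OpenPGP (RFC 4880) subkey binding signatures: v4 keys, RSA, SHA-256 only.
Added example for this bug page, not rpm's code; keys are generated at run time by a toy RSA."""
import hashlib, secrets, struct

CREATED = 1616194945  # constructed creation timestamp
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def _gen_prime(bits):  # random prime by a Fermat test on fixed bases: fine for a demo, never for real keys
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if all(pow(a, c - 1, c) == 1 for a in (2, 3, 5, 7, 11, 13)):
            return c

def rsa_keygen(bits=1024):  # toy RSA key pair (n, e, d): short modulus, no side-channel care, demo only
    while True:
        p, q, e = _gen_prime(bits // 2), _gen_prime(bits // 2), 65537
        if p != q and ((p - 1) * (q - 1)) % e:
            return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def _mpi(x):  # OpenPGP multiprecision integer: 2-octet bit length + big-endian magnitude
    return struct.pack(">H", x.bit_length()) + x.to_bytes((x.bit_length() + 7) // 8, "big")

def _read_mpi(buf, off):
    nbytes = (struct.unpack(">H", buf[off:off + 2])[0] + 7) // 8
    return int.from_bytes(buf[off + 2:off + 2 + nbytes], "big"), off + 2 + nbytes

def key_body(n, e, created=CREATED):  # version 4 RSA public-key packet body (RFC 4880 5.5.2)
    return b"\x04" + struct.pack(">I", created) + b"\x01" + _mpi(n) + _mpi(e)

def _framed(body):  # 0x99, 2-octet length, body: how key material enters a hash (5.2.4, 12.2)
    return b"\x99" + struct.pack(">H", len(body)) + body

def fingerprint(body):
    return hashlib.sha1(_framed(body)).digest()

def packet(tag, body):  # old-format header with a 2-octet length, as gpg emits for key packets
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body

def _emsa_pkcs1_v15(digest, k):  # EMSA-PKCS1-v1_5 encoding of a SHA-256 digest, k octets long
    return b"\x00\x01" + b"\xff" * (k - len(digest) - 22) + b"\x00" + SHA256_DIGESTINFO + digest

def _binding_hash(primary_body, subkey_body, sig_hashed):
    # A 0x18 signature covers the primary key, the subkey, the signature's hashed part and a trailer.
    trailer = b"\x04\xff" + struct.pack(">I", len(sig_hashed))
    return hashlib.sha256(_framed(primary_body) + _framed(subkey_body) + sig_hashed + trailer).digest()

def make_binding_sig(primary_body, subkey_body, signer, issuer_keyid):
    """Type 0x18 subkey binding signature body. signer=(n, e, d) may differ from issuer_keyid."""
    n, _, d = signer
    hashed = b"\x05\x02" + struct.pack(">I", CREATED)                           # creation-time subpacket
    sig_hashed = b"\x04\x18\x01\x08" + struct.pack(">H", len(hashed)) + hashed  # v4, 0x18, RSA, SHA-256
    unhashed = b"\x09\x10" + issuer_keyid                                       # issuer key ID subpacket
    h = _binding_hash(primary_body, subkey_body, sig_hashed)
    k = (n.bit_length() + 7) // 8
    s = pow(int.from_bytes(_emsa_pkcs1_v15(h, k), "big"), d, n)
    return sig_hashed + struct.pack(">H", len(unhashed)) + unhashed + h[:2] + _mpi(s)

def parse_packets(data):  # yields (tag, body); old-format headers only, no indeterminate lengths
    off = 0
    while off < len(data):
        c, size = data[off], (1, 2, 4, None)[data[off] & 3]
        if c & 0x40 or size is None:
            raise ValueError("unsupported packet header at offset %d" % off)
        length = int.from_bytes(data[off + 1:off + 1 + size], "big")
        yield (c >> 2) & 0x0F, data[off + 1 + size:off + 1 + size + length]
        off += 1 + size + length

def verify_binding(primary_body, subkey_body, sig_body):
    """True iff sig_body is a valid RSA/SHA-256 0x18 signature by the primary key over the subkey."""
    if sig_body[:4] != b"\x04\x18\x01\x08" or primary_body[0] != 4 or primary_body[5] != 1:
        return False
    hlen = struct.unpack(">H", sig_body[4:6])[0]
    ulen = struct.unpack(">H", sig_body[6 + hlen:8 + hlen])[0]
    s, _ = _read_mpi(sig_body, 10 + hlen + ulen)      # past unhashed subpackets and the 2 hash octets
    n, off = _read_mpi(primary_body, 6)
    e, _ = _read_mpi(primary_body, off)
    k, h = (n.bit_length() + 7) // 8, _binding_hash(primary_body, subkey_body, sig_body[:6 + hlen])
    return s < n and pow(s, e, n).to_bytes(k, "big") == _emsa_pkcs1_v15(h, k)

def check_subkey_bindings(keyring):
    """Map each subkey fingerprint (hex) to whether a valid binding by the primary key follows it."""
    primary, pending, result = None, None, {}
    for tag, body in parse_packets(keyring):
        if tag == 6:                                   # primary public key
            primary, pending = body, None
        elif tag == 14:                                # public subkey: unbound until proven otherwise
            pending, result[fingerprint(body).hex()] = body, False
        elif tag == 2 and primary and pending and verify_binding(primary, pending, body):
            result[fingerprint(pending).hex()] = True
    return result

def build_demo():
    """Constructed key blob: one legitimately bound subkey plus two attacker-appended ones."""
    prim, sub, evil = rsa_keygen(), rsa_keygen(), rsa_keygen()
    pb, sb, eb = (key_body(k[0], k[1]) for k in (prim, sub, evil))
    ob = key_body(evil[0], evil[1], CREATED + 1)       # same attacker key, distinct fingerprint
    issuer = fingerprint(pb)[-8:]
    blob = (packet(6, pb) + packet(14, sb) + packet(2, make_binding_sig(pb, sb, prim, issuer))
            + packet(14, eb) + packet(2, make_binding_sig(pb, eb, evil, issuer))  # forged: attacker-signed, legit issuer ID
            + packet(14, ob))                                                     # orphan: no binding signature at all
    return blob, [fingerprint(b).hex() for b in (sb, eb, ob)]
```

`check_subkey_bindings` returns True only for the legitimately bound subkey; the forged subkey shows why matching the issuer key ID in the signature's unhashed subpackets is not enough, since the attacker controls that field, and the orphan subkey shows the case of a subkey that carries no binding signature at all. A pre-fix RPM, which imported subkeys without this verification, would have treated all three as belonging to the key. The parser only handles old-format headers and RSA/SHA-256 signatures, so treat it as an illustration of the check rather than a general key validator.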