Bug 1052994

Summary: CVE-2014-0022 yum: yum-cron installs unsigned packages [rhel-7.0]
Product: Red Hat Enterprise Linux 7 Reporter: Zdeněk Pavlas <zpavlas>
Component: yumAssignee: Valentina Mukhamedzhanova <vmukhame>
Status: CLOSED CURRENTRELEASE QA Contact: Karel Srot <ksrot>
Severity: high Docs Contact:
Priority: high    
Version: 7.0CC: admiller, extras-orphan, ffesti, firas.alkafri, james.antill, jzeleny, packaging-team-maint, rhel, riehecky, rvokal, vmukhame
Target Milestone: rcKeywords: Security, SecurityTracking
Target Release: ---   
Hardware: noarch   
OS: Linux   
Whiteboard:
Fixed In Version: yum-3.4.3-110.el7 Doc Type: Release Note
Doc Text:
Story Points: ---
Clone Of: 1052440 Environment:
Last Closed: 2014-07-31 07:08:35 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 1057377    

Description Zdeněk Pavlas 2014-01-14 14:46:30 UTC
+++ This bug was initially created as a clone of Bug #1052440 +++

Description of problem:
yum-cron install unsigned packages. This is not acceptable!

Version-Release number of selected component (if applicable):
yum-cron-3.4.3-128.fc19.noarch

Steps to Reproduce:
$ rpmbuild -ba testrpm.spec 
...
Wrote: /home/someuser/work/rpm/SRPMS/testrpm-1.0-1.f19g.src.rpm
Wrote: /home/someuser/work/rpm/RPMS/noarch/testrpm-1.0-1.f19g.noarch.rpm
...
+ exit 0

$ rpmsign --addsign /home/someuser/work/rpm/RPMS/noarch/testrpm-1.0-1.f19g.noarch.rpm
Enter pass phrase: 
Pass phrase is good.
/home/someuser/work/rpm/RPMS/noarch/testrpm-1.0-1.f19g.noarch.rpm:

$ yum -y install /home/someuser/work/rpm/RPMS/noarch/testrpm-1.0-1.f19g.noarch.rpm
...
$ rpm -q testrpm
testrpm-1.0-1.f19g.noarch

$ rpmbuild -ba testrpm.spec 
...
Wrote: /home/someuser/work/rpm/SRPMS/testrpm-1.1-1.f19g.src.rpm
Wrote: /home/someuser/work/rpm/RPMS/noarch/testrpm-1.1-1.f19g.noarch.rpm
...
+ exit 0

$ mkdir ~/testrepo
$ cd ~testrepo
$ cp /home/someuser/work/rpm/RPMS/noarch/testrpm-1.1-1.f19g.noarch.rpm .
$ createrepo .
...

$ grep gpgcheck=0 /etc/yum.conf /etc/yum.repos.d/*
$ cat 
[test]
name=test
baseurl=file:///home/someuser/testrepo
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-test
gpgcheck=1
enabled=1

Wait for yum-cron to run via crontab. The email received from cron daemon look like this:

From: Cron Daemon <root@xxxx>
To: root@xxxx
Subject: Cron <root@xxxx> run-parts /etc/cron.hourly

/etc/cron.hourly/0yum-hourly.cron:

Loaded plugins: fastestmirror, post-transaction-actions, priorities,
              : protectbase, remove-with-leaves, rpm-warm-cache, versionlock
Loading mirror speeds from cached hostfile
...
0 packages excluded due to repository protections
Package testrpm-1.1-1.f19g.noarch.rpm is not signed

$ rpm -q testrpm
testrpm-1.1-1.f19g.noarch

$ rpm -ev testrpm
Preparing packages...
testrpm-1.1-1.f19g.noarch

[root@imhotep ~]# yum -y install testrpm
...
--> Running transaction check
---> Package testrpm.noarch 0:1.1-1.f19g will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package            Arch              Version               Repository     Size
================================================================================
Installing:
 testrpm            noarch            1.1-1.f19g            test          1.9 k

Transaction Summary
================================================================================
Install  1 Package

Total size: 1.9 k
Installed size: 0  
Downloading packages:


Package testrpm-1.1-1.f19g.noarch.rpm is not signed


Actual results:
yum-cron install unsigned packages.

Expected results:
yum-cron should not install unsigned packages.

Additional info:

--- Additional comment from Zdeněk Pavlas on 2014-01-14 09:44:52 EST ---

Confirmed, thanks for the report. Looks like an easy fix.

http://yum.baseurl.org/gitweb?p=yum.git;a=commitdiff;h=9df69e579496ccb6df5c3f5b5b7bab8d648b06b4