Bug 1052994

Summary: CVE-2014-0022 yum: yum-cron installs unsigned packages [rhel-7.0]
Product: Red Hat Enterprise Linux 7
Reporter: Zdeněk Pavlas <zpavlas>
Component: yum
Assignee: Valentina Mukhamedzhanova <vmukhame>
Status: CLOSED CURRENTRELEASE
QA Contact: Karel Srot <ksrot>
Severity: high
Priority: high
Docs Contact:
Version: 7.0
CC: admiller, extras-orphan, ffesti, firas.alkafri, james.antill, jzeleny, packaging-team-maint, rhel, riehecky, rvokal, vmukhame
Target Milestone: rc
Keywords: Security, SecurityTracking
Target Release: ---
Hardware: noarch
OS: Linux
Fixed In Version: yum-3.4.3-110.el7
Doc Type: Release Note
Doc Text:
Story Points: ---
Clone Of: 1052440
Environment:
Last Closed: 2014-07-31 07:08:35 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On:
Bug Blocks: 1057377

Description Zdeněk Pavlas 2014-01-14 14:46:30 UTC
+++ This bug was initially created as a clone of Bug #1052440 +++

Description of problem:
yum-cron installs unsigned packages. This is not acceptable!

Version-Release number of selected component (if applicable):

Steps to Reproduce:
$ rpmbuild -ba testrpm.spec 
Wrote: /home/someuser/work/rpm/SRPMS/testrpm-1.0-1.f19g.src.rpm
Wrote: /home/someuser/work/rpm/RPMS/noarch/testrpm-1.0-1.f19g.noarch.rpm
+ exit 0

$ rpmsign --addsign /home/someuser/work/rpm/RPMS/noarch/testrpm-1.0-1.f19g.noarch.rpm
Enter pass phrase: 
Pass phrase is good.

$ yum -y install /home/someuser/work/rpm/RPMS/noarch/testrpm-1.0-1.f19g.noarch.rpm
$ rpm -q testrpm

$ rpmbuild -ba testrpm.spec 
Wrote: /home/someuser/work/rpm/SRPMS/testrpm-1.1-1.f19g.src.rpm
Wrote: /home/someuser/work/rpm/RPMS/noarch/testrpm-1.1-1.f19g.noarch.rpm
+ exit 0

$ mkdir ~/testrepo
$ cd ~/testrepo
$ cp /home/someuser/work/rpm/RPMS/noarch/testrpm-1.1-1.f19g.noarch.rpm .
$ createrepo .

$ grep gpgcheck=0 /etc/yum.conf /etc/yum.repos.d/*
$ cat 

Wait for yum-cron to run via crontab. The email received from the cron daemon looks like this:

From: Cron Daemon <root@xxxx>
To: root@xxxx
Subject: Cron <root@xxxx> run-parts /etc/cron.hourly


Loaded plugins: fastestmirror, post-transaction-actions, priorities,
              : protectbase, remove-with-leaves, rpm-warm-cache, versionlock
Loading mirror speeds from cached hostfile
0 packages excluded due to repository protections
Package testrpm-1.1-1.f19g.noarch.rpm is not signed

$ rpm -q testrpm

$ rpm -ev testrpm
Preparing packages...

[root@imhotep ~]# yum -y install testrpm
--> Running transaction check
---> Package testrpm.noarch 0:1.1-1.f19g will be installed
--> Finished Dependency Resolution

Dependencies Resolved

 Package            Arch              Version               Repository     Size
 testrpm            noarch            1.1-1.f19g            test          1.9 k

Transaction Summary
Install  1 Package

Total size: 1.9 k
Installed size: 0  
Downloading packages:

Package testrpm-1.1-1.f19g.noarch.rpm is not signed

Actual results:
yum-cron installs unsigned packages.

Expected results:
yum-cron should not install unsigned packages.

Additional info:
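The check that yum-cron skipped in this report, written out as an added example (this is not code from the bug report, from yum or from yum-cron): a POSIX shell gate that refuses package files carrying no OpenPGP signature and, optionally, files signed by any key other than one allow-listed key ID. The rpm query-format tags it reads (SIGPGP, SIGGPG, RSAHEADER, DSAHEADER, formatted with :pgpsig) are real rpm tags and rpm prints "(none)" for an absent one; the script name refuse-unsigned.sh, the ALLOWED_KEY variable, the key ID 0123456789abcdef and the two SAMPLE_* lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the bug report or from yum/yum-cron: refuse RPM
# files that carry no OpenPGP signature (the check yum-cron missed here).
# rpm stores a signature in one or more of four tags; rpm prints "(none)"
# for a tag that is absent. Key IDs and sample lines below are constructed.

# Print one "a|b|c|d" line holding the four signature tags of a package
# file. --nosignature only skips verification during the query; install
# still verifies.
rpm_sig_fields() {
    rpm -qp --nosignature \
        --qf '%{SIGPGP:pgpsig}|%{SIGGPG:pgpsig}|%{RSAHEADER:pgpsig}|%{DSAHEADER:pgpsig}\n' \
        "$1"
}

# Return 0 if at least one "|"-separated field is a signature, 1 if every
# field is "(none)". Takes the line as an argument so it can be exercised
# without rpm installed.
is_signed_fields() {
    rest=$1
    while [ -n "$rest" ]; do
        case $rest in
            *\|*) field=${rest%%|*}; rest=${rest#*|} ;;
            *)    field=$rest; rest= ;;
        esac
        if [ -n "$field" ] && [ "$field" != "(none)" ]; then
            return 0
        fi
    done
    return 1
}

# Print the key ID of every signature present, one per line. rpm renders a
# signature as "ALGO/HASH, <date>, Key ID <16 hex digits>".
sig_key_ids() {
    rest=$1
    while [ -n "$rest" ]; do
        case $rest in
            *\|*) field=${rest%%|*}; rest=${rest#*|} ;;
            *)    field=$rest; rest= ;;
        esac
        case $field in
            *"Key ID "*) printf '%s\n' "${field##*Key ID }" ;;
        esac
    done
}

# Return 0 if every signature on the package was made by the allow-listed
# key ID (compared case-insensitively), 1 if any was not or none was found.
# This checks provenance by key ID only; cryptographic verification against
# the imported keys remains rpm's job (rpm -K, or yum with gpgcheck=1).
key_ids_allowed() {
    fields=$1
    allowed=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    found=0
    for id in $(sig_key_ids "$fields"); do
        found=1
        [ "$(printf '%s' "$id" | tr 'A-F' 'a-f')" = "$allowed" ] || return 1
    done
    [ "$found" -eq 1 ]
}

# Gate: non-zero exit if any argument is unsigned or, when ALLOWED_KEY is
# set in the environment, signed by some other key.
#   ALLOWED_KEY=0123456789abcdef ./refuse-unsigned.sh /path/to/*.rpm
refuse_unsigned() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not found" >&2
        return 2
    fi
    bad=0
    for pkg in "$@"; do
        fields=$(rpm_sig_fields "$pkg") || { bad=1; continue; }
        if ! is_signed_fields "$fields"; then
            echo "REFUSE $pkg: not signed" >&2; bad=1
        elif [ -n "${ALLOWED_KEY:-}" ] && ! key_ids_allowed "$fields" "$ALLOWED_KEY"; then
            echo "REFUSE $pkg: signed by a key other than $ALLOWED_KEY" >&2; bad=1
        else
            echo "OK $pkg"
        fi
    done
    return $bad
}

# Constructed sample lines in the shape rpm_sig_fields prints: an unsigned
# package (as testrpm-1.1 in the report) and one signed with a made-up key.
SAMPLE_UNSIGNED='(none)|(none)|(none)|(none)'
SAMPLE_SIGNED='RSA/SHA1, Tue 14 Jan 2014 09:44:52 AM EST, Key ID 0123456789abcdef|(none)|RSA/SHA1, Tue 14 Jan 2014 09:44:52 AM EST, Key ID 0123456789abcdef|(none)'

if [ "$#" -gt 0 ]; then
    refuse_unsigned "$@"
fi
```

Run against the report's local repo, the gate would print "REFUSE .../testrpm-1.1-1.f19g.noarch.rpm: not signed" and exit 1, which is the outcome the reporter expected from yum-cron. It is a pre-check for pipelines that feed local files or a private repo to yum-cron; it does not replace gpgcheck=1 and imported keys, which are what actually verify the signature at install time.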

--- Additional comment from Zdeněk Pavlas on 2014-01-14 09:44:52 EST ---

Confirmed, thanks for the report. Looks like an easy fix.