It was discovered that yum-updatesd did not properly perform RPM package signature checks. When yum-updatesd was configured to automatically install updates, a remote attacker could use this flaw to install a malicious update on the target system using an unsigned RPM or an RPM signed with an untrusted key.
Gabriel VLASIU reported [1] that yum-cron would install unsigned RPM packages that yum itself would refuse to install. The yum-cron code is based on that in yum-updatesd.py. This is due to the installUpdates() function (processPkgs() in yum-updatesd.py) failing to fully check the return code of the called sigCheckPkg() function. sigCheckPkg() is described thus:
def sigCheckPkg(self, po):
"""Verify the GPG signature of the given package object.
:param po: the package object to verify the signature of
:return: (result, error_string)
where result is::
0 = GPG signature verifies ok or verification is not required.
1 = GPG verification failed but installation of the right GPG key
might help.
2 = Fatal GPG verification error, give up.
"""
However, the processPkgs() and installUpdates() calling function do not account for return code 2:
def processPkgs(self, dlpkgs):
...
for po in dlpkgs:
result, err = self.updd.sigCheckPkg(po)
if result == 0:
continue
elif result == 1:
try:
self.updd.getKeyForPackage(po)
except yum.Errors.YumBaseError, errmsg:
self.failed([str(errmsg)])
and:
def installUpdates(self, emit):
...
for po in dlpkgs:
result, err = self.sigCheckPkg(po)
if result == 0:
continue
elif result == 1:
try:
self.getKeyForPackage(po)
except yum.Errors.YumBaseError, errmsg:
self.emitUpdateFailed(errmsg)
return False
yum-cron.py replaced yum-cron.sh in Fedora 19 (3.4.3-47); earlier versions of Fedora use yum-updatesd.
This has been corrected upstream [2] and in Fedora via yum-3.4.3-132.fc19 and yum-3.4.3-130.fc20.
This does not affect Red Hat Enterprise Linux 6 as it used neither yum-updatesd nor yum-cron; it used a shellscript that called yum itself to do updates.
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1052440
[2] http://yum.baseurl.org/gitweb?p=yum.git;a=commitdiff;h=9df69e579496ccb6df5c3f5b5b7bab8d648b06b4
The comment 0 above explains that Red Hat Enterprise Linux 6 was not affected, as it did not include vulnerable version of yum-updatesd or yum-cron. This issue was resolved in yum-cron shipped as part of Red Hat Enterprise Linux 7 before its initial release.
Statement:
This issue did not affect the versions of yum as shipped with Red Hat Enterprise Linux 6 and 7.
It should also be noted that in their default configuration, yum-updatesd and yum-cron are not configured to automatically install available updates. They are configured to provide notification of updates availability. yum-cron is also configured to download updated packages, but not install them.
IssueDescription:
It was discovered that yum-updatesd did not properly perform RPM package signature checks. When yum-updatesd was configured to automatically install updates, a remote attacker could use this flaw to install a malicious update on the target system using an unsigned RPM or an RPM signed with an untrusted key.
Gabriel VLASIU reported [1] that yum-cron would install unsigned RPM packages that yum itself would refuse to install. The yum-cron code is based on that in yum-updatesd.py. This is due to the installUpdates() function (processPkgs() in yum-updatesd.py) failing to fully check the return code of the called sigCheckPkg() function. sigCheckPkg() is described thus: def sigCheckPkg(self, po): """Verify the GPG signature of the given package object. :param po: the package object to verify the signature of :return: (result, error_string) where result is:: 0 = GPG signature verifies ok or verification is not required. 1 = GPG verification failed but installation of the right GPG key might help. 2 = Fatal GPG verification error, give up. """ However, the processPkgs() and installUpdates() calling function do not account for return code 2: def processPkgs(self, dlpkgs): ... for po in dlpkgs: result, err = self.updd.sigCheckPkg(po) if result == 0: continue elif result == 1: try: self.updd.getKeyForPackage(po) except yum.Errors.YumBaseError, errmsg: self.failed([str(errmsg)]) and: def installUpdates(self, emit): ... for po in dlpkgs: result, err = self.sigCheckPkg(po) if result == 0: continue elif result == 1: try: self.getKeyForPackage(po) except yum.Errors.YumBaseError, errmsg: self.emitUpdateFailed(errmsg) return False yum-cron.py replaced yum-cron.sh in Fedora 19 (3.4.3-47); earlier versions of Fedora use yum-updatesd. This has been corrected upstream [2] and in Fedora via yum-3.4.3-132.fc19 and yum-3.4.3-130.fc20. This does not affect Red Hat Enterprise Linux 6 as it used neither yum-updatesd nor yum-cron; it used a shellscript that called yum itself to do updates. [1] https://bugzilla.redhat.com/show_bug.cgi?id=1052440 [2] http://yum.baseurl.org/gitweb?p=yum.git;a=commitdiff;h=9df69e579496ccb6df5c3f5b5b7bab8d648b06b4