Bug 1057377 (CVE-2014-0022)

Summary: CVE-2014-0022 yum: yum-cron installs unsigned packages
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: admiller, aneelica, ffesti, james.antill, jkurik, jrusnack, jzeleny, packaging-team-maint, pfrields, vkrizan
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=important,public=20140113,reported=20140114,source=researcher,cvss2=7.6/AV:N/AC:H/Au:N/C:C/I:C/A:C,rhel-5/yum-updatesd=affected,rhel-6/yum=notaffected,rhel-7/yum=notaffected,fedora-all/yum=affected,cwe=CWE-252->CWE-347
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was discovered that yum-updatesd did not properly perform RPM package signature checks. When yum-updatesd was configured to automatically install updates, a remote attacker could use this flaw to install a malicious update on the target system using an unsigned RPM or an RPM signed with an untrusted key.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-08-04 23:51:01 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Bug Depends On: 1052440, 1052994, 1053202, 1125185
Bug Blocks: 1057378

Description Vincent Danen 2014-01-23 18:16:21 EST
Gabriel VLASIU reported [1] that yum-cron would install unsigned RPM packages that yum itself would refuse to install.  The yum-cron code is based on that in yum-updatesd.py.  This is due to the installUpdates() function (processPkgs() in yum-updatesd.py) failing to fully check the return code of the called sigCheckPkg() function.  sigCheckPkg() is described thus:

    def sigCheckPkg(self, po):
        """Verify the GPG signature of the given package object.

        :param po: the package object to verify the signature of
        :return: (result, error_string)
           where result is::

              0 = GPG signature verifies ok or verification is not required.
              1 = GPG verification failed but installation of the right GPG key
                    might help.
              2 = Fatal GPG verification error, give up.
        """

However, the processPkgs() and installUpdates() calling functions do not account for return code 2:

    def processPkgs(self, dlpkgs):
...
        for po in dlpkgs:
            result, err = self.updd.sigCheckPkg(po)
            if result == 0:
                continue
            elif result == 1:
                try:
                    self.updd.getKeyForPackage(po)
                except yum.Errors.YumBaseError, errmsg:
                    self.failed([str(errmsg)])
            # result == 2 (fatal) matches no branch: the loop moves on
            # and the package is installed regardless

and:

    def installUpdates(self, emit):
...
        for po in dlpkgs:
            result, err = self.sigCheckPkg(po)
            if result == 0:
                continue
            elif result == 1:
                try:
                    self.getKeyForPackage(po)
                except yum.Errors.YumBaseError, errmsg:
                    self.emitUpdateFailed(errmsg)
                    return False
            # result == 2 (fatal) matches no branch: the loop moves on
            # and the package is installed regardless

yum-cron.py replaced yum-cron.sh in Fedora 19 (3.4.3-47); earlier versions of Fedora use yum-updatesd.

This has been corrected upstream [2] and in Fedora via yum-3.4.3-132.fc19 and yum-3.4.3-130.fc20.

This does not affect Red Hat Enterprise Linux 6 as it used neither yum-updatesd nor yum-cron; it used a shell script that called yum itself to do updates.


[1] https://bugzilla.redhat.com/show_bug.cgi?id=1052440
[2] http://yum.baseurl.org/gitweb?p=yum.git;a=commitdiff;h=9df69e579496ccb6df5c3f5b5b7bab8d648b06b4
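The following is an added example, not yum's own code and not the upstream commit linked in [2]: a reduced, runnable model of the installUpdates() signature loop described above, with the vulnerable form beside a corrected one. Only the 0/1/2 return contract of sigCheckPkg() comes from the bug report; the Package type, the stand-in sig_check_pkg()/get_key_for_package() helpers, the KeyImportError class and the sample package list are constructed for the illustration.

```python
"""Model of the CVE-2014-0022 signature-check loop (added example; not yum code).

sigCheckPkg() in yum returns (result, error_string) where result is
0 = verified or not required, 1 = failed but importing a key might help,
2 = fatal error. yum-cron only branched on 0 and 1, so a result of 2
fell through and the package was installed anyway.
"""

from dataclasses import dataclass

# Return codes of sigCheckPkg(), as quoted in the bug description.
SIG_OK = 0          # signature verifies, or verification is not required
SIG_NEED_KEY = 1    # verification failed, but the right GPG key might help
SIG_FATAL = 2       # fatal verification error (unsigned / untrusted key)


@dataclass
class Package:
    """Constructed stand-in for a yum package object."""
    name: str
    sig_result: int               # what sigCheckPkg() would return for it
    key_importable: bool = False  # whether getKeyForPackage() would succeed


class KeyImportError(Exception):
    """Stands in for yum.Errors.YumBaseError raised by getKeyForPackage()."""


def sig_check_pkg(po):
    """Stand-in for YumBase.sigCheckPkg(): returns (result, error_string)."""
    messages = {
        SIG_OK: "",
        SIG_NEED_KEY: "Public key for %s is not installed" % po.name,
        SIG_FATAL: "Package %s is not signed" % po.name,
    }
    return po.sig_result, messages[po.sig_result]


def get_key_for_package(po):
    """Stand-in for YumBase.getKeyForPackage(): raises when no key is found."""
    if not po.key_importable:
        raise KeyImportError("no key available for %s" % po.name)


def install_updates_vulnerable(dlpkgs):
    """Mirrors the yum-cron loop from the report: only results 0 and 1 are
    handled, so a package with result 2 falls through and is installed.
    Returns (names_installed, errors)."""
    for po in dlpkgs:
        result, err = sig_check_pkg(po)
        if result == 0:
            continue
        elif result == 1:
            try:
                get_key_for_package(po)
            except KeyImportError as errmsg:
                return [], [str(errmsg)]   # emitUpdateFailed(); return False
        # result == 2: no branch, the loop simply moves to the next package
    return [po.name for po in dlpkgs], []


def install_updates_fixed(dlpkgs):
    """Hardened loop: anything other than a verified signature (or a
    successfully imported key) aborts before any package is installed."""
    for po in dlpkgs:
        result, err = sig_check_pkg(po)
        if result == 0:
            continue
        if result == 1:
            try:
                get_key_for_package(po)
                continue
            except KeyImportError as errmsg:
                return [], [str(errmsg)]
        # result == 2, or any value outside the documented contract: give up
        return [], [err or "fatal GPG verification error for %s" % po.name]
    return [po.name for po in dlpkgs], []


# Constructed sample transaction: one good package, one needing a key that
# can be imported, and one unsigned package an attacker slipped into the repo.
SAMPLE_UPDATES = [
    Package("bash-4.2-1", SIG_OK),
    Package("vim-7.4-1", SIG_NEED_KEY, key_importable=True),
    Package("evil-1.0-1", SIG_FATAL),
]

if __name__ == "__main__":
    print("vulnerable:", install_updates_vulnerable(SAMPLE_UPDATES))
    print("fixed:     ", install_updates_fixed(SAMPLE_UPDATES))
```

Running the block shows the vulnerable loop installing all three packages, unsigned one included, while the corrected loop installs nothing and reports the fatal verification error. The corrected version also treats any undocumented return value as fatal, which is the safe default for a check whose contract is "0 means OK".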
Comment 2 Tomas Hoger 2014-07-31 05:15:01 EDT
The comment 0 above explains that Red Hat Enterprise Linux 6 was not affected, as it did not include a vulnerable version of yum-updatesd or yum-cron.  This issue was resolved in yum-cron shipped as part of Red Hat Enterprise Linux 7 before its initial release.

Statement:

This issue did not affect the versions of yum as shipped with Red Hat Enterprise Linux 6 and 7.
Comment 3 Tomas Hoger 2014-07-31 05:20:11 EDT
It should also be noted that in their default configuration, yum-updatesd and yum-cron are not configured to automatically install available updates.  They are configured to provide notification of update availability.  yum-cron is also configured to download updated packages, but not install them.
Comment 8 errata-xmlrpc 2014-08-04 23:34:46 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2014:1004 https://rhn.redhat.com/errata/RHSA-2014-1004.html
Comment 9 Martin Prpic 2014-08-05 03:30:58 EDT
IssueDescription:

It was discovered that yum-updatesd did not properly perform RPM package signature checks. When yum-updatesd was configured to automatically install updates, a remote attacker could use this flaw to install a malicious update on the target system using an unsigned RPM or an RPM signed with an untrusted key.