Bug 1934125 (CVE-2021-20271)

Summary: CVE-2021-20271 rpm: Signature checks bypass via corrupted rpm package
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: dchong, ffesti, igor.raits, jberan, kaycoth, mdomonko, mjw, packaging-team-maint, pasteur, pmatilai, pmoravco, security-response-team, sgrubb, tcullum, timo.henriksson, vmugicag, vmukhame
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in RPM's signature check functionality when reading a package file. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package, whose signature header was modified, to cause RPM database corruption and execute code. The highest threat from this vulnerability is to data integrity, confidentiality, and system availability.
Story Points: ---
Last Closed: 2021-06-29 22:40:23 UTC
Type: ---
Regression: ---
Bug Depends On: 1935920, 1935921, 1938027, 1958475, 1958476, 1958477, 2004226, 2004227, 2004228
Bug Blocks: 1912449, 1935968, 1938098, 1938100

Description Pedro Sampaio 2021-03-02 14:55:30 UTC
A flaw was found in rpm. Given an RPM package signed by a trusted key, it is possible to modify it such that it still passes signature checks, but installing it corrupts the rpmdb.

Comment 5 Todd Cullum 2021-03-05 19:26:17 UTC
Flaw summary:

rpmReadPackageFile() is used to read RPM file headers. Internally, it calls headerMergeLegacySigs() which copies signature tags from the signature header to the main RPM metadata header (in particular, legacy signatures). The logic in headerMergeLegacySigs() allows for copying of unknown tags from the signature header into the RPM header. It also does not check that the tag type and size meet expectations. Thus, it's possible to supply an RPM file with a tag type error in the signature header that gets copied into the RPM metadata header and subsequently placed into the RPM database as a corrupt header tag if the package is installed.

This causes the header to be inaccessible within the rpm database and could lead to data integrity issues such as corrupt header and bad tag errors when rpm reads the database, installed packages not actually being retrievable (shown as not installed), seemingly missing dependencies that are actually installed, etc.

This flaw does not cause data loss or permanent damage to the database, which can be repaired using the `rpmdb --rebuilddb` command, followed by installing the non-corrupted package.

Additionally, it requires running rpm against a malicious or malformed package which should never be in the official supported package repositories - so a Man-in-the-middle attack or attempting to install an unsupported or modified package would be required to trigger this.
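A defender-side illustration of the missing check described in this comment, added here as an example and not code from rpm or from the people on this bug: a small C allowlist merge that accepts a signature tag only when its tag number, data type and element count match what is expected, and fails closed otherwise. The tag numbers and type codes are modeled on rpm's rpmtag.h as the editor recalls them and are assumptions, not values taken from this page.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

/* Tag data types, numbered as in rpm's rpmtag.h (assumed, standalone copy). */
enum { T_INT32 = 4, T_STRING = 6, T_BIN = 7 };

/* One decoded header index entry: tag number, data type, element count. */
typedef struct { uint32_t tag; uint32_t type; uint32_t count; } tagent;

/* Allowlist of signature tags that may be merged into the main header,
 * with the type and count each must have (count 0 = any count).
 * Tag numbers follow rpm's RPMTAG_SIG* values as assumed by the editor. */
static const struct { uint32_t tag, type, count; } allowed[] = {
    { 257, T_INT32,  1 },   /* SIGSIZE: payload size, exactly one int32 */
    { 261, T_BIN,   16 },   /* SIGMD5: 16-byte digest */
    { 262, T_BIN,    0 },   /* SIGGPG: OpenPGP signature blob, any length */
    { 269, T_STRING, 1 },   /* SHA1HEADER: one hex string */
};

/* Decide whether a single signature tag may be copied. Unknown tags and
 * tags with an unexpected type or count are rejected, which is exactly
 * the validation the vulnerable merge did not perform. */
bool sig_tag_mergeable(const tagent *e) {
    for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++) {
        if (allowed[i].tag != e->tag) continue;
        if (allowed[i].type != e->type) return false;
        if (allowed[i].count && allowed[i].count != e->count) return false;
        return true;
    }
    return false;   /* not on the allowlist: never copy it */
}

/* Copy validated entries from sig[] into out[]. Returns the number copied,
 * or -1 if any entry was rejected, so the caller treats the whole package
 * as corrupt instead of writing a bad tag into the database. */
int merge_sig_tags(const tagent *sig, size_t n, tagent *out, size_t cap) {
    size_t k = 0;
    for (size_t i = 0; i < n; i++) {
        if (!sig_tag_mergeable(&sig[i])) return -1;
        if (k >= cap) return -1;   /* destination full: also fail closed */
        out[k++] = sig[i];
    }
    return (int)k;
}
```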

Comment 7 Todd Cullum 2021-03-05 19:58:35 UTC
Acknowledgments:

Name: Demi M. Obenour

Comment 14 Todd Cullum 2021-03-11 23:10:00 UTC
Created rpm tracking bugs for this issue:

Affects: fedora-all [bug 1938027]

Comment 15 Todd Cullum 2021-03-17 15:46:25 UTC
Statement:

To exploit this flaw, an attacker must either compromise an RPM repository or convince an administrator to install an untrusted RPM. It is strongly recommended to only use RPMs from trusted repositories.

Comment 17 Fedora Update System 2021-03-30 00:15:45 UTC
FEDORA-2021-2383d950fd has been pushed to the Fedora 34 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 18 Fedora Update System 2021-03-30 01:10:19 UTC
FEDORA-2021-8d52a8a999 has been pushed to the Fedora 33 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 19 Fedora Update System 2021-04-07 15:25:44 UTC
FEDORA-2021-662680e477 has been pushed to the Fedora 32 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 24 errata-xmlrpc 2021-06-29 16:30:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:2574 https://access.redhat.com/errata/RHSA-2021:2574

Comment 25 Product Security DevOps Team 2021-06-29 22:40:23 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-20271

Comment 26 errata-xmlrpc 2021-07-20 22:10:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:2791 https://access.redhat.com/errata/RHSA-2021:2791

Comment 29 errata-xmlrpc 2021-11-23 12:46:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Advanced Update Support
  Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.6 Telco Extended Update Support

Via RHSA-2021:4771 https://access.redhat.com/errata/RHSA-2021:4771

Comment 30 errata-xmlrpc 2021-11-23 17:15:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:4785 https://access.redhat.com/errata/RHSA-2021:4785

Comment 31 errata-xmlrpc 2021-12-07 12:15:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Advanced Update Support
  Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.7 Telco Extended Update Support

Via RHSA-2021:4975 https://access.redhat.com/errata/RHSA-2021:4975