Bug 1052994 - CVE-2014-0022 yum: yum-cron installs unsigned packages [rhel-7.0]
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: yum
Hardware: noarch
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Assigned To: Valentina Mukhamedzhanova
QA Contact: Karel Srot
Keywords: Security, SecurityTracking
Blocks: CVE-2014-0022
Reported: 2014-01-14 09:46 EST by Zdeněk Pavlas
Modified: 2014-07-31 03:08 EDT (History)
CC: 11 users

Fixed In Version: yum-3.4.3-110.el7
Doc Type: Release Note
Clone Of: 1052440
Last Closed: 2014-07-31 03:08:35 EDT
Type: Bug
Description Zdeněk Pavlas 2014-01-14 09:46:30 EST
+++ This bug was initially created as a clone of Bug #1052440 +++

Description of problem:
yum-cron installs unsigned packages. This is not acceptable!

Version-Release number of selected component (if applicable):

Steps to Reproduce:
$ rpmbuild -ba testrpm.spec 
Wrote: /home/someuser/work/rpm/SRPMS/testrpm-1.0-1.f19g.src.rpm
Wrote: /home/someuser/work/rpm/RPMS/noarch/testrpm-1.0-1.f19g.noarch.rpm
+ exit 0

$ rpmsign --addsign /home/someuser/work/rpm/RPMS/noarch/testrpm-1.0-1.f19g.noarch.rpm
Enter pass phrase: 
Pass phrase is good.

$ yum -y install /home/someuser/work/rpm/RPMS/noarch/testrpm-1.0-1.f19g.noarch.rpm
$ rpm -q testrpm

$ rpmbuild -ba testrpm.spec 
Wrote: /home/someuser/work/rpm/SRPMS/testrpm-1.1-1.f19g.src.rpm
Wrote: /home/someuser/work/rpm/RPMS/noarch/testrpm-1.1-1.f19g.noarch.rpm
+ exit 0

$ mkdir ~/testrepo
$ cd ~/testrepo
$ cp /home/someuser/work/rpm/RPMS/noarch/testrpm-1.1-1.f19g.noarch.rpm .
$ createrepo .

$ grep gpgcheck=0 /etc/yum.conf /etc/yum.repos.d/*
$ cat 

Wait for yum-cron to run via crontab. The email received from the cron daemon looks like this:

From: Cron Daemon <root@xxxx>
To: root@xxxx
Subject: Cron <root@xxxx> run-parts /etc/cron.hourly


Loaded plugins: fastestmirror, post-transaction-actions, priorities,
              : protectbase, remove-with-leaves, rpm-warm-cache, versionlock
Loading mirror speeds from cached hostfile
0 packages excluded due to repository protections
Package testrpm-1.1-1.f19g.noarch.rpm is not signed

$ rpm -q testrpm

$ rpm -ev testrpm
Preparing packages...

[root@imhotep ~]# yum -y install testrpm
--> Running transaction check
---> Package testrpm.noarch 0:1.1-1.f19g will be installed
--> Finished Dependency Resolution

Dependencies Resolved

 Package            Arch              Version               Repository     Size
 testrpm            noarch            1.1-1.f19g            test          1.9 k

Transaction Summary
Install  1 Package

Total size: 1.9 k
Installed size: 0  
Downloading packages:

Package testrpm-1.1-1.f19g.noarch.rpm is not signed

Actual results:
yum-cron installs unsigned packages.

Expected results:
yum-cron should not install unsigned packages.

Additional info:

--- Additional comment from Zdeněk Pavlas on 2014-01-14 09:44:52 EST ---

Confirmed, thanks for the report. Looks like an easy fix.
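
The reproduction above shows yum-cron installing a package that interactive yum reports as "not signed", even though the reporter's grep found no gpgcheck=0 anywhere in the yum configuration. The script below is an added defender-side audit for the two things an administrator would want to check on an affected host; it is not part of this bug report, of yum, or of the fix in yum-3.4.3-110.el7. It parses yum's INI-style configuration to list enabled repositories whose effective gpgcheck is off (a repo section inherits [main] gpgcheck when it sets none, and yum's built-in default when nothing sets it is 0), and it parses the output of an rpm query that prints "(none)" for packages carrying no GPG signature, which is how the aftermath of this bug shows up in the RPM database. The configuration files, the rpm output lines and the key ID in them are constructed samples, and the `demo` and `audit_host` function names are my own.

```python
"""Audit a yum host for repositories that skip signature checks and for
installed packages that carry no GPG signature at all."""
import configparser
import shutil
import subprocess
import tempfile
from pathlib import Path

# rpm query listing every installed package with its two signature tags;
# an unsigned package prints "(none)" for both.
RPM_SIG_QUERY = ["rpm", "-qa", "--qf",
                 "%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\t"
                 "%{SIGPGP:pgpsig}\t%{SIGGPG:pgpsig}\n"]

FALSE_VALUES = {"0", "no", "false", "off"}  # spellings yum accepts for a false boolean


def repos_without_gpgcheck(config_files):
    """Return [(path, repo)] for every enabled repo whose effective gpgcheck is off.

    config_files is ordered with /etc/yum.conf first: its [main] gpgcheck is the
    default for repo sections that set none; yum's own default is 0 if nothing sets it.
    """
    main_default = "0"
    unchecked = []
    for path in config_files:
        cp = configparser.ConfigParser(interpolation=None, strict=False)
        cp.read(path)
        if cp.has_section("main"):
            main_default = cp["main"].get("gpgcheck", main_default)
        for repo in cp.sections():
            if repo == "main":
                continue
            if cp[repo].get("enabled", "1").strip().lower() in FALSE_VALUES:
                continue  # a disabled repo cannot feed packages to yum-cron
            if cp[repo].get("gpgcheck", main_default).strip().lower() in FALSE_VALUES:
                unchecked.append((str(path), repo))
    return unchecked


def unsigned_packages(rpm_output):
    """Parse RPM_SIG_QUERY output; return the NEVRAs whose signature tags are all (none)."""
    unsigned = []
    for line in rpm_output.splitlines():
        fields = line.split("\t")
        if len(fields) >= 2 and all(f.strip() == "(none)" for f in fields[1:]):
            unsigned.append(fields[0])
    return unsigned


# Constructed sample of RPM_SIG_QUERY output; the key ID is a placeholder.
SAMPLE_RPM_OUTPUT = (
    "testrpm-1.1-1.f19g.noarch\t(none)\t(none)\n"
    "bash-4.2.45-5.el7.x86_64\tRSA/SHA256, Key ID 0123456789abcdef\t(none)\n"
)

# Constructed configuration: [main] turns gpgcheck on, one local repo turns it off.
SAMPLE_YUM_CONF = "[main]\ngpgcheck=1\n"
SAMPLE_REPO = """[test]
name=Local unsigned repo (constructed, like the reporter's ~/testrepo)
baseurl=file:///home/someuser/testrepo
gpgcheck=0
enabled=1

[inherits-main]
name=No gpgcheck line here, so [main] gpgcheck=1 applies
baseurl=file:///srv/repo
enabled=1

[switched-off]
name=gpgcheck=0 but the repo itself is disabled
baseurl=file:///srv/old
gpgcheck=0
enabled=0
"""


def demo():
    """Run both checks over the constructed samples; returns (unchecked, unsigned)."""
    with tempfile.TemporaryDirectory() as d:
        yum_conf, repo = Path(d, "yum.conf"), Path(d, "test.repo")
        yum_conf.write_text(SAMPLE_YUM_CONF)
        repo.write_text(SAMPLE_REPO)
        unchecked = repos_without_gpgcheck([yum_conf, repo])
    return unchecked, unsigned_packages(SAMPLE_RPM_OUTPUT)


def audit_host():
    """Same checks against the live host; needs rpm and the usual yum paths."""
    files = [Path("/etc/yum.conf")] + sorted(Path("/etc/yum.repos.d").glob("*.repo"))
    unchecked = repos_without_gpgcheck([f for f in files if f.is_file()])
    unsigned = []
    if shutil.which("rpm"):
        out = subprocess.run(RPM_SIG_QUERY, capture_output=True, text=True, check=True).stdout
        unsigned = unsigned_packages(out)
    return unchecked, unsigned


if __name__ == "__main__":
    unchecked, unsigned = audit_host() if shutil.which("rpm") else demo()
    for path, repo in unchecked:
        print(f"gpgcheck off: [{repo}] in {path}")
    for nevra in unsigned:
        print(f"installed without signature: {nevra}")
```

Note the limits of each half. The configuration audit catches the misconfiguration case only; in this report gpgcheck was on and yum-cron still installed the package, so the defect itself does not show up there. The rpm query does show its result: any package yum-cron installed from the unsigned repo lists "(none)" for both signature tags, which is the line a practitioner would grep for after updating to the fixed yum.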

