Bug 1052994 - CVE-2014-0022 yum: yum-cron installs unsigned packages [rhel-7.0]
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: yum
Version: 7.0
Hardware: noarch
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assigned To: Valentina Mukhamedzhanova
QA Contact: Karel Srot
Keywords: Security, SecurityTracking
Depends On:
Blocks: CVE-2014-0022
Reported: 2014-01-14 09:46 EST by Zdeněk Pavlas
Modified: 2014-07-31 03:08 EDT (History)

See Also:
Fixed In Version: yum-3.4.3-110.el7
Doc Type: Release Note
Doc Text:
Story Points: ---
Clone Of: 1052440
Environment:
Last Closed: 2014-07-31 03:08:35 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Description Zdeněk Pavlas 2014-01-14 09:46:30 EST
+++ This bug was initially created as a clone of Bug #1052440 +++

Description of problem:
yum-cron installs unsigned packages. This is not acceptable!

Version-Release number of selected component (if applicable):
yum-cron-3.4.3-128.fc19.noarch

Steps to Reproduce:
$ rpmbuild -ba testrpm.spec 
...
Wrote: /home/someuser/work/rpm/SRPMS/testrpm-1.0-1.f19g.src.rpm
Wrote: /home/someuser/work/rpm/RPMS/noarch/testrpm-1.0-1.f19g.noarch.rpm
...
+ exit 0

$ rpmsign --addsign /home/someuser/work/rpm/RPMS/noarch/testrpm-1.0-1.f19g.noarch.rpm
Enter pass phrase: 
Pass phrase is good.
/home/someuser/work/rpm/RPMS/noarch/testrpm-1.0-1.f19g.noarch.rpm:

$ yum -y install /home/someuser/work/rpm/RPMS/noarch/testrpm-1.0-1.f19g.noarch.rpm
...
$ rpm -q testrpm
testrpm-1.0-1.f19g.noarch

$ rpmbuild -ba testrpm.spec 
...
Wrote: /home/someuser/work/rpm/SRPMS/testrpm-1.1-1.f19g.src.rpm
Wrote: /home/someuser/work/rpm/RPMS/noarch/testrpm-1.1-1.f19g.noarch.rpm
...
+ exit 0

$ mkdir ~/testrepo
$ cd ~/testrepo
$ cp /home/someuser/work/rpm/RPMS/noarch/testrpm-1.1-1.f19g.noarch.rpm .
$ createrepo .
...

$ grep gpgcheck=0 /etc/yum.conf /etc/yum.repos.d/*
$ cat 
[test]
name=test
baseurl=file:///home/someuser/testrepo
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-test
gpgcheck=1
enabled=1

Wait for yum-cron to run via crontab. The email received from the cron daemon looks like this:

From: Cron Daemon <root@xxxx>
To: root@xxxx
Subject: Cron <root@xxxx> run-parts /etc/cron.hourly

/etc/cron.hourly/0yum-hourly.cron:

Loaded plugins: fastestmirror, post-transaction-actions, priorities,
              : protectbase, remove-with-leaves, rpm-warm-cache, versionlock
Loading mirror speeds from cached hostfile
...
0 packages excluded due to repository protections
Package testrpm-1.1-1.f19g.noarch.rpm is not signed

$ rpm -q testrpm
testrpm-1.1-1.f19g.noarch

$ rpm -ev testrpm
Preparing packages...
testrpm-1.1-1.f19g.noarch

[root@imhotep ~]# yum -y install testrpm
...
--> Running transaction check
---> Package testrpm.noarch 0:1.1-1.f19g will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package            Arch              Version               Repository     Size
================================================================================
Installing:
 testrpm            noarch            1.1-1.f19g            test          1.9 k

Transaction Summary
================================================================================
Install  1 Package

Total size: 1.9 k
Installed size: 0  
Downloading packages:


Package testrpm-1.1-1.f19g.noarch.rpm is not signed


Actual results:
yum-cron installs unsigned packages.

Expected results:
yum-cron should not install unsigned packages.

Additional info:
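An added check for the problem described in this report (example script, not part of the bug report, of yum or of yum-cron): it queries the rpm database for the signature header fields of every installed package and reports those that carry none, so a host can be audited after the fact for packages that an automated updater installed without a signature. The `%{SIGPGP:pgpsig}` / `%{SIGGPG:pgpsig}` query tags and the `(none)` value rpm prints for an absent header are rpm's own; the names `RPM_SIG_QF`, `find_unsigned`, `count_unsigned` and `audit_installed` are chosen here, and the sample lines in the usage below are constructed.

```shell
# Query format: NEVRA, then the RSA (SIGPGP) and DSA (SIGGPG) signature header
# fields, tab separated; rpm prints "(none)" for a field the header lacks.
RPM_SIG_QF='%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\t%{SIGPGP:pgpsig}\t%{SIGGPG:pgpsig}\n'

# find_unsigned: reads that query output on stdin and prints the NEVRA of every
# package whose signature fields are both "(none)", i.e. an unsigned package.
# Tabs are the delimiter because the signature field itself contains commas
# and spaces ("RSA/SHA256, <date>, Key ID <id>").
find_unsigned() {
    awk 'BEGIN { FS = "\t" } $2 == "(none)" && $3 == "(none)" { print $1 }'
}

# count_unsigned: number of unsigned packages in the query output on stdin.
count_unsigned() {
    find_unsigned | wc -l | tr -d '[:space:]'
}

# audit_installed: runs the real query on this host and returns 1 if any
# installed package is unsigned, so it can gate a cron job or a CI step.
# (Hypothetical helper; only the functions above are exercised offline.)
audit_installed() {
    unsigned="$(rpm -qa --qf "$RPM_SIG_QF" | find_unsigned)"
    if [ -n "$unsigned" ]; then
        printf 'unsigned packages installed:\n%s\n' "$unsigned" >&2
        return 1
    fi
    return 0
}

# Usage on a real host:
#   rpm -qa --qf "$RPM_SIG_QF" | find_unsigned
# Offline, with a constructed two-line sample (one unsigned, one signed with a
# placeholder key id), find_unsigned prints only "testrpm-1.1-1.f19g.noarch":
#   printf 'testrpm-1.1-1.f19g.noarch\t(none)\t(none)\nsignedpkg-1.0-1.el7.x86_64\tRSA/SHA256, Key ID 0000000000000000\t(none)\n' | find_unsigned
```

This complements the reporter's `grep gpgcheck=0` step: that one inspects configuration, this one inspects what actually reached the rpm database. Note the caveat that a present signature header only shows the package was signed by some key; whether that key is one the host trusts is a separate question, answered by comparing the reported Key ID against the keys listed by `rpm -q gpg-pubkey`.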

--- Additional comment from Zdeněk Pavlas on 2014-01-14 09:44:52 EST ---

Confirmed, thanks for the report. Looks like an easy fix.

http://yum.baseurl.org/gitweb?p=yum.git;a=commitdiff;h=9df69e579496ccb6df5c3f5b5b7bab8d648b06b4
