Bug 1927747 (CVE-2021-3421) - CVE-2021-3421 rpm: unsigned signature header leads to string injection into an rpm database
Summary: CVE-2021-3421 rpm: unsigned signature header leads to string injection into a...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-3421
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1929452 1929453 1933867 1938024 1938025 1958475 1958476
Blocks: 1912449 1934801
Reported: 2021-02-11 13:14 UTC by msiddiqu
Modified: 2022-04-17 21:08 UTC (History)
CC List: 15 users

Fixed In Version: rpm 4.17.0-alpha
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the RPM package in the read functionality. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package or compromise an RPM repository, to cause RPM database corruption. The highest threat from this vulnerability is to data integrity.
Clone Of:
Environment:
Last Closed: 2021-09-09 00:21:09 UTC
Embargoed:

Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1933867 1 medium CLOSED CVE-2021-3421 rpm: unsigned signature header leads to string injection into an rpm database [fedora-33] 2021-11-30 18:23:12 UTC

Description msiddiqu 2021-02-11 13:14:34 UTC
The signature header is not signed, but some data is extracted from it and incorporated into the RPM database. It may be possible to insert an erroneous and/or malicious OpenPGP signature into a signed package this way. It is possible to inject strings into the RPM database that the owner of the database would not wish it to contain.

Comment 1 msiddiqu 2021-02-11 13:14:37 UTC
Acknowledgments:

Name: Demi M. Obenour

Comment 7 Todd Cullum 2021-03-02 18:05:12 UTC
Created rpm tracking bugs for this issue:

Affects: fedora-all [bug 1933867]

Comment 11 Todd Cullum 2021-03-05 23:43:46 UTC
Flaw summary:

rpmReadPackageFile() is used to read RPM file headers. Internally, it calls headerMergeLegacySigs() which copies signature tags from the signature header to the main RPM metadata header (especially, legacy signatures). The logic in headerMergeLegacySigs() allows for copying of unknown tags from the signature header into the RPM header. Thus, it's possible to supply an RPM file with an unknown tag in the signature header, that gets copied into the RPM metadata header and subsequently placed into the RPM database as a corrupt header tag if the package is installed. This occurs even with the %_pkgverify_level macro set to `all`.

Installing such a package causes the header to be inaccessible within the rpm database and could lead to data integrity issues such as corrupt header and bad tag errors when rpm reads the database, installed packages not actually being retrievable (shown as not installed), seemingly missing dependencies that are actually installed, etc.

This flaw does not cause data loss or permanent damage to the database, which can be repaired using the `rpmdb --rebuilddb` or `rpm --rebuilddb` commands.

Additionally, it requires running rpm against a malicious or malformed package which should never be in the official supported package repositories - so a Man-in-the-middle or attempting to install an unsupported or modified package would be required to trigger this.
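A defender-side preflight check in the spirit of the flaw summary above, added here as an example (not rpm's own code and not part of this bug report): it parses the lead and the signature header of an RPM image and reports any tag outside the known signature-tag set, i.e. exactly the tags that headerMergeLegacySigs() would carry over unverified. The allow-list tag numbers are assumed from rpm's rpmtag.h; the sample input built by build_sample() is constructed, not a real package.

```python
import struct

# Allow-list of signature-header tag numbers, assumed from rpm's rpmtag.h
# (RPMTAG_HEADERSIGNATURES region marker plus the RPMSIGTAG_* values).
# Any other tag in the signature header is what headerMergeLegacySigs()
# would copy, unverified, into the main header and then into the rpmdb.
KNOWN_SIG_TAGS = {
    62,                                  # HEADERSIGNATURES (region marker)
    267, 268, 269, 270, 271, 273,        # DSA, RSA, SHA1, LONGSIZE, LONGARCHIVESIZE, SHA256
    1000, 1002, 1004, 1005, 1007, 1008,  # SIZE, PGP, MD5, GPG, PAYLOADSIZE, RESERVEDSPACE
}
LEAD_MAGIC = b"\xed\xab\xee\xdb"    # RPM lead magic; the lead is a fixed 96 bytes
LEAD_SIZE = 96
HEADER_MAGIC = b"\x8e\xad\xe8\x01"  # header magic followed by header version 1

def unknown_signature_tags(blob: bytes) -> list[int]:
    """Parse the lead and signature header of an RPM image and return the
    sorted tag numbers that are not in the allow-list. Raises ValueError on
    structural damage, which a preflight scanner should also treat as a fail."""
    if blob[:4] != LEAD_MAGIC or len(blob) < LEAD_SIZE + 16:
        raise ValueError("not an RPM lead")
    off = LEAD_SIZE
    if blob[off:off + 4] != HEADER_MAGIC:
        raise ValueError("bad signature header magic")
    # 4 reserved bytes, then index entry count and data store size (big-endian)
    nindex, hsize = struct.unpack(">II", blob[off + 8:off + 16])
    index_start = off + 16
    store_start = index_start + 16 * nindex
    if len(blob) < store_start + hsize:
        raise ValueError("truncated signature header")
    tags = set()
    for i in range(nindex):
        entry = blob[index_start + 16 * i:index_start + 16 * (i + 1)]
        tag, _typ, data_off, _count = struct.unpack(">iIiI", entry)
        if not 0 <= data_off < hsize:
            raise ValueError(f"tag {tag} points outside the data store")
        tags.add(tag)
    return sorted(t for t in tags if t not in KNOWN_SIG_TAGS)

def build_sample(entries) -> bytes:
    """Constructed test input (not a real package): a zeroed lead followed by a
    signature header holding the given (tag, type, payload) index entries."""
    index, store = b"", b""
    for tag, typ, payload in entries:
        index += struct.pack(">iIiI", tag, typ, len(store), 1)
        store += payload
    lead = LEAD_MAGIC + b"\x00" * (LEAD_SIZE - 4)
    sig = HEADER_MAGIC + b"\x00" * 4 + struct.pack(">II", len(entries), len(store))
    return lead + sig + index + store
```

Run it over files fetched from an untrusted source before handing them to rpm; any non-empty result, or a ValueError, means the package should not be installed without further inspection.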

Comment 12 Todd Cullum 2021-03-05 23:46:14 UTC
Statement:

To exploit this flaw, an attacker must either compromise an RPM repository or convince an administrator to install an untrusted RPM. It is strongly recommended to only use RPMs from trusted repositories.

Comment 13 Todd Cullum 2021-03-11 23:07:55 UTC
Created rpm tracking bugs for this issue:

Affects: fedora-32 [bug 1938024]
Affects: fedora-rawhide [bug 1938025]

Comment 15 Fedora Update System 2021-03-30 00:15:42 UTC
FEDORA-2021-2383d950fd has been pushed to the Fedora 34 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 16 Fedora Update System 2021-04-07 15:25:41 UTC
FEDORA-2021-662680e477 has been pushed to the Fedora 32 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 26 Product Security DevOps Team 2021-09-09 00:21:09 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3421
