libdnf does its own signature verification, but this check can be tricked by placing a signature in the package's main header. The flaw is exploitable if (and only if) RPM's package verification level (`%_pkgverify_level`) is set to "digest" or "none".
Acknowledgments: Name: Demi M. Obenour
Mitigation: A mitigation for this flaw is to set `%_pkgverify_level all` or `%_pkgverify_level signature` in `/etc/rpm/macros`.
Statement: The exploitation of this flaw requires RPM's package verification level to be set to "digest" or "none". In addition, to exploit this flaw, an attacker must either compromise an RPM repository or convince an administrator to install an untrusted RPM. It is strongly recommended to only use RPMs from trusted repositories.
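The mitigation above is a one-line macro, but on a fleet the questions are "what is the effective level on this host?" and "can I set it without leaving a duplicate or conflicting definition behind?". The following POSIX shell helpers are an added example written for this page; they are not code from the bug report, from rpm or from libdnf. Assumptions: the macros file path is passed as an argument (the real one is `/etc/rpm/macros`), the last definition in the file wins as in rpm's own macro processing, and a file that defines no level is reported as "digest", which is assumed here to be rpm's shipped default.

```shell
#!/bin/sh
# Added example for the libdnf signature-verification flaw; not code from the
# bug report, rpm or libdnf. Reads and hardens %_pkgverify_level in a macros file.
# Assumptions: path given explicitly (normally /etc/rpm/macros); last
# definition wins; an undefined level is treated as "digest" (assumed default).

# pkgverify_level FILE
#   Print the effective %_pkgverify_level defined in FILE, or "digest" (the
#   assumed rpm default) when FILE defines none or does not exist.
pkgverify_level() {
    level=$(sed -n 's/^[[:space:]]*%_pkgverify_level[[:space:]]\{1,\}\([a-z]*\).*/\1/p' \
                "$1" 2>/dev/null | tail -n 1)
    printf '%s\n' "${level:-digest}"
}

# pkgverify_mitigated LEVEL
#   Exit 0 when LEVEL makes the flaw non-exploitable ("all" or "signature"),
#   1 for the weak levels "digest" and "none" (or anything unrecognised).
pkgverify_mitigated() {
    case "$1" in
        all|signature) return 0 ;;
        *)             return 1 ;;
    esac
}

# harden_macros FILE [LEVEL]
#   Drop every existing %_pkgverify_level line from FILE and append LEVEL
#   (default "all"), so exactly one definition remains. Refuses weak levels.
#   Builds the new content in a temp file first so an error never truncates FILE.
harden_macros() {
    file=$1
    want=${2:-all}
    if ! pkgverify_mitigated "$want"; then
        echo "refusing to set weak verification level '$want'" >&2
        return 2
    fi
    tmp=$(mktemp) || return 1
    if [ -f "$file" ]; then
        # sed exits 0 even when it deletes every line, unlike grep -v.
        sed '/^[[:space:]]*%_pkgverify_level[[:space:]]/d' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    fi
    printf '%%_pkgverify_level %s\n' "$want" >> "$tmp"
    # cat into the existing path keeps its owner, mode and inode.
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# Usage (as root on a real host):
#   pkgverify_level /etc/rpm/macros          # inspect
#   harden_macros   /etc/rpm/macros all      # enforce
```

After editing the real file, confirm the value rpm actually resolves, which also accounts for definitions in other macro files, with `rpm --eval '%_pkgverify_level'`; it should print `all` or `signature`.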
Created libdnf tracking bugs for this issue: Affects: fedora-all [bug 1940116]
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:4464 https://access.redhat.com/errata/RHSA-2021:4464