Bug 983911 - redhat-support-tool: lack of package verification
Status: CLOSED CANTFIX
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: redhat-support-tool
Version: 7.0
Assigned To: Keith Robertson
Blocks: 982704
Reported: 2013-07-12 05:02 EDT by Florian Weimer
Modified: 2016-07-03 21:34 EDT
Last Closed: 2013-08-05 15:08:18 EDT
Type: Bug
Doc Type: Bug Fix
Attachments: None
Description Florian Weimer 2013-07-12 05:02:33 EDT
src/redhat_support_tool/helpers/yumdownloadhelper.py does not verify repository or package integrity.  As a result, there is a potential shell command injection in the package name (see bug 983909), but as we have transport layer protection for the default repositories, this does not seem particularly significant.

Perhaps the -debuginfo package can be installed using debuginfo-install instead (but see bug 676193).
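The two weaknesses named in the report (a package name reaching a shell command line unverified, and downloaded packages whose integrity is never checked) are usually fixed by the same small set of habits. The following is an added example written for this page; it is not code from redhat-support-tool or from yumdownloadhelper.py, and the allowlist pattern, the `yumdownloader` argv layout and the sample digests are assumptions chosen to illustrate the point. It builds the download command as an argv list so that nothing in the name is ever parsed by /bin/sh, rejects names that do not match a conservative pattern, and compares the digest of a downloaded file against a digest obtained from a trusted source.

```python
import hashlib
import hmac
import re
import subprocess
from typing import List

# Conservative allowlist for package names (assumption for this example;
# deliberately narrower than what RPM itself permits).
PACKAGE_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._+-]*$")


def is_safe_package_name(name: str) -> bool:
    """True only for names made of letters, digits and . _ + - ."""
    return bool(PACKAGE_NAME_RE.match(name))


def build_download_command_unsafe(name: str) -> str:
    """The pattern to avoid: the caller's string is spliced into one shell
    command line, so every shell metacharacter in it changes the command
    that /bin/sh executes.  Returned as a string only to show the shape;
    never pass the result to a shell."""
    return "yumdownloader " + name + "-debuginfo"


def build_download_command(name: str) -> List[str]:
    """Hardened form: validate the name, then return an argv list.

    Because the list is handed straight to execve (no shell=True), the
    operating system receives the name as a single argument, and the
    leading '--' stops a name starting with '-' from being read as an
    option.  The validation step is what would otherwise be missing."""
    if not is_safe_package_name(name):
        raise ValueError("refusing package name: %r" % (name,))
    return ["yumdownloader", "--", name + "-debuginfo"]


def run_download(name: str) -> None:
    """Run the hardened command without a shell (not executed by the test)."""
    subprocess.run(build_download_command(name), check=True)


def verify_sha256(data: bytes, expected_hex: str) -> bool:
    """Integrity check for a downloaded package body.

    expected_hex must come from a source the caller already trusts, such as
    signed repository metadata or a TLS-protected channel; comparing against
    a digest fetched alongside the file over plain HTTP proves nothing.
    A constant-time compare avoids leaking how many leading bytes matched."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_hex.lower())


if __name__ == "__main__":
    # Constructed sample input: a benign name and one carrying a separator.
    for candidate in ("kernel", "foo; true"):
        print(candidate, "->", is_safe_package_name(candidate))
    print(build_download_command("kernel"))
```

In the real tool, the expected digest would be taken from the repository's signed metadata (or the RPM's GPG signature checked with rpm's own verification) rather than supplied by hand; the point of `verify_sha256` is that a download is not trusted until something independent of the transport vouches for its contents.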
