Bug 1422157 (CVE-2017-2623) - CVE-2017-2623 rpm-ostree, rpm-ostree-client: fails to check gpg package signatures when layering
Summary: CVE-2017-2623 rpm-ostree, rpm-ostree-client: fails to check gpg package signa...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2017-2623
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1416089 1433392
Blocks: 1422170
Reported: 2017-02-14 15:45 UTC by Martin Prpič
Modified: 2021-02-17 02:35 UTC (History)

Fixed In Version: rpm-ostree 2017.3
Doc Type: Bug Fix
Doc Text:
It was discovered that rpm-ostree and rpm-ostree-client fail to properly check GPG signatures on packages when doing layering. Packages with unsigned or badly signed content could fail to be rejected as expected. This issue is partially mitigated on RHEL Atomic Host, where certificate pinning is used by default.
Clone Of:
Environment:
Last Closed: 2017-03-06 04:34:44 UTC
Embargoed:




Links
System: Red Hat Product Errata
ID: RHSA-2017:0444
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: Moderate: rpm-ostree and rpm-ostree-client security, bug fix, and enhancement update
Last Updated: 2017-03-03 22:45:15 UTC

Description Martin Prpič 2017-02-14 15:45:57 UTC
It was found that rpm-ostree was not checking GPG signatures on packages when doing layering.

Note that for RHEL Atomic Host, this issue is of lower impact due to existing "certificate pinning" that is enabled by default. While it does not provide the same type of safety measures as GPG, it is a strong, standard baseline security practice against many threat scenarios.

Comment 1 Martin Prpič 2017-02-14 15:46:00 UTC
Acknowledgments:

Name: Colin Walters (Red Hat)

Comment 2 errata-xmlrpc 2017-03-02 22:39:48 UTC
This issue has been addressed in the following products:

  RHAH for RHEL 7

Via RHSA-2017:0444 https://access.redhat.com/errata/RHSA-2017:0444

Comment 3 Trevor Jay 2017-03-03 16:12:00 UTC
Mitigation:

This issue is partially mitigated on RHEL Atomic Host, where default certificate pinning ensures provenance.

Comment 4 Trevor Jay 2017-03-03 18:19:26 UTC
Corrected push is now out.

_Trevor

Comment 5 Carl Song 2017-04-04 15:36:48 UTC
The CVE page at https://access.redhat.com/security/cve/CVE-2017-2623 implies there is still a patch pending for base RHEL 7. The Doc Text on this bug page also implies the issue is not limited to RHAH. Will there be a fix for base RHEL 7?

Comment 7 Andrej Nemec 2017-05-12 06:58:26 UTC
(In reply to Carl Song from comment #5)
> The CVE page at https://access.redhat.com/security/cve/CVE-2017-2623 implies
> there is still a patch pending for base RHEL 7. The Doc Text on this bug
> page also implies the issue is not limited to RHAH. Will there be a fix for
> base RHEL 7?

This issue is related only to the RHAH. It is now reflected on the CVE page as well.

