1932079 – (CVE-2021-3445) CVE-2021-3445 libdnf: Signature verification bypass via signature placed in the main RPM header

Bug 1932079 (CVE-2021-3445) - CVE-2021-3445 libdnf: Signature verification bypass via signature placed in the main RPM header

Summary: CVE-2021-3445 libdnf: Signature verification bypass via signature placed in t...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2021-3445
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1932089 1932090 1940116
Blocks:	1912449 1939506
TreeView+	depends on / blocked

Reported:	2021-02-23 20:53 UTC by Todd Cullum
Modified:	2023-09-15 01:01 UTC (History)
CC List:	13 users (show)
Fixed In Version:	libdnf 0.60.1
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in libdnf's signature verification functionality. This flaw allows an attacker to achieve code execution if they can alter the header information of an RPM package and then trick a user or system into installing it. The highest risk of this vulnerability is to confidentiality, integrity, as well as system availability.
Clone Of:
Environment:
Last Closed:	2021-11-02 23:09:39 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2021:4464	0	None	None	None	2021-11-09 18:53:17 UTC

Description Todd Cullum 2021-02-23 20:53:18 UTC

libdnf does its own signature verification, but this can be
tricked by placing a signature in the main header. This is exploitable if
(and only if) RPM's package verification level is set to "digest" or "none".

Comment 1 Todd Cullum 2021-02-23 20:53:20 UTC

Acknowledgments:

Name: Demi M. Obenour

Comment 10 Todd Cullum 2021-03-04 19:52:59 UTC

Mitigation:

A mitigation for this flaw is to set %_pkgverify_level all` or `%_pkgverify_level signature` in `/etc/rpm/macros`.

Comment 15 RaTasha Tillery-Smith 2021-03-16 17:18:36 UTC

Statement:

The exploitation of this flaw requires RPM's package verification level to be set to "digest" or "none". In addition, to exploit this flaw, an attacker must either compromise an RPM repository or convince an administrator to install an untrusted RPM.  It is strongly recommended to only use RPMs from trusted repositories.

Comment 16 Todd Cullum 2021-03-17 15:53:56 UTC

Created libdnf tracking bugs for this issue:

Affects: fedora-all [bug 1940116]

Comment 19 errata-xmlrpc 2021-11-09 18:53:16 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4464 https://access.redhat.com/errata/RHSA-2021:4464

Comment 20 Red Hat Bugzilla 2023-09-15 01:01:59 UTC

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days

Note You need to log in before you can comment on or make changes to this bug.