Bug 778533 (CVE-2021-20271, CVE-2021-3421) - <app-arch/rpm-4.16.1.3: insufficient signature validation
Summary: <app-arch/rpm-4.16.1.3: insufficient signature validation
Status: RESOLVED FIXED
Alias: CVE-2021-20271, CVE-2021-3421
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-03-27 02:14 UTC by John Helmert III
Modified: 2021-07-26 03:26 UTC

See Also:
Package list:
app-arch/rpm-4.16.1.3
Runtime testing required: ---
nattka: sanity-check+


Description John Helmert III gentoo-dev Security 2021-03-27 02:14:20 UTC
CVE-2021-20271:

A flaw was found in RPM's signature check functionality when reading a package file. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package, whose signature header was modified, to cause RPM database corruption and execute code. The highest threat from this vulnerability is to data integrity, confidentiality, and system availability.

Patch: https://github.com/rpm-software-management/rpm/commit/d6a86b5e69e46cc283b1e06c92343319beb42e21

Note that the patch says it fixes CVE-2021-3421 too, and that doesn't appear
to be public.


Please apply the patch, if suitable.
Comment 1 Conrad Kostecki gentoo-dev 2021-03-27 14:21:00 UTC
Release rpm-4.16.1.3 should include those patches.
Comment 2 Larry the Git Cow gentoo-dev 2021-04-13 19:17:18 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=46e2330f712a1c60bed71abc25eea1f4f499f150

commit 46e2330f712a1c60bed71abc25eea1f4f499f150
Author:     Tony Vroon <chainsaw@gentoo.org>
AuthorDate: 2021-04-13 19:16:21 +0000
Commit:     Tony Vroon <chainsaw@gentoo.org>
CommitDate: 2021-04-13 19:17:12 +0000

    app-arch/rpm: Version bump to 4.16.1.3
    
    Switch to new crypto provider libgcrypt, as NSS is deprecated. As flagged
    up by Sam James in bug #780684. This has potential to address some test
    suite failures, but even with -usersandbox I still drown in a sea of:
    mktemp: failed to create file via template
    '/var/tmp/portage/app-arch/rpm-4.16.1.3/temp/rpmXXXXXX':
    No such file or directory
    
    Addresses CVE-2021-20271, a security vulnerability in the signature check
    functionality. Also addresses undisclosed vulnerability CVE-2021-3421.
    As flagged up by John "ajak" Helmert III in bug #778533
    
    Bug: https://bugs.gentoo.org/778533
    Closes: https://bugs.gentoo.org/780684
    Signed-Off-By: Tony Vroon <chainsaw@gentoo.org>
    Package-Manager: Portage-3.0.17, Repoman-3.0.2

 app-arch/rpm/Manifest                        |   1 +
 app-arch/rpm/files/rpm-4.16.1.3-libdir.patch |  34 ++++++
 app-arch/rpm/rpm-4.16.1.3.ebuild             | 148 +++++++++++++++++++++++++++
 3 files changed, 183 insertions(+)
Comment 3 Sam James archtester gentoo-dev Security 2021-05-13 12:14:42 UTC
Been a month, let's roll?
Comment 4 Tony Vroon gentoo-dev 2021-05-13 13:48:44 UTC
Let me know if you need anything; this is good to go as far as I'm concerned.
Comment 5 Sam James archtester gentoo-dev Security 2021-05-13 13:50:38 UTC
(In reply to Tony Vroon from comment #4)
> Let me know if you need anything; this is good to go as far as I'm concerned.

Excellent, thank you!
Comment 6 Sam James archtester gentoo-dev Security 2021-05-13 16:24:13 UTC
ppc64 done
Comment 7 Sam James archtester gentoo-dev Security 2021-05-13 16:24:23 UTC
ppc done
Comment 8 Sam James archtester gentoo-dev Security 2021-05-13 21:14:12 UTC
arm64 done
Comment 9 Sam James archtester gentoo-dev Security 2021-05-14 08:55:33 UTC
x86 done
Comment 10 Sam James archtester gentoo-dev Security 2021-05-14 08:55:37 UTC
amd64 done
Comment 11 Sam James archtester gentoo-dev Security 2021-05-15 19:12:33 UTC
arm done

all arches done
Comment 12 Sam James archtester gentoo-dev Security 2021-05-15 19:15:04 UTC
Please cleanup.
Comment 13 John Helmert III gentoo-dev Security 2021-07-16 01:57:41 UTC
GLSA request filed.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2021-07-20 04:15:50 UTC
This issue was resolved and addressed in
 GLSA 202107-43 at https://security.gentoo.org/glsa/202107-43
by GLSA coordinator John Helmert III (ajak).
Comment 15 John Helmert III gentoo-dev Security 2021-07-20 04:25:50 UTC
Reopening for cleanup
Comment 16 Larry the Git Cow gentoo-dev 2021-07-26 03:24:56 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9517266013b80bf8e96445a63cf25e27831eb793

commit 9517266013b80bf8e96445a63cf25e27831eb793
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2021-07-25 21:25:01 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2021-07-26 03:12:57 +0000

    app-arch/rpm: drop 4.14.2.1-r1, 4.16.0
    
    Bug: https://bugs.gentoo.org/778533
    Bug: https://bugs.gentoo.org/787944
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 app-arch/rpm/Manifest                         |   2 -
 app-arch/rpm/files/rpm-4.11.0-autotools.patch |  14 ---
 app-arch/rpm/files/rpm-4.16.0-libdir.patch    |  34 ------
 app-arch/rpm/files/rpm-4.9.1.2-libdir.patch   |  31 ------
 app-arch/rpm/rpm-4.14.2.1-r1.ebuild           | 141 ------------------------
 app-arch/rpm/rpm-4.16.0.ebuild                | 153 --------------------------
 6 files changed, 375 deletions(-)
Comment 17 John Helmert III gentoo-dev Security 2021-07-26 03:26:33 UTC
All done!