Bug 778533 (CVE-2021-20271, CVE-2021-3421) - <app-arch/rpm-4.16.1.3: insufficient signature validation
Summary: <app-arch/rpm-4.16.1.3: insufficient signature validation
Status: CONFIRMED
Alias: CVE-2021-20271, CVE-2021-3421
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B2 [stable?]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-03-27 02:14 UTC by John Helmert III
Modified: 2021-05-03 17:55 UTC

See Also:
Package list:
app-arch/rpm-4.16.1.3 *
Runtime testing required: ---
nattka: sanity-check+


Description John Helmert III gentoo-dev Security 2021-03-27 02:14:20 UTC
CVE-2021-20271:

A flaw was found in RPM's signature check functionality when reading a package file. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package, whose signature header was modified, to cause RPM database corruption and execute code. The highest threat from this vulnerability is to data integrity, confidentiality, and system availability.

Patch: https://github.com/rpm-software-management/rpm/commit/d6a86b5e69e46cc283b1e06c92343319beb42e21

Note that the patch says it fixes CVE-2021-3421 too, and that doesn't appear to be public.

Please apply the patch, if suitable.
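As an added illustration (not rpm's code, and not a reproduction of the upstream patch) of the structural consistency a signature-header reader has to enforce before trusting index entries, the following Python builds a small RPM-style header and checks each index entry against the data section; the tag-to-type expectations in EXPECTED_TYPE and the sample digest bytes are this example's own assumptions.

```python
import struct
HEADER_MAGIC = b"\x8e\xad\xe8\x01"
# rpm header data types and the byte width of one element (None = NUL-terminated strings)
TYPE_WIDTH = {0: 0, 1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: None, 7: 1, 8: None, 9: None}
# Expected type of well-known signature tags (assumed here): 1000 SIZE=INT32, 1004 MD5=BIN, 269 SHA1=STRING
EXPECTED_TYPE = {1000: 4, 1004: 7, 269: 6}

def build_header(entries, data):
    """Serialise (tag, type, offset, count) index entries and a data section into a header blob."""
    index = b"".join(struct.pack(">iiii", *e) for e in entries)
    return HEADER_MAGIC + b"\0" * 4 + struct.pack(">ii", len(entries), len(data)) + index + data

def check_header(blob):
    """Return a list of consistency problems found in the header index (empty list = passed)."""
    if len(blob) < 16 or blob[:4] != HEADER_MAGIC:
        return ["bad magic or truncated header"]
    nindex, hsize = struct.unpack(">ii", blob[8:16])
    if nindex < 1 or hsize < 0 or len(blob) != 16 + 16 * nindex + hsize:
        return ["index count or data size inconsistent with blob length"]
    data = blob[16 + 16 * nindex:]
    problems = []
    for i in range(nindex):
        tag, typ, off, count = struct.unpack(">iiii", blob[16 + 16 * i:32 + 16 * i])
        if typ not in TYPE_WIDTH:
            problems.append(f"entry {i} (tag {tag}): unknown type {typ}")
            continue
        if tag in EXPECTED_TYPE and typ != EXPECTED_TYPE[tag]:
            problems.append(f"entry {i} (tag {tag}): type {typ}, expected {EXPECTED_TYPE[tag]}")
        if off < 0 or count < 1 or off >= hsize:
            problems.append(f"entry {i} (tag {tag}): offset {off}/count {count} out of range")
            continue
        width = TYPE_WIDTH[typ]
        if width is None:
            # string types: the data from the offset must hold `count` NUL terminators
            if data[off:].count(b"\0") < count:
                problems.append(f"entry {i} (tag {tag}): unterminated string data")
        elif off + count * width > hsize or off % max(width, 1) != 0:
            problems.append(f"entry {i} (tag {tag}): data overruns header or is misaligned")
    return problems

def demo():
    """Constructed sample: a well-formed signature header beside two modified copies."""
    data = struct.pack(">i", 12345) + b"\xab" * 16   # constructed: payload size + fake MD5 digest
    good = build_header([(1000, 4, 0, 1), (1004, 7, 4, 16)], data)
    # MD5 entry's offset moved past the end of the data section
    overrun = build_header([(1000, 4, 0, 1), (1004, 7, 100, 16)], data)
    # SIZE entry relabelled as a STRING so a naive reader would treat the integer as a C string
    retyped = build_header([(1000, 6, 0, 1), (1004, 7, 4, 16)], data)
    return check_header(good), check_header(overrun), check_header(retyped)
```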
Comment 1 Conrad Kostecki gentoo-dev 2021-03-27 14:21:00 UTC
Release rpm-4.16.1.3 should include those patches.
Comment 2 Larry the Git Cow gentoo-dev 2021-04-13 19:17:18 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=46e2330f712a1c60bed71abc25eea1f4f499f150

commit 46e2330f712a1c60bed71abc25eea1f4f499f150
Author:     Tony Vroon <chainsaw@gentoo.org>
AuthorDate: 2021-04-13 19:16:21 +0000
Commit:     Tony Vroon <chainsaw@gentoo.org>
CommitDate: 2021-04-13 19:17:12 +0000

    app-arch/rpm: Version bump to 4.16.1.3
    
    Switch to new crypto provider libgcrypt, as NSS is deprecated. As flagged
    up by Sam James in bug #780684. This has potential to address some test
    suite failures, but even with -usersandbox I still drown in a sea of:
    mktemp: failed to create file via template
    '/var/tmp/portage/app-arch/rpm-4.16.1.3/temp/rpmXXXXXX':
    No such file or directory
    
    Addresses CVE-2021-20271, a security vulnerability in the signature check
    functionality. Also addresses undisclosed vulnerability CVE-2021-3421.
    As flagged up by John "ajak" Helmert III in bug #778533
    
    Bug: https://bugs.gentoo.org/778533
    Closes: https://bugs.gentoo.org/780684
    Signed-Off-By: Tony Vroon <chainsaw@gentoo.org>
    Package-Manager: Portage-3.0.17, Repoman-3.0.2

 app-arch/rpm/Manifest                        |   1 +
 app-arch/rpm/files/rpm-4.16.1.3-libdir.patch |  34 ++++++
 app-arch/rpm/rpm-4.16.1.3.ebuild             | 148 +++++++++++++++++++++++++++
 3 files changed, 183 insertions(+)