Bug 906803 (CVE-2013-6435) - VUL-1: CVE-2013-6435: rpm: Skipping rpm verification race
Summary: VUL-1: CVE-2013-6435: rpm: Skipping rpm verification race
Status: RESOLVED FIXED
Alias: CVE-2013-6435
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Deadline: 2014-12-12
Assignee: Michael Schröder
QA Contact: Security Team bot
URL:
Whiteboard: maint:released:sle11-sp3:60027 maint:...
Keywords:
Depends on:
Blocks:
 
Reported: 2014-11-24 10:56 UTC by Johannes Segitz
Modified: 2015-04-09 12:21 UTC

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Description Johannes Segitz 2014-11-24 10:56:45 UTC
CRD: 2014-12-02, no CVE right now

Description of the issue:

RPM writes file contents to the target installation directory under a temporary name, and verifies its cryptographic signature only after the temporary file has been written completely. Under
certain conditions, the system interprets the unverified temporary file contents and extracts commands from it. This could allow an attacker to modify signed RPM files in such a way that they
execute code chosen by the attacker during package installation.

Details:
When a system administrator attempts to install the attached RPM file (either with "rpm -i" or "yum install"), there is a non-zero probability that the file "/tmp/exploited" is created because the system executes code which did not pass signature verification.

This exploit works by creating a large file in /etc/cron.d, which is then parsed by crond while it is still being written by rpm (with some probability, i.e., there is a race). rpm will eventually remove the file, but if crond has already started reading it, that is too late.

Acknowledgements:
This issue was discovered by Florian Weimer of the Red Hat Product Security Team.
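The safe ordering that the report implies (never expose unverified content inside a directory another service parses, and check the file against the digest carried in the signed header before it becomes visible) as an added illustration; this is not rpm's code or its actual fix. It assumes a hypothetical installer that receives each file's payload as a stream of chunks plus the expected SHA-256, and that the staging directory is on the same filesystem as the destination so the final rename is atomic.

```python
import hashlib
import os
import tempfile


class DigestMismatch(Exception):
    """Raised when the written content does not match the signed digest."""


def install_verified(chunks, expected_sha256, dest_path, staging_dir):
    """Stream a file to a staging area outside the destination directory,
    verify its digest, then rename it into place. A scanner of the destination
    directory (the report's example is crond over /etc/cron.d) therefore never
    sees a partial or unverified file, unlike a temp name beside dest_path."""
    dest_dir = os.path.dirname(os.path.abspath(dest_path))
    staging_dir = os.path.abspath(staging_dir)
    # Refuse a staging directory at or below the consumed directory.
    if os.path.commonpath([dest_dir, staging_dir]) == dest_dir:
        raise ValueError("staging_dir must not be inside the destination dir")
    digest = hashlib.sha256()
    fd, tmp = tempfile.mkstemp(dir=staging_dir)  # created mode 0600
    try:
        with os.fdopen(fd, "wb") as f:
            for chunk in chunks:
                digest.update(chunk)  # hash while writing, before exposure
                f.write(chunk)
        if digest.hexdigest() != expected_sha256:
            raise DigestMismatch(dest_path)
        os.rename(tmp, dest_path)  # atomic: consumers see all or nothing
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)  # nothing unverified is left behind anywhere
        raise


def demo(root=None):
    """Constructed scenario: a consumed 'cron.d'-like directory plus staging."""
    root = root or tempfile.mkdtemp()
    consumed = os.path.join(root, "cron.d")
    staging = os.path.join(root, "staging")
    os.makedirs(consumed)
    os.makedirs(staging)
    good = [b"line-one\n", b"line-two\n"]
    expected = hashlib.sha256(b"".join(good)).hexdigest()
    install_verified(iter(good), expected, os.path.join(consumed, "job"), staging)
    tampered = good + [b"appended-by-attacker\n"]  # no longer matches header
    try:
        install_verified(iter(tampered), expected, os.path.join(consumed, "bad"), staging)
        rejected = False
    except DigestMismatch:
        rejected = True
    return sorted(os.listdir(consumed)), sorted(os.listdir(staging)), rejected
```

A real installer would also apply the header's file mode and ownership before the rename, since mkstemp creates the file as 0600.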
Comment 1 Johannes Segitz 2014-11-24 10:58:45 UTC
Created attachment 614700
Patch against rpm 4.11.1
Comment 3 Swamp Workflow Management 2014-11-24 23:00:26 UTC
bugbot adjusting priority
Comment 5 Swamp Workflow Management 2014-12-05 12:21:07 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2014-12-12.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/59965
Comment 6 Johannes Segitz 2014-12-09 14:30:33 UTC
public
Comment 9 Michael Schröder 2014-12-11 13:06:37 UTC
Why would it be reasonable? The blog post is incorrect, there are two signatures: one over the header and one over the header and the payload.

(And the repository metadata contains a checksum over the complete file)
Comment 12 Swamp Workflow Management 2014-12-24 07:05:21 UTC
SUSE-SU-2014:1697-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 892431,906803,908128
CVE References: CVE-2013-6435,CVE-2014-8118
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    rpm-4.4.2.3-37.60.2
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    rpm-4.4.2.3-37.60.2
SUSE Linux Enterprise Server 11 SP3 (src):    rpm-4.4.2.3-37.60.2
SUSE Linux Enterprise Desktop 11 SP3 (src):    rpm-4.4.2.3-37.60.2
Comment 13 Swamp Workflow Management 2014-12-27 21:05:11 UTC
openSUSE-SU-2014:1716-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 892431,906803,908128
CVE References: CVE-2013-6435,CVE-2014-8118
Sources used:
openSUSE 13.2 (src):    python3-rpm-4.11.3-4.2, rpm-4.11.3-4.1, rpm-python-4.11.3-4.2
openSUSE 13.1 (src):    python3-rpm-4.11.1-6.9.1, rpm-4.11.1-6.9.1, rpm-python-4.11.1-6.9.1
openSUSE 12.3 (src):    python3-rpm-4.10.2-2.4.1, rpm-4.10.2-2.4.1, rpm-python-4.10.2-2.4.1
Comment 14 Leonardo Chiquitto 2015-01-07 16:48:41 UTC
Could this be the culprit of the broken installer (11-SP4)? Please see bsc#911228.
Comment 15 Michael Schröder 2015-01-07 16:55:22 UTC
As nobody knows why the installation fails I can't tell.
Comment 16 Swamp Workflow Management 2015-01-22 17:05:19 UTC
SUSE-SU-2015:0107-1: An update that solves two vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 892431,906803,908128,911228
CVE References: CVE-2013-6435,CVE-2014-8118
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    rpm-4.11.2-10.1
SUSE Linux Enterprise Server 12 (src):    rpm-4.11.2-10.1, rpm-python-4.11.2-10.1
SUSE Linux Enterprise Desktop 12 (src):    rpm-4.11.2-10.1, rpm-python-4.11.2-10.1
Comment 17 Johannes Segitz 2015-04-09 12:21:51 UTC
all updates released