Bugzilla – Bug 860255
VUL-0: CVE-2014-0022: yum: yum-cron installs unsigned packages
Last modified: 2014-07-01 14:49:40 UTC
CVE-2014-0022 Gabriel VLASIU reported that yum-cron would install unsigned RPM packages that yum itself would refuse to install. The yum-cron code is based on that in yum-updatesd.py. This is due to the installUpdates() function (processPkgs() in yum-updatesd.py) failing to fully check the return code of the called sigCheckPkg() function. sigCheckPkg() is described thus:

See all details inside the RedHat bug [1].

References:
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1057377
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0022
https://bugzilla.redhat.com/show_bug.cgi?id=1052440
http://yum.baseurl.org/gitweb?p=yum.git;a=commitdiff;h=9df69e579496ccb6df5c3f5b5b7bab8d648b06b4
http://comments.gmane.org/gmane.comp.security.oss.general/11927
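The following is an added illustration of the control-flow bug the report describes; it is not yum's code and not from the reporter. It assumes yum's sigCheckPkg() return convention as the editor understands it (0 = signature verifies or no check required, 1 = failed but importing the right GPG key may help, 2 = fatal, give up). The Package and Keyring objects, fresh_keyring(), and the helper names are constructed for the example. The vulnerable loop handles only results 0 and 1, so a fatal 2 (unsigned or tampered package) is never acted on and the package stays in the transaction; the fixed loop adds the missing branch.

```python
# Added illustration of the check-result bug behind CVE-2014-0022.
# NOT yum's code: Package, Keyring and the helper names are constructed
# for this example.  Assumed sigCheckPkg() return convention:
#   (0, "")   signature verifies, or no check is required
#   (1, msg)  verification failed but importing the right GPG key may help
#   (2, msg)  fatal verification failure, give up
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


class VerificationError(Exception):
    """Stand-in for yum.Errors.YumBaseError (assumed name)."""


@dataclass
class Package:
    name: str
    signed_by: Optional[str]   # key id the package is signed with; None = unsigned
    sig_valid: bool = True     # whether the signature checks out for that key


@dataclass
class Keyring:
    imported: Set[str] = field(default_factory=set)   # keys rpm already trusts
    available: Set[str] = field(default_factory=set)  # keys the repo can hand us


def fresh_keyring() -> Keyring:
    """Constructed sample state: KEY-A trusted, KEY-B importable from the repo."""
    return Keyring(imported={"KEY-A"}, available={"KEY-A", "KEY-B"})


def sig_check_pkg(po: Package, keyring: Keyring, gpgcheck: bool = True) -> Tuple[int, str]:
    """Model of sigCheckPkg(): returns (result, error_string) per the convention above."""
    if not gpgcheck:
        return 0, ""
    if po.signed_by is None:
        return 2, "Package %s is not signed" % po.name
    if po.signed_by not in keyring.imported:
        return 1, "Public key for %s is not installed" % po.name
    if not po.sig_valid:
        return 2, "Package %s has a bad signature" % po.name
    return 0, ""


def get_key_for_package(po: Package, keyring: Keyring) -> None:
    """Model of getKeyForPackage(): import the key, then re-verify the package."""
    if po.signed_by not in keyring.available:
        raise VerificationError("GPG key for %s is not available" % po.name)
    keyring.imported.add(po.signed_by)
    result, err = sig_check_pkg(po, keyring)
    if result != 0:
        raise VerificationError("Import of key(s) didn't help, wrong key(s)? %s" % err)


def install_updates_vulnerable(pkgs: List[Package], keyring: Keyring) -> Tuple[bool, List[str]]:
    """Shape of the buggy loop: only results 0 and 1 are handled, so a fatal
    result 2 falls through and the package is still part of the transaction."""
    for po in pkgs:
        result, err = sig_check_pkg(po, keyring)
        if result == 0:
            continue
        elif result == 1:
            try:
                get_key_for_package(po, keyring)
            except VerificationError as e:
                return False, [str(e)]
        # no else branch: result == 2 is silently ignored
    return True, [po.name for po in pkgs]


def install_updates_fixed(pkgs: List[Package], keyring: Keyring) -> Tuple[bool, List[str]]:
    """Same loop with the missing branch: any result other than a clean 0,
    or a 1 that a key import turns into 0, aborts the whole transaction."""
    for po in pkgs:
        result, err = sig_check_pkg(po, keyring)
        if result == 0:
            continue
        elif result == 1:
            try:
                get_key_for_package(po, keyring)
            except VerificationError as e:
                return False, [str(e)]
        else:
            return False, [err]
    return True, [po.name for po in pkgs]


def demo() -> Tuple[Tuple[bool, List[str]], Tuple[bool, List[str]]]:
    """Run both loops over one constructed update set; each gets its own keyring
    because a key import mutates it."""
    updates = [Package("good", "KEY-A"), Package("needs-key", "KEY-B"), Package("unsigned", None)]
    return (install_updates_vulnerable(updates, fresh_keyring()),
            install_updates_fixed(updates, fresh_keyring()))


if __name__ == "__main__":
    vuln, fixed = demo()
    print("vulnerable loop:", vuln)
    print("fixed loop:     ", fixed)
```

Note that the fixed loop rejects on the else branch rather than on `result == 2` specifically, so any future result code that is not explicitly accepted also aborts the transaction; a signature check that defaults to "install" on an unrecognised result is the pattern that caused this bug.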
Just a small analysis. Our yum does not have yum-cron.py, but the yum-updatesd.py which is affected. But this file is in the subpackage "yum-updatesd" which is not shipped anywhere. Does it make sense to provide an update we do not need to ship?
This is about yum on SLES11. I don't know if we have yum on openSUSE.
bugbot adjusting priority
Seems we have it on openSUSE. If we don't ship the vulnerable code on SLE, it's sufficient to fix in Factory there.
we do not ship the python yum-cron in our yum packages.