Upstream yum recently changed the behaviour when checking signatures

on a package. The commit added a new configuration key which only affects local packages, but the key was set by default to False. This meant that an end user could install a local unsigned rpm package using PackageKit without a GPG trust check, and the user would be told the untrusted package is itself trusted. To exploit this low-impact vulnerability, a user would have to manually download an unsigned package file and would still be required to authenticate to install the package. The CVE-ID for this bug is CVE-2011-2515 See https://bugzilla.redhat.com/show_bug.cgi?id=717566 for details. Resolves #718127
2011-07-01 10:11:00 +01:00 · 2011-07-01 10:11:00 +01:00 · 52da7c5f6d
commit 52da7c5f6d
parent 6b2f49afad
2 changed files with 111 additions and 1 deletions
--- a/0001-Fix-CVE-2011-2515-which-affects-the-YUM-backend.patch
+++ b/0001-Fix-CVE-2011-2515-which-affects-the-YUM-backend.patch
@ -0,0 +1,92 @@
+From cd79fcfefc8af165faa9a320bec44ce6d1c5b125 Mon Sep 17 00:00:00 2001
+From: Richard Hughes <richard@hughsie.com>
+Date: Fri, 1 Jul 2011 09:20:40 +0100
+Subject: [PATCH] Fix CVE-2011-2515 which affects the YUM backend
+
+In commit 290933489b1aaeb1017d10fb59ccf3231e309115, YUM changed the behaviour
+when checking signatures on a package. The commit added a new configuration key
+'localpkg_gpgcheck' which only affects local packages, but the key was set by
+default to False, unlike 'gpgcheck' which was used for local and remote
+packages before this commit.
+
+This meant that an end user could install a local unsigned rpm package using
+PackageKit without a GPG trust check, and the user would be told the untrusted
+package is itself trusted. This would cause PackageKit to use a different
+(weaker) PolicyKit authentication that what would be required of an unsigned
+package.
+
+To exploit this low-impact vulnerability, a user would have to manually
+download an unsigned package file and would still be required to authenticate
+to install the package unless this has been changed by an administrator.
+
+Now, PackageKit sets internaly 'localpkg_gpgcheck' to match 'gpgcheck' for all
+versions of yum with this new feature to match the expected behaviour.
+
+Red Hat would like to thank Peter Robinson for reporting this issue.
+
+See http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2515 for more details.
+
+Fixes https://bugzilla.redhat.com/show_bug.cgi?id=717566
+---
+ backends/yum/yumBackend.py |   16 ++++++++++++++++
+ 1 files changed, 16 insertions(+), 0 deletions(-)
+
+diff --git a/backends/yum/yumBackend.py b/backends/yum/yumBackend.py
+index d66f862..d9a293c 100755
+--- a/backends/yum/yumBackend.py
+++ b/backends/yum/yumBackend.py
+@@ -1732,8 +1732,12 @@ class PackageKitYumBackend(PackageKitBaseBackend, PackagekitPackage):
+         # if only_trusted is true, it means that we will only update signed files
+         if only_trusted:
+             self.yumbase.conf.gpgcheck = 1
+            if hasattr(self.yumbase.conf, 'localpkg_gpgcheck'):
+                self.yumbase.conf.localpkg_gpgcheck = 1
+         else:
+             self.yumbase.conf.gpgcheck = 0
+            if hasattr(self.yumbase.conf, 'localpkg_gpgcheck'):
+                self.yumbase.conf.localpkg_gpgcheck = 0
+ 
+         self.yumbase.conf.throttle = "60%" # Set bandwidth throttle to 60%
+                                            # to avoid taking all the system's bandwidth.
+@@ -1956,8 +1960,12 @@ class PackageKitYumBackend(PackageKitBaseBackend, PackagekitPackage):
+         # if only_trusted is true, it means that we will only update signed files
+         if only_trusted:
+             self.yumbase.conf.gpgcheck = 1
+            if hasattr(self.yumbase.conf, 'localpkg_gpgcheck'):
+                self.yumbase.conf.localpkg_gpgcheck = 1
+         else:
+             self.yumbase.conf.gpgcheck = 0
+            if hasattr(self.yumbase.conf, 'localpkg_gpgcheck'):
+                self.yumbase.conf.localpkg_gpgcheck = 0
+ 
+         for package_id in package_ids:
+             grp = self._is_meta_package(package_id)
+@@ -2149,8 +2157,12 @@ class PackageKitYumBackend(PackageKitBaseBackend, PackagekitPackage):
+         # If only_trusted is true, it means that we will only install trusted files
+         if only_trusted or simulate:
+             self.yumbase.conf.gpgcheck = 1
+            if hasattr(self.yumbase.conf, 'localpkg_gpgcheck'):
+                self.yumbase.conf.localpkg_gpgcheck = 1
+         else:
+             self.yumbase.conf.gpgcheck = 0
+            if hasattr(self.yumbase.conf, 'localpkg_gpgcheck'):
+                self.yumbase.conf.localpkg_gpgcheck = 0
+ 
+         # self.yumbase.installLocal fails for unsigned packages when self.yumbase.conf.gpgcheck = 1
+         # This means we don't run runYumTransaction, and don't get the GPG failure in
+@@ -2304,8 +2316,12 @@ class PackageKitYumBackend(PackageKitBaseBackend, PackagekitPackage):
+         # if only_trusted is true, it means that we will only update signed files
+         if only_trusted:
+             self.yumbase.conf.gpgcheck = 1
+            if hasattr(self.yumbase.conf, 'localpkg_gpgcheck'):
+                self.yumbase.conf.localpkg_gpgcheck = 1
+         else:
+             self.yumbase.conf.gpgcheck = 0
+            if hasattr(self.yumbase.conf, 'localpkg_gpgcheck'):
+                self.yumbase.conf.localpkg_gpgcheck = 0
+ 
+         txmbrs = []
+         try:
+-- 
+1.7.5.4
+
--- a/PackageKit.spec
+++ b/PackageKit.spec
@ -3,7 +3,7 @@
 Summary:   Package management service
 Name:      PackageKit
 Version:   0.6.15
-Release:   2%{?dist}
+Release:   3%{?dist}
 License:   GPLv2+ and LGPLv2+
 URL:       http://www.packagekit.org
 Source0:   http://www.packagekit.org/releases/%{name}-%{version}.tar.bz2
@ -14,6 +14,9 @@ Patch0:    PackageKit-0.3.8-Fedora-Vendor.conf.patch
 # Fedora specific: the yum backend doesn't do time estimation correctly
 Patch1:    PackageKit-0.4.4-Fedora-turn-off-time.conf.patch

+# Fix for CVE-2011-2515
+Patch2:    0001-Fix-CVE-2011-2515-which-affects-the-YUM-backend.patch
+
 Requires: PackageKit-glib = %{version}-%{release}
 Requires: PackageKit-yum = %{version}-%{release}
 Requires: shared-mime-info
@ -246,6 +249,7 @@ user to restart the computer or remove and re-insert the device.
 %setup -q
 %patch0 -p1 -b .fedora
 %patch1 -p1 -b .no-time
+%patch2 -p1 -b .cve2011-2515

 %build
 %configure \
@ -460,6 +464,20 @@ update-mime-database %{_datadir}/mime &> /dev/null || :
 %{_includedir}/PackageKit/backend/*.h

 %changelog
+* Fri Jul 01 2011 Richard Hughes  <rhughes@redhat.com> - 0.6.15-3
+- Upstream yum recently changed the behaviour when checking signatures
+  on a package. The commit added a new configuration key which only
+  affects local packages, but the key was set by default to False.
+- This meant that an end user could install a local unsigned rpm package
+  using PackageKit without a GPG trust check, and the user would be told
+  the untrusted package is itself trusted.
+- To exploit this low-impact vulnerability, a user would have to
+  manually download an unsigned package file and would still be required
+  to authenticate to install the package.
+- The CVE-ID for this bug is CVE-2011-2515
+- See https://bugzilla.redhat.com/show_bug.cgi?id=717566 for details.
+- Resolves #718127
+
 * Thu Jun 09 2011 Richard Hughes  <rhughes@redhat.com> - 0.6.15-2
 - Rebuild for bumped libzif soname.