[PackageKit/f15] Upstream yum recently changed the behaviour when checking signatures on a package. The commit added
Richard Hughes
rhughes at fedoraproject.org
Fri Jul 1 09:11:18 UTC 2011
commit 882573766a03d9106c7202bd36c38c66954caa1c
Author: Richard Hughes <richard at hughsie.com>
Date: Fri Jul 1 10:11:00 2011 +0100
Upstream yum recently changed the behaviour when checking signatures
on a package. The commit added a new configuration key which only
affects local packages, but the key was set by default to False.
This meant that an end user could install a local unsigned rpm package
using PackageKit without a GPG trust check, and the user would be told
the untrusted package is itself trusted.
To exploit this low-impact vulnerability, a user would have to
manually download an unsigned package file and would still be required
to authenticate to install the package.
The CVE-ID for this bug is CVE-2011-2515
See https://bugzilla.redhat.com/show_bug.cgi?id=717566 for details.
Resolves #718127
...E-2011-2515-which-affects-the-YUM-backend.patch | 92 ++++++++++++++++++++
PackageKit.spec | 20 ++++-
2 files changed, 111 insertions(+), 1 deletions(-)
---
diff --git a/0001-Fix-CVE-2011-2515-which-affects-the-YUM-backend.patch b/0001-Fix-CVE-2011-2515-which-affects-the-YUM-backend.patch
new file mode 100644
index 0000000..c99323e
--- /dev/null
+++ b/0001-Fix-CVE-2011-2515-which-affects-the-YUM-backend.patch
@@ -0,0 +1,92 @@
+From cd79fcfefc8af165faa9a320bec44ce6d1c5b125 Mon Sep 17 00:00:00 2001
+From: Richard Hughes <richard at hughsie.com>
+Date: Fri, 1 Jul 2011 09:20:40 +0100
+Subject: [PATCH] Fix CVE-2011-2515 which affects the YUM backend
+
+In commit 290933489b1aaeb1017d10fb59ccf3231e309115, YUM changed the behaviour
+when checking signatures on a package. The commit added a new configuration key
+'localpkg_gpgcheck' which only affects local packages, but the key was set by
+default to False, unlike 'gpgcheck' which was used for local and remote
+packages before this commit.
+
+This meant that an end user could install a local unsigned rpm package using
+PackageKit without a GPG trust check, and the user would be told the untrusted
+package is itself trusted. This would cause PackageKit to use a different
+(weaker) PolicyKit authentication that what would be required of an unsigned
+package.
+
+To exploit this low-impact vulnerability, a user would have to manually
+download an unsigned package file and would still be required to authenticate
+to install the package unless this has been changed by an administrator.
+
+Now, PackageKit sets internaly 'localpkg_gpgcheck' to match 'gpgcheck' for all
+versions of yum with this new feature to match the expected behaviour.
+
+Red Hat would like to thank Peter Robinson for reporting this issue.
+
+See http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2515 for more details.
+
+Fixes https://bugzilla.redhat.com/show_bug.cgi?id=717566
+---
+ backends/yum/yumBackend.py | 16 ++++++++++++++++
+ 1 files changed, 16 insertions(+), 0 deletions(-)
+
+diff --git a/backends/yum/yumBackend.py b/backends/yum/yumBackend.py
+index d66f862..d9a293c 100755
+--- a/backends/yum/yumBackend.py
++++ b/backends/yum/yumBackend.py
+@@ -1732,8 +1732,12 @@ class PackageKitYumBackend(PackageKitBaseBackend, PackagekitPackage):
+ # if only_trusted is true, it means that we will only update signed files
+ if only_trusted:
+ self.yumbase.conf.gpgcheck = 1
++ if hasattr(self.yumbase.conf, 'localpkg_gpgcheck'):
++ self.yumbase.conf.localpkg_gpgcheck = 1
+ else:
+ self.yumbase.conf.gpgcheck = 0
++ if hasattr(self.yumbase.conf, 'localpkg_gpgcheck'):
++ self.yumbase.conf.localpkg_gpgcheck = 0
+
+ self.yumbase.conf.throttle = "60%" # Set bandwidth throttle to 60%
+ # to avoid taking all the system's bandwidth.
+@@ -1956,8 +1960,12 @@ class PackageKitYumBackend(PackageKitBaseBackend, PackagekitPackage):
+ # if only_trusted is true, it means that we will only update signed files
+ if only_trusted:
+ self.yumbase.conf.gpgcheck = 1
++ if hasattr(self.yumbase.conf, 'localpkg_gpgcheck'):
++ self.yumbase.conf.localpkg_gpgcheck = 1
+ else:
+ self.yumbase.conf.gpgcheck = 0
++ if hasattr(self.yumbase.conf, 'localpkg_gpgcheck'):
++ self.yumbase.conf.localpkg_gpgcheck = 0
+
+ for package_id in package_ids:
+ grp = self._is_meta_package(package_id)
+@@ -2149,8 +2157,12 @@ class PackageKitYumBackend(PackageKitBaseBackend, PackagekitPackage):
+ # If only_trusted is true, it means that we will only install trusted files
+ if only_trusted or simulate:
+ self.yumbase.conf.gpgcheck = 1
++ if hasattr(self.yumbase.conf, 'localpkg_gpgcheck'):
++ self.yumbase.conf.localpkg_gpgcheck = 1
+ else:
+ self.yumbase.conf.gpgcheck = 0
++ if hasattr(self.yumbase.conf, 'localpkg_gpgcheck'):
++ self.yumbase.conf.localpkg_gpgcheck = 0
+
+ # self.yumbase.installLocal fails for unsigned packages when self.yumbase.conf.gpgcheck = 1
+ # This means we don't run runYumTransaction, and don't get the GPG failure in
+@@ -2304,8 +2316,12 @@ class PackageKitYumBackend(PackageKitBaseBackend, PackagekitPackage):
+ # if only_trusted is true, it means that we will only update signed files
+ if only_trusted:
+ self.yumbase.conf.gpgcheck = 1
++ if hasattr(self.yumbase.conf, 'localpkg_gpgcheck'):
++ self.yumbase.conf.localpkg_gpgcheck = 1
+ else:
+ self.yumbase.conf.gpgcheck = 0
++ if hasattr(self.yumbase.conf, 'localpkg_gpgcheck'):
++ self.yumbase.conf.localpkg_gpgcheck = 0
+
+ txmbrs = []
+ try:
+--
+1.7.5.4
+
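Review bot: The same six-line gpgcheck/localpkg_gpgcheck toggle is now copied into four methods (the hunks at 1732, 1960, 2157 and 2316 of yumBackend.py), so the next yum configuration key of this kind would again have to be added in four places and a missed site would silently reopen the same gap. A small private helper that takes the boolean and sets both keys in one place would reduce each call site to one line, `self._set_gpgcheck(only_trusted)`, or `self._set_gpgcheck(only_trusted or simulate)` in the third hunk. The `hasattr` guard presumably keeps older yum, which lacks `localpkg_gpgcheck`, on the previous behaviour where `gpgcheck` alone governs local packages; the helper below preserves that guard. Each of the four enclosing methods, and the class header, starts and ends outside its hunk.
```python
def _set_gpgcheck(self, enabled):
    """Enable or disable GPG signature checking for the pending transaction.

    Sets 'gpgcheck' and, on yum versions that expose it, 'localpkg_gpgcheck'
    to the same value so a local .rpm file gets the same trust check as a
    repository package.
    """
    value = 1 if enabled else 0
    self.yumbase.conf.gpgcheck = value
    if hasattr(self.yumbase.conf, 'localpkg_gpgcheck'):
        self.yumbase.conf.localpkg_gpgcheck = value

# … unchanged: surrounding method bodies …
# at each of the four call sites, replacing the if/else block:
self._set_gpgcheck(only_trusted)
```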
diff --git a/PackageKit.spec b/PackageKit.spec
index 6fdbe8b..c02e299 100644
--- a/PackageKit.spec
+++ b/PackageKit.spec
@@ -3,7 +3,7 @@
Summary: Package management service
Name: PackageKit
Version: 0.6.15
-Release: 1%{?dist}
+Release: 2%{?dist}
License: GPLv2+ and LGPLv2+
URL: http://www.packagekit.org
Source0: http://www.packagekit.org/releases/%{name}-%{version}.tar.bz2
@@ -14,6 +14,9 @@ Patch0: PackageKit-0.3.8-Fedora-Vendor.conf.patch
# Fedora specific: the yum backend doesn't do time estimation correctly
Patch1: PackageKit-0.4.4-Fedora-turn-off-time.conf.patch
+# Fix for CVE-2011-2515
+Patch2: 0001-Fix-CVE-2011-2515-which-affects-the-YUM-backend.patch
+
Requires: PackageKit-glib = %{version}-%{release}
Requires: PackageKit-yum = %{version}-%{release}
Requires: shared-mime-info
@@ -246,6 +249,7 @@ user to restart the computer or remove and re-insert the device.
%setup -q
%patch0 -p1 -b .fedora
%patch1 -p1 -b .no-time
+%patch2 -p1 -b .cve2011-2515
%build
%configure \
@@ -460,6 +464,20 @@ update-mime-database %{_datadir}/mime &> /dev/null || :
%{_includedir}/PackageKit/backend/*.h
%changelog
+* Fri Jul 01 2011 Richard Hughes <rhughes at redhat.com> - 0.6.15-2
+- Upstream yum recently changed the behaviour when checking signatures
+ on a package. The commit added a new configuration key which only
+ affects local packages, but the key was set by default to False.
+- This meant that an end user could install a local unsigned rpm package
+ using PackageKit without a GPG trust check, and the user would be told
+ the untrusted package is itself trusted.
+- To exploit this low-impact vulnerability, a user would have to
+ manually download an unsigned package file and would still be required
+ to authenticate to install the package.
+- The CVE-ID for this bug is CVE-2011-2515
+- See https://bugzilla.redhat.com/show_bug.cgi?id=717566 for details.
+- Resolves #718127
+
* Tue Jun 07 2011 Richard Hughes <rhughes at redhat.com> - 0.6.15-1
- New upstream release.
- More GIR fixes