Dmitry Antipov, a Linux developer at CloudLinux, AlmaLinux OS’s parent company, first spotted the problem in March 2021. Antipov found that RPM would work with unauthorized RPM packages. This meant that unsigned packages or packages signed with revoked keys could silently be patched or updated without a word of warning that they might not be kosher.
Why? Because RPM had never properly checked revoked certificate key handling. Specifically, as Linux and lead RPM developer Panu Matilainen explained: “Revocation is one of the many unimplemented things in rpm’s OpenPGP support. In other words, you’re not seeing a bug as such; it’s just not implemented at all, much like expiration is not.”
How could this be? It’s because RPM dates back to the days when getting code to work was the first priority and security came a long way second. For example, we don’t know whether the first RPM commit was made by Marc Ewing or Erik Troan because it was done as root. Those were the days!
Things have changed. Security is a much higher priority.
Antipov, wearing his hat as a TuxCare (CloudLinux’s KernelCare and Extended Lifecycle Support) team member, has submitted a patch to fix this problem. As Antipov explained in an interview: “The problem is that both RPM and DNF, [a popular software package manager that installs, updates, and removes packages on RPM-based Linux distributions] do a check to see if the key is valid and genuine but not expired, but not for revocation. As I understand it, all the distribution vendors have just been lucky enough to never have been hit by this.”
They have indeed been lucky. An attacker armed with an out-of-date key could find it child’s play to sneak malware into a Linux desktop or server.
Joao Correia, a TuxCare Technical Evangelist, asked: “Do you know how long it takes for the distros to pick up the changes that are submitted to the code repositories?”
Antipov replied:
He fears, though, that it may be months before the fix is released. At the moment, the security hole is still alive, well, and open for attack. Antipov and his team are considering opening a Common Vulnerabilities and Exposures (CVE) about the issue since, in the end, it’s clearly a security issue.
If I may be so bold: File a CVE with Red Hat. This needs fixing, and it needs fixing now. In the meantime, administrators of RPM-based systems will need to take a closer look at the patch programs to make sure they are legitimate patches.
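One way for an administrator to do that closer look today, as an added example that is not from the article, from Antipov’s patch, or from the RPM project: since RPM itself does not consult revocation or expiration, ask GnuPG instead. The script below pulls the Key ID that RPM recorded in a package’s signature header, exports the keys RPM has imported (the `gpg-pubkey` pseudo-packages) into a throwaway GnuPG keyring, and reads the validity flag from `gpg --with-colons` output, where `r` means revoked and `e` means expired. The embedded `SAMPLE_KEYS` block is constructed sample output with made-up key IDs so that the parsing part runs offline; `check_rpm_key` assumes `rpm` and `gpg` are installed and that the vendor key in the rpmdb carries its revocation signature, which is an assumption you must verify (see the note after the code).

```shell
#!/bin/sh
# Constructed sample of `gpg --with-colons --list-keys` output (fake key IDs, not real vendor keys).
# In a "pub" record, field 2 is the validity flag: r = revoked, e = expired; field 5 is the long key ID.
SAMPLE_KEYS='pub:r:4096:1:0123456789ABCDEF:1609459200:::-:::scESC::::::23::0:
uid:r::::1609459200::DEADBEEF::Example Vendor (revoked) <vendor@example.com>::::::::::0:
pub:e:4096:1:FEDCBA9876543210:1577836800:1609459200::-:::scESC::::::23::0:
uid:e::::1577836800::CAFEBABE::Example Vendor (expired) <vendor@example.com>::::::::::0:
pub:-:4096:1:0F0F0F0F0F0F0F0F:1609459200:::-:::scESC::::::23::0:
uid:-::::1609459200::F00DF00D::Example Vendor (good) <vendor@example.com>::::::::::0:'

# keyid_from_sigline "<rpm %{SIGPGP:pgpsig} text>"
# rpm prints e.g. "RSA/SHA256, Thu 01 Jan 2021, Key ID 0123456789abcdef";
# extract the 16 hex digits and upper-case them to match gpg's colon format.
keyid_from_sigline() {
  printf '%s\n' "$1" | sed -n 's/.*Key ID \([0-9a-fA-F]\{16\}\).*/\1/p' | tr 'a-f' 'A-F'
}

# key_status KEYID [colon-output]
# Prints revoked | expired | ok | unknown for the given long key ID.
# Defaults to the constructed SAMPLE_KEYS so it can be exercised without gpg.
key_status() {
  keyid=$1
  input=${2:-$SAMPLE_KEYS}
  printf '%s\n' "$input" | awk -F: -v id="$keyid" '
    $1 == "pub" && $5 == id {
      if ($2 == "r") print "revoked"; else if ($2 == "e") print "expired"; else print "ok"
      found = 1; exit
    }
    END { if (!found) print "unknown" }'
}

# check_rpm_key /path/to/package.rpm
# Real-system check (assumes rpm and gpg are installed):
#  1. export every key RPM has imported (gpg-pubkey packages store the armored key in %{description}),
#  2. import them into a temporary GnuPG home so gpg, not rpm, evaluates revocation/expiry,
#  3. read the signing Key ID from the package header and report its status.
check_rpm_key() {
  pkg=$1
  tmp=$(mktemp -d) || return 1
  rpm -q gpg-pubkey --qf '%{description}\n' 2>/dev/null | gpg --homedir "$tmp" --import >/dev/null 2>&1
  sig=$(rpm -qp --qf '%{SIGPGP:pgpsig}' "$pkg" 2>/dev/null)
  id=$(keyid_from_sigline "$sig")
  if [ -z "$id" ]; then
    echo "unsigned"
  else
    key_status "$id" "$(gpg --homedir "$tmp" --with-colons --list-keys 2>/dev/null)"
  fi
  rm -rf "$tmp"
}

# Usage: ./check_rpm_key.sh some-package.rpm
if [ $# -gt 0 ]; then
  check_rpm_key "$1"
fi
```

Two caveats a practitioner should keep in mind. First, GnuPG can only report a key as revoked if the revocation signature is present in the keyring; the copy RPM imported months ago may predate the revocation, so refresh the vendor key from its published location before trusting an `ok`. Second, this is a workaround for a missing check in RPM, not a replacement for the fix: a result of `unsigned`, `revoked`, or `expired` means the package should not be installed until its provenance is confirmed.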