RPM roadmapping

Panu Matilainen pmatilai at laiskiainen.org
Mon Jul 30 20:21:31 UTC 2007


On Mon, 30 Jul 2007, seth vidal wrote:

> On Mon, 2007-07-30 at 21:03 +0300, Panu Matilainen wrote:
>> Yum could just as well support "yum install http://..../foo.rpm" :)
>>
>> Speaking of that, yum currently accesses package header before verifying
>> the signature, at least in the case of localinstall. I've some fuzzed
>> rpm's here that cause rpm to segfault if signature checking is
>> disabled as yum does... Dunno how exploitable that is in reality but there
>> is a potential vulnerability there anyway.
>
> 1. Can I get a copy of those rpms?
> 2. I've heard about the aforementioned mythic case of an exploit but
> never actually seen one. I could be wrong but I thought the case that
> was dangerous was not if gpg signature checking was disabled but if
> header checking in general was disabled. Changing yum's opener for pkgs
> so it does with hdr checking enabled is pretty simple to do - however,
> it'd be nice if I had a replicating case to check it out with.

Sure, check out the crash_rpm?.rpm's from comments 1-3
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=239557
You'll need to test those with rpm 4.4.2.1 as older ones crash on them 
with or without signature checking.

 	- Panu -
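
An illustration of the "header checking" this thread refers to, added here as an example; it is not part of the original message and is not rpm's or yum's code. It is a simplified structural check of an RPM header structure's index before any entry is dereferenced; the function names, size caps and sample blobs are assumptions constructed for the sketch.

```python
import struct

HEADER_MAGIC = b"\x8e\xad\xe8\x01"  # header-structure magic and version byte
INTRO_LEN = 16    # magic(4) + reserved(4) + index count(4) + store size(4)
ENTRY_LEN = 16    # tag, type, offset, count: four big-endian uint32
MAX_TYPE = 9      # highest RPM tag data type (I18NSTRING)
MAX_ENTRIES, MAX_STORE = 0xFFFF, 256 * 1024 * 1024  # assumed caps for this sketch

def check_header(blob):
    """Return [(tag, type, offset, count)] or raise ValueError if malformed."""
    if len(blob) < INTRO_LEN or blob[:4] != HEADER_MAGIC:
        raise ValueError("truncated intro or bad magic")
    nindex, hsize = struct.unpack(">II", blob[8:16])
    if not 0 < nindex <= MAX_ENTRIES or hsize > MAX_STORE:
        raise ValueError("implausible index count or store size")
    if len(blob) < INTRO_LEN + nindex * ENTRY_LEN + hsize:
        raise ValueError("blob shorter than declared index + store")
    entries = []
    for i in range(nindex):
        start = INTRO_LEN + i * ENTRY_LEN
        tag, typ, offset, count = struct.unpack(">4I", blob[start:start + ENTRY_LEN])
        if typ > MAX_TYPE:
            raise ValueError("entry %d: unknown data type %d" % (i, typ))
        # Each element needs at least one byte, so offset and count must fit the store.
        if offset >= hsize or count == 0 or count > hsize - offset:
            raise ValueError("entry %d: data outside the store" % i)
        entries.append((tag, typ, offset, count))
    return entries

def build_header(entries, store):
    """Constructed sample input: serialize index entries plus a data store."""
    intro = HEADER_MAGIC + b"\x00" * 4 + struct.pack(">II", len(entries), len(store))
    return intro + b"".join(struct.pack(">4I", *e) for e in entries) + store

def is_sane(blob):
    try:
        check_header(blob)
        return True
    except ValueError:
        return False

# Constructed samples: one STRING (type 6) entry, tag 1000, value at offset 0.
GOOD = build_header([(1000, 6, 0, 1)], b"foo\x00")
# Same entry, but the offset points far past the 4-byte store.
BAD_OFFSET = build_header([(1000, 6, 0x7FFFFFFF, 1)], b"foo\x00")
# Index count claims more entries than the blob actually holds.
BAD_COUNT = GOOD[:8] + struct.pack(">I", 5000) + GOOD[12:]
```

A consumer that skips this kind of validation and trusts `offset` and `count` directly is reading attacker-controlled values as memory locations, which is the failure mode malformed packages probe for.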



