Use RPMSIG_SIGNATURE_TYPE and rpmcliVerifySignatures() for all RPM-based signature verification

[DemiMarie]

This is libzypp’s version of CVE-2021-3445. Only users who have turned off repository signature verification for at least one repository are vulnerable, unlike DNF which is vulnerable by default. See rpm-software-management/libdnf#1179 and rpm-software-management/dnf#1752.

Reporting publicly because this is already public in other repositories and because default configurations are not vulnerable.

[mlandres]

@DemiMarie do you have some more details about the nature of CVE-2021-3445? Why should be calling ::rpmcliVerifySignatures more secure than ::rpmVerifySignatures, which is what zypp calls (plus parsing the output to grep keyids and unsigned packages).

Do you happen to have some 'bad' package we can use for testing?

[mlschroe]

rpmVerifySignatures and rpmcliVerifySignatures are pretty much the same. The difference is that you can verify multiple rpms with rpmcliVerifySignatures. I don't see any other meaningful difference.

Mayby this is about rpmtsSetVfyLevel(ts, RPMSIG_SIGNATURE_TYPE);, but that would disable signature checks, so do not do that...

[mlschroe]

Wait, I mixed up SetVfyLevel() with SerVfyFlags.

[mlschroe]

rpmtsSetVfyLevel(ts, RPMSIG_SIGNATURE_TYPE); would make rpm insist on a signature.

[mlschroe]

Libzypp already checks the output of the signature verification and (if configured) rejects packages with no signature anyway, so this is not needed.

[mlandres]

@DemiMarie do you have some more details about the nature of CVE-2021-3445? Why should be calling ::rpmcliVerifySignatures be more secure than ::rpmVerifySignatures, which is what zypp calls (plus parsing the output to grep keyids and unsigned packages).

Where do you think our code is vulnerable, or was his issue just filed to make us aware of the CVE?

[DemiMarie]

@DemiMarie do you have some more details about the nature of CVE-2021-3445? Why should be calling ::rpmcliVerifySignatures be more secure than ::rpmVerifySignatures, which is what zypp calls (plus parsing the output to grep keyids and unsigned packages).

CVE-2021-3445 is a signature verification bypass in libdnf: it turns out that old versions of librpm (before the CVE-2021-3421 fix) allow for signatures to be located in the immutable header, which RPM will not check. This allowed libdnf to be tricked into thinking a package was validly signed when it was not. Using ::rpmVerifySignatures instead of ::rpmcliVerifySignatures is fine.

Where do you think our code is vulnerable, or was his issue just filed to make us aware of the CVE?

As per discussion with Red Hat Product Security, RPM does not guarantee that signatures will be checked unless rpmtsSetVfyLevel(ts, flags) is called, with flags including RPMSIG_SIGNATURE_TYPE. I strongly recommend rpmtsSetVfyFlags(ts, 0) as well, to guard against user misconfigurations. I sent the details privately to SUSE Security since I would rather not make them public until DNF, libdnf, and libzypp are patched and the patched versions released.

[mlandres]

Thanks. We'll review the code.

[DemiMarie]

#308

[DemiMarie]

Libzypp already checks the output of the signature verification and (if configured) rejects packages with no signature anyway, so this is not needed.

This is not sufficient; details have been sent privately to SUSE security.