qubes-receive-updates rejects some signatures because of too strict regexp #988

Closed
v6ak opened this Issue May 4, 2015 · 2 comments


v6ak commented May 4, 2015

When I was trying to install Bumblebee, I wondered why it rejects the signature even if rpm -K told me that the signature is OK. I've found the root of the issue:

There is a too strict regexp for parsing the output, see: abeluck/qubes-core@2950ee7#diff-9edf4e30fdc866530e395a45a829c27bR37

On the bumblebee package, rpm -K

  1. returns the checks in a different order and
  2. returns "gpg" instead of "pgp"

I however know it might be hard to fix it without risking some injection through the filename. If you were looking just for " (gpg|pgp) .*OK$", an adversary could maybe fool us with a file named "malware gpg .rpm" with no signature. If rpm -K returns OK even if there is no signature, but all other checks are OK, it would generate output like malware gpg .rpm: md5 OK, which would match the regexp.

Maybe regexp " (gpg|pgp) [a-z0-9 ]*OK$" is still hacky, but should be secure.

Note that I am not a Fedora/RedHat expert; I rather have experience with other distributions (Gentoo, Archlinux, Debian, Ubuntu).

@marmarek marmarek added this to the Release 3.0 milestone May 11, 2015

@marmarek marmarek self-assigned this May 11, 2015

marmarek commented May 11, 2015

```
$ rpm -K glibc-2.20-8.fc21.src.rpm
glibc-2.20-8.fc21.src.rpm: rsa sha1 (md5) pgp md5 OK
$ rpm -K bumblebee-3.2.1-7.fc21.x86_64.rpm 
bumblebee-3.2.1-7.fc21.x86_64.rpm: (sha1) dsa sha1 md5 gpg OK
```

rpm, are you drunk? ;) Note the order of "md5" and pgp/gpg...
But fortunately spaces (and colon) in the package name are filtered earlier, so your regexp looks good (even the first one).

Verbose output, just for reference:

```
$ rpm -Kv glibc-2.20-8.fc21.src.rpm
glibc-2.20-8.fc21.src.rpm:
    Header V3 RSA/SHA256 Signature, key ID 95a43f54: OK
    Header SHA1 digest: OK (a3b97e8d72ea9305479baa5ff0fb7dac6bcd9186)
    V3 RSA/SHA256 Signature, key ID 95a43f54: OK
    MD5 digest: OK (1886f5e4e5af94db8951105496d1b1b9)
$ rpm -Kv bumblebee-3.2.1-7.fc21.x86_64.rpm
bumblebee-3.2.1-7.fc21.x86_64.rpm:
    Header V4 DSA/SHA1 Signature, key ID 0b40f7fd: OK
    Header SHA1 digest: OK (750f9a779319d89cedeac3bcd45e294ace7993a9)
    MD5 digest: OK (1f4faa8d5f71dedf53732bf1858a870d)
    V4 DSA/SHA1 Signature, key ID 0b40f7fd: OK
```
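
The following is an added example, not code from the Qubes project or from either participant. It runs the three candidate regexps discussed in this thread (the "original" pattern is an assumption standing in for the strict one in the linked diff, modelled on the fixed "pgp md5" ordering the issue complains about) over the two real rpm -K lines quoted above and over the hypothetical unsigned "malware gpg .rpm" file, and it shows a defensive check that rejects unsafe filenames first and strips the known filename verbatim before applying the pattern, so the regexp only ever sees rpm's own check list. The filename whitelist pattern is my own assumption about what "filtered earlier" looks like.

```python
import re

# Constructed sample output lines. The first two are the rpm -K lines quoted
# in the thread; the third is the hypothetical unsigned file with a crafted
# name that v6ak describes (no signature, only the md5 check passes).
SAMPLES = {
    "glibc": "glibc-2.20-8.fc21.src.rpm: rsa sha1 (md5) pgp md5 OK",
    "bumblebee": "bumblebee-3.2.1-7.fc21.x86_64.rpm: (sha1) dsa sha1 md5 gpg OK",
    "crafted": "malware gpg .rpm: md5 OK",
}

# Candidate patterns from the thread. "original" is an assumption standing in
# for the strict regexp in the linked diff: it expects "pgp" and a fixed order.
PATTERNS = {
    "original": re.compile(r" pgp md5 OK$"),
    "loose": re.compile(r" (gpg|pgp) .*OK$"),
    "strict": re.compile(r" (gpg|pgp) [a-z0-9 ]*OK$"),
}

# Assumed filename whitelist applied before rpm -K is ever run: no whitespace,
# no colon, must end in .rpm. This is what makes the filename prefix of the
# rpm -K line unable to carry attacker-chosen tokens such as " gpg ".
SAFE_NAME = re.compile(r"^[A-Za-z0-9._+-]+\.rpm$")


def accepting_patterns(line):
    """Return the names of the candidate patterns that accept this rpm -K line."""
    return {name for name, pat in PATTERNS.items() if pat.search(line)}


def is_safe_filename(name):
    """True if the package filename passes the assumed whitelist."""
    return bool(SAFE_NAME.match(name))


def signature_ok(filename, line):
    """Defensive check of one rpm -K output line for a known filename.

    The filename is validated first, then stripped from the line verbatim, so
    the signature regexp is applied only to rpm's own check list and never to
    text derived from the filename.
    """
    if not is_safe_filename(filename):
        return False
    prefix = filename + ": "
    if not line.startswith(prefix):
        return False
    checks = line[len(prefix):]
    # Prepend a space so a check list that begins with "gpg" still matches.
    return bool(PATTERNS["strict"].search(" " + checks))


if __name__ == "__main__":
    for label, line in SAMPLES.items():
        print(f"{label:10} accepted by: {sorted(accepting_patterns(line))}")
    print("bumblebee signature_ok:",
          signature_ok("bumblebee-3.2.1-7.fc21.x86_64.rpm", SAMPLES["bumblebee"]))
    print("crafted   signature_ok:",
          signature_ok("malware gpg .rpm", SAMPLES["crafted"]))
```

Running it shows the three outcomes the thread argues about: the original pattern accepts glibc but not bumblebee, the loose pattern accepts all three lines including the crafted one, and the strict pattern accepts the two real lines only. The `signature_ok` check adds the second layer marmarek points to, rejecting the crafted name before any regexp runs.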

marmarek added a commit to marmarek/old-qubes-core-admin-linux that referenced this issue Jun 20, 2015

dom0-update: improve package validation regexp - include DSA case (#988)
Apparently when a package is signed with a DSA key, the rpm -K output is totally
different. This is the case for the bumblebee package on rpmfusion.

Fixes QubesOS/qubes-issues#988

(cherry picked from commit a5650d3)

marmarek commented Oct 29, 2015

Automated announcement from builder-github

The package qubes-core-dom0-linux-2.0.31-1.fc20 has been pushed to the r2 stable repository for dom0.
To install this update, please use the standard update command:

sudo qubes-dom0-update

Or update dom0 via Qubes Manager.
