!17 fix CVE-2021-3445 and remove python2 test

From: @eaglegai Reviewed-by: @yanan-rock Signed-off-by: @yanan-rock
2021-06-09 11:45:53 +08:00 · 2021-06-09 11:45:53 +08:00 · 313706f3cc
commit 313706f3cc
parent 9319d1f4fd 533d7b6510
2 changed files with 126 additions and 8 deletions
--- a/CVE-2021-3445.patch
+++ b/CVE-2021-3445.patch
@ -0,0 +1,117 @@
 From 930f2582f91077b3f338b84cf9567559d52713de Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Ale=C5=A1=20Mat=C4=9Bj?= <amatej@redhat.com>
 Date: Mon, 29 Mar 2021 09:22:09 +0200
 Subject: [PATCH] Hardening: add signature check with rpmcliVerifySignatures
 This api is not ideal but works for now. We don't have to set
 installroot for the used transaction because we set keyring which is
 used to retrieve the keys.
 = changelog =
 msg: Hardening: add signature check with rpmcliVerifySignatures
 type: security
 resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1932079
 CVE-2021-3445
 RhBug:1932079
 RhBug:1932089
 RhBug:1932090
 Related: CVE-2021-3421, CVE-2021-20271
 ---
 libdnf/dnf-keyring.cpp | 52 ++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 50 insertions(+), 2 deletions(-)
 diff --git a/libdnf/dnf-keyring.cpp b/libdnf/dnf-keyring.cpp
 index eec58c69ea..62a6248cb8 100644
 --- a/libdnf/dnf-keyring.cpp
 +++ b/libdnf/dnf-keyring.cpp
@@ -34,6 +34,8 @@
 #include <glib.h>
 #include <rpm/rpmlib.h>
 #include <rpm/rpmts.h>
 +#include <rpm/rpmlog.h>
 +#include <rpm/rpmcli.h>
 #include "catch-error.hpp"
 #include "dnf-types.h"
@@ -216,6 +218,26 @@ dnf_keyring_add_public_keys(rpmKeyring keyring, GError **error) try
     return TRUE;
 } CATCH_TO_GERROR(FALSE)
 +static int
 +rpmcliverifysignatures_log_handler_cb(rpmlogRec rec, rpmlogCallbackData data)
 +{
 +    GString **string =(GString **) data;
 +
 +    /* create string if required */
 +    if (*string == NULL)
 +        *string = g_string_new("");
 +
 +    /* if text already exists, join them */
 +    if ((*string)->len > 0)
 +        g_string_append(*string, ": ");
 +    g_string_append(*string, rpmlogRecMessage(rec));
 +
 +    /* remove the trailing /n which rpm does */
 +    if ((*string)->len > 0)
 +        g_string_truncate(*string,(*string)->len - 1);
 +    return 0;
 +}
 +
 /**
  * dnf_keyring_check_untrusted_file:
  */
@@ -232,6 +254,10 @@ dnf_keyring_check_untrusted_file(rpmKeyring keyring,
     rpmtd td = NULL;
     rpmts ts = NULL;
 +    char *path = g_strdup(filename);
 +    char *path_array[2] = {path, NULL};
 +    g_autoptr(GString) rpm_error = NULL;
 +
     /* open the file for reading */
     fd = Fopen(filename, "r.fdio");
     if (fd == NULL) {
@@ -252,9 +278,27 @@ dnf_keyring_check_untrusted_file(rpmKeyring keyring,
         goto out;
     }
 -    /* we don't want to abort on missing keys */
     ts = rpmtsCreate();
 -    rpmtsSetVSFlags(ts, _RPMVSF_NOSIGNATURES);
 +
 +    if (rpmtsSetKeyring(ts, keyring) < 0) {
 +        g_set_error_literal(error, DNF_ERROR, DNF_ERROR_INTERNAL_ERROR, "failed to set keyring");
 +        goto out;
 +    }
 +    rpmtsSetVfyLevel(ts, RPMSIG_SIGNATURE_TYPE);
 +    rpmlogSetCallback(rpmcliverifysignatures_log_handler_cb, &rpm_error);
 +
 +    // rpm doesn't provide any better API call than rpmcliVerifySignatures (which is for CLI):
 +    // - use path_array as input argument
 +    // - gather logs via callback because we don't want to print anything if check is successful
 +    if (rpmcliVerifySignatures(ts, (char * const*) path_array)) {
 +        g_set_error(error,
 +                DNF_ERROR,
 +                DNF_ERROR_GPG_SIGNATURE_INVALID,
 +                "%s could not be verified.\n%s",
 +                filename,
 +                (rpm_error ? rpm_error->str : "UNKNOWN ERROR"));
 +        goto out;
 +    }
     /* read in the file */
     rc = rpmReadPackageFile(ts, fd, filename, &hdr);
@@ -318,6 +362,10 @@ dnf_keyring_check_untrusted_file(rpmKeyring keyring,
     g_debug("%s has been verified as trusted", filename);
     ret = TRUE;
 out:
 +    rpmlogSetCallback(NULL, NULL);
 +
 +    if (path != NULL)
 +        g_free(path);
     if (dig != NULL)
         pgpFreeDig(dig);
     if (td != NULL) {
--- a/libdnf.spec
+++ b/libdnf.spec
@ -20,13 +20,14 @@
 Name:                      libdnf
 Version:                   0.48.0
-Release:                   1
+Release:                   2
 Summary:                   Library providing simplified C and Python API to libsolv
 License:                   LGPLv2+
 URL:                       https://github.com/rpm-software-management/libdnf
 Source0:                   %{url}/archive/%{version}/%{name}-%{version}.tar.gz                    
-Patch0000:                 fix-python2-no-format-arguments-error.patch
+Patch0:                    fix-python2-no-format-arguments-error.patch
 Patch1:                    CVE-2021-3445.patch
 BuildRequires:             cmake gcc gcc-c++ libsolv-devel >= %{libsolv_version} gettext
 BuildRequires:             pkgconfig(librepo) >= %{librepo_version} pkgconfig(check)              
@ -143,12 +144,6 @@ popd
 %endif
 %check
 %if %{with python2}
 pushd build-py2
  make ARGS="-V" test
 popd
 %endif
 %if %{with python3}
 %if %{without python2}
 pushd build-py3
@ -213,6 +208,12 @@ popd
 %endif
 %changelog
 * Tue Jun 8 2021 gaihuiying <gaihuiying@huawei.com> - 0.48.0-2
 - Type:CVE
 - ID:NA
 - SUG:NA
 - DESC:fix CVE-2021-3445 and remove python2 test
 * Sat Aug 29 2020 openEuler Buildteam <buildteam@openeuler.org> - 0.48.0-1
 - Type:requirement
 - ID:NA