On 03/03/2014 10:43 AM, Miroslav Suchý wrote:
Imagine you are attacker. You can submit to target server (Copr) whatever src.rpm you want. That srpm will be build in VM, which will be then terminated. But you know that the server will use queries using python-rpm on final binary rpm files.
Parsing the src.rpm is unsafe (or more precisely, the spec file in it). This is by design, no exploit is needed.
Parsing the final RPMs can be made safe in theory, especially if the contents is not extracted to the file system. I don't know if the Python bindings encourage any questionable practices (such as macro expansion in headers read from the RPMs), but that would be bugs. If you can extract the data you need in the builder VM, it's probably best to do it there. But if the data structures for representing it are complex, you might have fewer bugs if you go directly for the RPM.
There's also the question what happens if the untrusted builder VM lies about properties of the RPMs.
-- Florian Weimer / Red Hat Product Security Team _______________________________________________ Rpm-list mailing list Rpm-list@xxxxxxxxxxxxx http://lists.rpm.org/mailman/listinfo/rpm-list
