Re: Risk of using rpm parser?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


On 03/03/2014 10:43 AM, Miroslav Suchý wrote:

Imagine you are attacker. You can submit to target server (Copr)
whatever src.rpm you want. That srpm will be build in VM, which will be
then terminated. But you know that the server will use queries using
python-rpm on final binary rpm files.

Parsing the src.rpm is unsafe (or more precisely, the spec file in it). This is by design, no exploit is needed.

Parsing the final RPMs can be made safe in theory, especially if the contents is not extracted to the file system. I don't know if the Python bindings encourage any questionable practices (such as macro expansion in headers read from the RPMs), but that would be bugs. If you can extract the data you need in the builder VM, it's probably best to do it there. But if the data structures for representing it are complex, you might have fewer bugs if you go directly for the RPM.

There's also the question what happens if the untrusted builder VM lies about properties of the RPMs.

Florian Weimer / Red Hat Product Security Team
Rpm-list mailing list

[Index of Archives]     [RPM Ecosystem]     [Linux Kernel]     [Red Hat Install]     [PAM]     [Red Hat Watch]     [Red Hat Development]     [Red Hat]     [Gimp]     [Yosemite News]     [IETF Discussion]

  Powered by Linux