Blame SOURCES/0004-Use-rpmkeys-alone-to-verify-signature.patch

bc72d2
From 9798e9ee85f1ba39c816fa08fd3d6168cc8b29e8 Mon Sep 17 00:00:00 2001
6cc3d3
From: Demi Marie Obenour <demi@invisiblethingslab.com>
6cc3d3
Date: Fri, 9 Apr 2021 13:03:03 -0400
6cc3d3
Subject: [PATCH] Use rpmkeys alone to verify signature
6cc3d3
6cc3d3
This avoids having to actually parse the package to check its signature,
6cc3d3
which reduces attack surface.  If the output of rpmkeys cannot be
6cc3d3
parsed, we assume the package is corrupt (the most likely cause).
6cc3d3
---
bc72d2
 dnf/rpm/miscutils.py | 126 ++++++++++++++++++++++---------------------
6cc3d3
 1 file changed, 66 insertions(+), 60 deletions(-)
6cc3d3
6cc3d3
diff --git a/dnf/rpm/miscutils.py b/dnf/rpm/miscutils.py
bc72d2
index 5f2621c2..9d5b2860 100644
6cc3d3
--- a/dnf/rpm/miscutils.py
6cc3d3
+++ b/dnf/rpm/miscutils.py
bc72d2
@@ -13,47 +13,84 @@
6cc3d3
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
6cc3d3
 # Copyright 2003 Duke University
6cc3d3
 
6cc3d3
-from __future__ import print_function, absolute_import
6cc3d3
-from __future__ import unicode_literals
6cc3d3
+from __future__ import print_function, absolute_import, unicode_literals
6cc3d3
 
6cc3d3
-import rpm
6cc3d3
 import os
6cc3d3
 import subprocess
6cc3d3
 import logging
6cc3d3
-
6cc3d3
-from dnf.i18n import ucd
6cc3d3
-from dnf.i18n import _
6cc3d3
 from shutil import which
6cc3d3
 
6cc3d3
+from dnf.i18n import _
6cc3d3
 
6cc3d3
-logger = logging.getLogger('dnf')
6cc3d3
+_logger = logging.getLogger('dnf')
6cc3d3
+_rpmkeys_binary = None
6cc3d3
 
6cc3d3
+def _find_rpmkeys_binary():
6cc3d3
+    global _rpmkeys_binary
6cc3d3
+    if _rpmkeys_binary is None:
6cc3d3
+        _rpmkeys_binary = which("rpmkeys")
6cc3d3
+        _logger.debug(_('Using rpmkeys executable at %s to verify signatures'),
6cc3d3
+                      _rpmkeys_binary)
6cc3d3
+    return _rpmkeys_binary
6cc3d3
 
6cc3d3
-def _verifyPkgUsingRpmkeys(package, installroot, fdno):
6cc3d3
-    os.lseek(fdno, 0, os.SEEK_SET)
6cc3d3
-    rpmkeys_binary = '/usr/bin/rpmkeys'
6cc3d3
-    if not os.path.isfile(rpmkeys_binary):
6cc3d3
-        rpmkeys_binary = which("rpmkeys")
6cc3d3
-        logger.info(_('Using rpmkeys executable from {path} to verify signature for package: {package}.').format(
6cc3d3
-            path=rpmkeys_binary, package=package))
6cc3d3
+def _process_rpm_output(data):
6cc3d3
+    # No signatures or digests = corrupt package.
6cc3d3
+    # There is at least one line for -: and another (empty) entry after the
6cc3d3
+    # last newline.
6cc3d3
+    if len(data) < 3 or data[0] != b'-:' or data[-1]:
6cc3d3
+        return 2
6cc3d3
+    seen_sig, missing_key, not_trusted, not_signed = False, False, False, False
6cc3d3
+    for i in data[1:-1]:
6cc3d3
+        if b': BAD' in i:
6cc3d3
+            return 2
6cc3d3
+        elif i.endswith(b': NOKEY'):
6cc3d3
+            missing_key = True
6cc3d3
+        elif i.endswith(b': NOTTRUSTED'):
6cc3d3
+            not_trusted = True
6cc3d3
+        elif i.endswith(b': NOTFOUND'):
6cc3d3
+            not_signed = True
6cc3d3
+        elif not i.endswith(b': OK'):
6cc3d3
+            return 2
6cc3d3
+    if not_trusted:
6cc3d3
+        return 3
6cc3d3
+    elif missing_key:
6cc3d3
+        return 1
6cc3d3
+    elif not_signed:
6cc3d3
+        return 4
6cc3d3
+    # we still check return code, so this is safe
6cc3d3
+    return 0
6cc3d3
 
6cc3d3
-    if not os.path.isfile(rpmkeys_binary):
6cc3d3
-        logger.critical(_('Cannot find rpmkeys executable to verify signatures.'))
6cc3d3
-        return 0
6cc3d3
+def _verifyPackageUsingRpmkeys(package, installroot):
6cc3d3
+    rpmkeys_binary = _find_rpmkeys_binary()
6cc3d3
+    if rpmkeys_binary is None or not os.path.isfile(rpmkeys_binary):
6cc3d3
+        _logger.critical(_('Cannot find rpmkeys executable to verify signatures.'))
6cc3d3
+        return 2
6cc3d3
 
6cc3d3
-    args = ('rpmkeys', '--checksig', '--root', installroot, '--define', '_pkgverify_level all', '-')
6cc3d3
+    # "--define=_pkgverify_level all" enforces signature checking;
6cc3d3
+    # "--define=_pkgverify_flags 0x0" ensures that all signatures and digests
6cc3d3
+    # are checked.
6cc3d3
+    args = ('rpmkeys', '--checksig', '--root', installroot, '--verbose',
6cc3d3
+            '--define=_pkgverify_level all', '--define=_pkgverify_flags 0x0',
6cc3d3
+            '-')
6cc3d3
     with subprocess.Popen(
6cc3d3
             args=args,
6cc3d3
             executable=rpmkeys_binary,
6cc3d3
             env={'LC_ALL': 'C'},
6cc3d3
-            stdin=fdno,
6cc3d3
             stdout=subprocess.PIPE,
6cc3d3
-            cwd='/') as p:
6cc3d3
-        data, err = p.communicate()
6cc3d3
-    if p.returncode != 0 or data != b'-: digests signatures OK\n':
6cc3d3
-        return 0
6cc3d3
-    else:
6cc3d3
-        return 1
6cc3d3
+            cwd='/',
6cc3d3
+            stdin=package) as p:
6cc3d3
+        data = p.communicate()[0]
6cc3d3
+    returncode = p.returncode
6cc3d3
+    if type(returncode) is not int:
6cc3d3
+        raise AssertionError('Popen set return code to non-int')
6cc3d3
+    # rpmkeys can return something other than 0 or 1 in the case of a
6cc3d3
+    # fatal error (OOM, abort() called, SIGSEGV, etc)
6cc3d3
+    if returncode >= 2 or returncode < 0:
6cc3d3
+        return 2
6cc3d3
+    ret = _process_rpm_output(data.split(b'\n'))
6cc3d3
+    if ret:
6cc3d3
+        return ret
6cc3d3
+    return 2 if returncode else 0
6cc3d3
 
6cc3d3
 def checkSig(ts, package):
6cc3d3
     """Takes a transaction set and a package, check it's sigs,
bc72d2
@@ -63,40 +100,9 @@ def checkSig(ts, package):
6cc3d3
     return 3 if the key is not trusted
6cc3d3
     return 4 if the pkg is not gpg or pgp signed"""
6cc3d3
 
6cc3d3
-    value = 4
6cc3d3
-    currentflags = ts.setVSFlags(0)
6cc3d3
-    fdno = os.open(package, os.O_RDONLY)
6cc3d3
+    fdno = os.open(package, os.O_RDONLY|os.O_NOCTTY|os.O_CLOEXEC)
6cc3d3
     try:
6cc3d3
-        hdr = ts.hdrFromFdno(fdno)
6cc3d3
-    except rpm.error as e:
6cc3d3
-        if str(e) == "public key not available":
6cc3d3
-            value = 1
6cc3d3
-        elif str(e) == "public key not trusted":
6cc3d3
-            value = 3
6cc3d3
-        elif str(e) == "error reading package header":
6cc3d3
-            value = 2
6cc3d3
-        else:
6cc3d3
-            raise ValueError('Unexpected error value %r from ts.hdrFromFdno when checking signature.' % str(e))
6cc3d3
-    else:
6cc3d3
-        # checks signature from an hdr
6cc3d3
-        string = '%|DSAHEADER?{%{DSAHEADER:pgpsig}}:{%|RSAHEADER?{%{RSAHEADER:pgpsig}}:' \
6cc3d3
-                 '{%|SIGGPG?{%{SIGGPG:pgpsig}}:{%|SIGPGP?{%{SIGPGP:pgpsig}}:{(none)}|}|}|}|'
6cc3d3
-        try:
6cc3d3
-            siginfo = hdr.sprintf(string)
6cc3d3
-            siginfo = ucd(siginfo)
6cc3d3
-
6cc3d3
-            if siginfo == '(none)':
6cc3d3
-                value = 4
6cc3d3
-            elif "Key ID" in siginfo and _verifyPkgUsingRpmkeys(package, ts.ts.rootDir, fdno):
6cc3d3
-                value = 0
6cc3d3
-            else:
6cc3d3
-                raise ValueError('Unexpected return value %r from hdr.sprintf when checking signature.' % siginfo)
6cc3d3
-        except UnicodeDecodeError:
6cc3d3
-            pass
6cc3d3
-
6cc3d3
-        del hdr
6cc3d3
-
6cc3d3
-    os.close(fdno)
6cc3d3
-
6cc3d3
-    ts.setVSFlags(currentflags)  # put things back like they were before
6cc3d3
+        value = _verifyPackageUsingRpmkeys(fdno, ts.ts.rootDir)
6cc3d3
+    finally:
6cc3d3
+        os.close(fdno)
6cc3d3
     return value
bc72d2
-- 
bc72d2
2.35.1
6cc3d3