
Bug#986979: marked as done (unblock: libdnf/0.55.2-6)



Your message dated Thu, 15 Apr 2021 07:50:36 +0000
with message-id <E1lWwlo-00063C-Ja@respighi.debian.org>
and subject line unblock libdnf
has caused the Debian Bug report #986979,
regarding unblock: libdnf/0.55.2-6
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
986979: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986979
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package libdnf, 0.55.2-6 fixes #986802 / CVE-2021-3445.

$ * debdiff libdnf_0.55.2-5.dsc libdnf_0.55.2-6.dsc
diff -Nru libdnf-0.55.2/debian/changelog libdnf-0.55.2/debian/changelog
--- libdnf-0.55.2/debian/changelog	2021-02-04 01:17:07.000000000 +0100
+++ libdnf-0.55.2/debian/changelog	2021-04-14 21:26:57.000000000 +0200
@@ -1,3 +1,9 @@
+libdnf (0.55.2-6) unstable; urgency=high
+
+  * Add patch for signature check with rpmcliVerifySignatures. Closes: #986802.
+
+ -- Frédéric Pierret <frederic.pierret@qubes-os.org>  Wed, 14 Apr 2021 21:26:57 +0200
+
 libdnf (0.55.2-5) unstable; urgency=medium
 
   * Team upload.
diff -Nru libdnf-0.55.2/debian/patches/0014-Hardening-add-signature-check-with-rpmcliVerifySigna.patch libdnf-0.55.2/debian/patches/0014-Hardening-add-signature-check-with-rpmcliVerifySigna.patch
--- libdnf-0.55.2/debian/patches/0014-Hardening-add-signature-check-with-rpmcliVerifySigna.patch	1970-01-01 01:00:00.000000000 +0100
+++ libdnf-0.55.2/debian/patches/0014-Hardening-add-signature-check-with-rpmcliVerifySigna.patch	2021-04-14 21:26:57.000000000 +0200
@@ -0,0 +1,119 @@
+From 930f2582f91077b3f338b84cf9567559d52713de Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ale=C5=A1=20Mat=C4=9Bj?= <amatej@redhat.com>
+Date: Mon, 29 Mar 2021 09:22:09 +0200
+Subject: [PATCH] Hardening: add signature check with rpmcliVerifySignatures
+
+This api is not ideal but works for now. We don't have to set
+installroot for the used transaction because we set keyring which is
+used to retrieve the keys.
+
+= changelog =
+msg: Hardening: add signature check with rpmcliVerifySignatures
+type: security
+resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1932079
+
+CVE-2021-3445
+RhBug:1932079
+RhBug:1932089
+RhBug:1932090
+
+Related: CVE-2021-3421, CVE-2021-20271
+---
+ libdnf/dnf-keyring.cpp | 52 ++++++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 50 insertions(+), 2 deletions(-)
+
+diff --git a/libdnf/dnf-keyring.cpp b/libdnf/dnf-keyring.cpp
+index eec58c69..62a6248c 100644
+--- a/libdnf/dnf-keyring.cpp
++++ b/libdnf/dnf-keyring.cpp
+@@ -34,6 +34,8 @@
+ #include <glib.h>
+ #include <rpm/rpmlib.h>
+ #include <rpm/rpmts.h>
++#include <rpm/rpmlog.h>
++#include <rpm/rpmcli.h>
+ 
+ #include "catch-error.hpp"
+ #include "dnf-types.h"
+@@ -216,6 +218,26 @@ dnf_keyring_add_public_keys(rpmKeyring keyring, GError **error) try
+     return TRUE;
+ } CATCH_TO_GERROR(FALSE)
+ 
++static int
++rpmcliverifysignatures_log_handler_cb(rpmlogRec rec, rpmlogCallbackData data)
++{
++    GString **string =(GString **) data;
++
++    /* create string if required */
++    if (*string == NULL)
++        *string = g_string_new("");
++
++    /* if text already exists, join them */
++    if ((*string)->len > 0)
++        g_string_append(*string, ": ");
++    g_string_append(*string, rpmlogRecMessage(rec));
++
++    /* remove the trailing /n which rpm does */
++    if ((*string)->len > 0)
++        g_string_truncate(*string,(*string)->len - 1);
++    return 0;
++}
++
+ /**
+  * dnf_keyring_check_untrusted_file:
+  */
+@@ -232,6 +254,10 @@ dnf_keyring_check_untrusted_file(rpmKeyring keyring,
+     rpmtd td = NULL;
+     rpmts ts = NULL;
+ 
++    char *path = g_strdup(filename);
++    char *path_array[2] = {path, NULL};
++    g_autoptr(GString) rpm_error = NULL;
++
+     /* open the file for reading */
+     fd = Fopen(filename, "r.fdio");
+     if (fd == NULL) {
+@@ -252,9 +278,27 @@ dnf_keyring_check_untrusted_file(rpmKeyring keyring,
+         goto out;
+     }
+ 
+-    /* we don't want to abort on missing keys */
+     ts = rpmtsCreate();
+-    rpmtsSetVSFlags(ts, _RPMVSF_NOSIGNATURES);
++
++    if (rpmtsSetKeyring(ts, keyring) < 0) {
++        g_set_error_literal(error, DNF_ERROR, DNF_ERROR_INTERNAL_ERROR, "failed to set keyring");
++        goto out;
++    }
++    rpmtsSetVfyLevel(ts, RPMSIG_SIGNATURE_TYPE);
++    rpmlogSetCallback(rpmcliverifysignatures_log_handler_cb, &rpm_error);
++
++    // rpm doesn't provide any better API call than rpmcliVerifySignatures (which is for CLI):
++    // - use path_array as input argument
++    // - gather logs via callback because we don't want to print anything if check is successful
++    if (rpmcliVerifySignatures(ts, (char * const*) path_array)) {
++        g_set_error(error,
++                DNF_ERROR,
++                DNF_ERROR_GPG_SIGNATURE_INVALID,
++                "%s could not be verified.\n%s",
++                filename,
++                (rpm_error ? rpm_error->str : "UNKNOWN ERROR"));
++        goto out;
++    }
+ 
+     /* read in the file */
+     rc = rpmReadPackageFile(ts, fd, filename, &hdr);
+@@ -318,6 +362,10 @@ dnf_keyring_check_untrusted_file(rpmKeyring keyring,
+     g_debug("%s has been verified as trusted", filename);
+     ret = TRUE;
+ out:
++    rpmlogSetCallback(NULL, NULL);
++
++    if (path != NULL)
++        g_free(path);
+     if (dig != NULL)
+         pgpFreeDig(dig);
+     if (td != NULL) {
+-- 
+2.31.0
+
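Review bot: The log callback installed by `rpmlogSetCallback(rpmcliverifysignatures_log_handler_cb, &rpm_error)` is process-global rpm state pointing at a stack variable, and the `rpmlogSetCallback(NULL, NULL)` at `out:` clears it unconditionally instead of restoring what was installed before, so a callback a library user had set is lost and a second check running concurrently in another thread would write into the other call's GString. The enclosing dnf_keyring_check_untrusted_file starts and ends outside the hunk, so whether it carries a try/CATCH_TO_GERROR wrapper like dnf_keyring_add_public_keys above, through which an exception could bypass `out:` and leave the dangling pointer installed, cannot be confirmed from here. The callback also drops the final character unconditionally in `g_string_truncate(*string,(*string)->len - 1)` on the assumption that rpm always appends a newline; guarding it with `(*string)->str[(*string)->len - 1] == '\n'` keeps the message intact when that assumption does not hold. A comment at the install site, `/* rpmlog callback is global: cleared at out:, not safe for concurrent callers */`, would record the constraint until the previous callback can be saved and restored.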
diff -Nru libdnf-0.55.2/debian/patches/series libdnf-0.55.2/debian/patches/series
--- libdnf-0.55.2/debian/patches/series	2021-01-23 17:00:00.000000000 +0100
+++ libdnf-0.55.2/debian/patches/series	2021-04-14 21:26:57.000000000 +0200
@@ -11,3 +11,4 @@
 0011-Set-CMAKE_SKIP_RPATH-to-TRUE.patch
 0012-data-workaround-for-hardcoded-absolute-path-data-in-.patch
 0013-python-tests-fix-locale-issues.patch
+0014-Hardening-add-signature-check-with-rpmcliVerifySigna.patch
$

unblock libdnf/0.55.2-6

Thanks!

-- 
cheers,
	Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁       holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀   OpenPGP: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
 ⠈⠳⣄

Moral, truth, long term- and holistic thinking seem to mean nothing to us. The
emperors are naked. Every single one. It turns out our whole society is just
one big nudist party. (Greta Thunberg about the world reacting to the corona
crisis but not reacting appropriately to the climate crisis.)

Attachment: signature.asc
Description: PGP signature


--- End Message ---
--- Begin Message ---
Unblocked.

--- End Message ---
