In March 2021, Dmitry Antipov, a Linux developer with CloudLinux, pointed out that unsigned packages or packages signed with revoked keys could surreptitiously be patched or updated.
"The problem is that both RPM and DNF (a package manager that installs, updates and removes RPM packages) do a check to see if the key is valid and genuine, but not expired, but not for revocation," Antipov explained.
Not really a bug?
When Antipov first highlighted the issue, developer Panu Matilainen explained that RPM has never had any mechanism for handling revoked keys.
"Revocation is one of the many unimplemented things in RPM's OpenPGP support. In other words, you're not seeing a bug as such; it's just not implemented at all, much like expiration is not," wrote Matilainen.
Whether or not it fits the classical definition of a bug, as ZDNet points out, the behaviour means that an attacker holding a signing key that has since been revoked, or that has expired, can still produce packages that RPM and DNF will accept as genuine and install.
More worryingly, although Antipov has submitted a patch, he believes that, given the nature of the issue and of the fix, it could take several months before the change lands.
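Because RPM and DNF are described above as accepting keys regardless of revocation or expiry, an administrator who wants that assurance has to perform the check separately. The shell audit below is an example added here, not code from the article, RPM or DNF: it assumes the keys RPM has imported have been exported into a scratch GnuPG keyring and listed with `gpg --list-keys --with-colons`, and it flags any key that GnuPG reports as revoked or expired, plus any that will expire within a configurable window. The key IDs and the listing in the sample are constructed for illustration and are not real distribution keys.

```shell
#!/bin/sh
# Added example (not from the article, RPM or DNF): audit the GPG public keys
# that RPM has imported and flag any that are revoked, expired or about to
# expire. RPM and DNF themselves do not make this check.
#
# On a real host, produce the input like this (commands shown, not run here):
#   rpm -q gpg-pubkey --qf '%{description}\n' > rpm-keys.asc
#   gpg --homedir ./scratch --import rpm-keys.asc
#   gpg --homedir ./scratch --refresh-keys        # pull in revocation certs
#   gpg --homedir ./scratch --list-keys --with-colons > keys.txt
#
# audit_rpm_keys reads such a colon-separated listing on stdin. In a "pub"
# record, field 2 is GnuPG's validity code ("r" revoked, "e" expired),
# field 5 the key ID and field 7 the expiry as a Unix timestamp (empty when
# the key never expires).
#   $1: "now" as a Unix timestamp (defaults to the current time)
#   $2: warning window in seconds (defaults to 30 days)
# Output: one line per key, "<keyid> <status> <expires>".
audit_rpm_keys() {
    now=${1:-$(date +%s)}
    window=${2:-2592000}
    awk -F: -v now="$now" -v window="$window" '
        $1 == "pub" {
            keyid = $5; validity = $2; expires = $7
            if (validity == "r") {
                status = "REVOKED"
            } else if (validity == "e" || (expires != "" && expires + 0 <= now + 0)) {
                status = "EXPIRED"
            } else if (expires != "" && expires - now <= window + 0) {
                status = "EXPIRING"
            } else {
                status = "ok"
            }
            print keyid, status, (expires == "" ? "never" : expires)
        }'
}

# Constructed sample listing with hypothetical key IDs, in the shape of
# `gpg --list-keys --with-colons` output. Not real distribution keys.
sample_listing() {
    cat <<'EOF'
tru::1:1616000000:0:3:1:5
pub:-:4096:1:0123456789ABCDEF:1580000000::-:::scSC::::::23::0:
uid:-::::1580000000::0000000000000000000000000000000000000000::Example Distro Signing Key <security@example.invalid>::::::::::0:
pub:r:4096:1:FEDCBA9876543210:1500000000::-:::sc::::::23::0:
uid:r::::1500000000::1111111111111111111111111111111111111111::Compromised Key (revoked) <old@example.invalid>::::::::::0:
pub:e:2048:1:1111222233334444:1400000000:1590000000:-:::sc::::::23::0:
pub:-:4096:1:5555666677778888:1600000000:1616864000:-:::sc::::::23::0:
EOF
}

# Evaluate the sample as of 2021-03-17 (1616000000) with the default window.
sample_listing | audit_rpm_keys 1616000000
```

Two caveats matter when running this for real. Expiry is carried in the key's own self-signature, so it is visible from the copy RPM imported; a revocation certificate, by contrast, is issued after the fact and will not be in that copy, which is why the listing only becomes meaningful after refreshing the keys from the distributor's key source. And the output is only an audit: according to the article, RPM and DNF will keep accepting signatures from a key flagged here as REVOKED or EXPIRED until the key is removed from the RPM database.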