A Linux developer has submitted a patch to fix a long-standing issue in the open source RPM package management system that can reportedly be exploited to install malicious software.
In March 2021, Dmitry Antipov, a Linux developer with CloudLinux, pointed out that unsigned packages or packages signed with revoked keys could surreptitiously be patched or updated.
"The problem is that both RPM and DNF (a package manager that installs, updates and removes RPM packages) do a check to see if the key is valid and genuine, but not expired, but not for revocation," Antipov explained.
Not really a bug?
When Antipov first highlighted the issue, developer Panu Matilainen explained that RPM has never had a mechanism for checking whether a signing key has been revoked.
"Revocation is one of the many unimplemented things in RPM's OpenPGP support. In other words, you're not seeing a bug as such; it's just not implemented at all, much like expiration is not," wrote Matilainen.
Irrespective of whether the issue fits the classical definition of a bug, as ZDNet points out, threat actors can exploit this behavior by using a revoked or expired key to sign and install harmful packages.
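The revocation and expiry check that the article says RPM and DNF skip can be run on the trusted signing keys yourself. The script below is an added example, not code from the article or from the RPM project: it parses the colon-delimited output of `gpg --with-colons --list-keys` and flags any key whose validity field marks it revoked or expired; the embedded key listing is constructed, and its key IDs and names are made up.

```shell
#!/bin/sh
# Added example (not from the article or the RPM project): flag revoked or
# expired OpenPGP keys in `gpg --with-colons --list-keys` output. In a "pub"
# record field 2 is the validity ('r' = revoked, 'e' = expired), field 5 is
# the long key ID. Caveat: gpg can only report 'r' once the revocation
# certificate has been imported, e.g. after refreshing from a keyserver.
check_keys() {
  # Reads a gpg colon listing on stdin, prints "KEYID STATUS" for each
  # revoked or expired key and returns 1 if any such key was seen.
  awk -F: '
    $1 == "pub" {
      status = ""
      if ($2 == "r") status = "revoked"
      else if ($2 == "e") status = "expired"
      if (status != "") { print $5, status; bad = 1 }
    }
    END { if (bad) exit 1; exit 0 }
  '
}

# Constructed sample listing in `gpg --with-colons` format (fake key IDs):
# one valid key, one revoked key and one expired key.
SAMPLE='pub:-:4096:1:0123456789ABCDEF:1600000000::-:::scSC::::::23::0:
uid:-::::1600000000::HASH::Example Vendor (constructed) <vendor@example.invalid>::::::::::0:
pub:r:4096:1:FEDCBA9876543210:1500000000::-:::sc::::::23::0:
uid:r::::1500000000::HASH::Old Vendor Key (constructed) <old@example.invalid>::::::::::0:
pub:e:4096:1:0011223344556677:1400000000:1430000000:-:::sc::::::23::0:
uid:e::::1400000000::HASH::Expired Key (constructed) <exp@example.invalid>::::::::::0:'

# Runs the check over the constructed sample; on a real host feed it
# `gpg --with-colons --list-keys` for the keyring that holds your RPM keys.
report_sample() {
  printf '%s\n' "$SAMPLE" | check_keys
}

report_sample || echo "untrusted signing keys present: review before installing packages"
```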
More worryingly, even though Antipov has submitted a patch to fix this problem, he believes that, given the nature of the issue and the fix, it could take several months before the issue is finally fixed.
Via ZDNet