Nasty security flaw discovered at the heart of Linux RPM

(Image: Linux. Image credit: Pixabay)

A Linux developer has submitted a patch to fix a long-standing issue in the open source RPM package management system that can reportedly be exploited to install malicious software.

In March 2021, Dmitry Antipov, a Linux developer with CloudLinux, pointed out that unsigned packages or packages signed with revoked keys could surreptitiously be patched or updated. 

"The problem is that both RPM and DNF (a package manager that installs, updates and removes RPM packages) do a check to see if the key is valid and genuine, but not expired, but not for revocation," Antipov explained.


Not really a bug?

When Antipov first highlighted the issue, developer Panu Matilainen explained that RPM had never had a mechanism for handling revoked keys.

"Revocation is one of the many unimplemented things in RPM's OpenPGP support. In other words, you're not seeing a bug as such; it's just not implemented at all, much like expiration is not," wrote Matilainen.

Irrespective of whether the issue fits the classical definition of a bug or not, as ZDNet points out, threat actors can exploit this behavior to use a revoked or expired key to install harmful packages.
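Until RPM itself checks expiry and revocation, an administrator can audit the keys RPM has already imported by handing them to gpg, which does evaluate both. This is an added shell example, not code from the article or from the RPM project; it assumes rpm and GnuPG 2.2+ are installed and that each imported key is exposed as a gpg-pubkey package whose description holds the armored key.

```shell
#!/bin/sh
# Audit RPM's imported signing keys for expiry and revocation using gpg.

# Reads `gpg --with-colons` key listings on stdin and prints one
# "<expired|revoked> <keyid>" line per problem key. In the colon format
# field 1 is the record type ("pub" for a primary key), field 2 is the
# validity flag ("e" = expired, "r" = revoked) and field 5 is the key ID.
flag_bad_keys() {
  awk -F: '$1 == "pub" && ($2 == "e" || $2 == "r") {
             print ($2 == "e" ? "expired" : "revoked"), $5
           }'
}

# RPM stores every imported key as a pseudo-package named gpg-pubkey-*;
# its DESCRIPTION tag is the ASCII-armored public key. Feed all of them
# to gpg, which parses expiry and embedded revocation signatures.
audit_rpm_keys() {
  bad=$(rpm -q gpg-pubkey --qf '%{DESCRIPTION}\n' 2>/dev/null \
        | gpg --show-keys --with-colons 2>/dev/null \
        | flag_bad_keys)
  if [ -n "$bad" ]; then
    printf 'Imported RPM keys needing attention:\n%s\n' "$bad"
    return 1
  fi
  echo "No expired or revoked keys among RPM-imported keys."
}

# Only run the live audit where both tools exist, so the file can also
# be sourced on hosts without rpm (for example to reuse flag_bad_keys).
if command -v rpm >/dev/null 2>&1 && command -v gpg >/dev/null 2>&1; then
  audit_rpm_keys || true
fi
```

A key revoked after it was imported only shows as revoked once the refreshed key carrying the revocation signature is available, so compare the result against the vendor's currently published key as well.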

More worryingly, even though Antipov has submitted a patch to fix this problem, because of the nature of the issue and the fix, he believes it could take several months before the issue is finally fixed.

Via ZDNet

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.