Bug 1191175 (CVE-2021-3521)

Summary: VUL-1: CVE-2021-3521: rpm: RPM does not require subkeys to have a valid binding signature
Product: [Novell Products] SUSE Security Incidents Reporter: Alexander Bergmann <abergmann>
Component: IncidentsAssignee: Michael Schröder <mls>
Status: NEW --- QA Contact: Security Team bot <security-team>
Severity: Minor    
Priority: P4 - Low CC: abergmann, gabriele.sonnu, meissner, mls, smash_bz
Version: unspecifiedFlags: gabriele.sonnu: needinfo? (mls)
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/311327/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-3521:4.4:(AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Alexander Bergmann 2021-09-30 10:07:45 UTC 
rh#1941098

RPM does not require subkeys to have a valid binding signature. This could potentially result in a signature being wrongly trusted in the following (rather contrived) scenario: A malicious subkey (to which an attacker has the secret key) is added to a legitimate public key, via a process that rejects main keys but not subkeys and does not itself check binding signatures. The main key is exported and then imported into RPM.

Statement:
To exploit this flaw, an attacker must either compromise an RPM repository or convince an administrator to install an untrusted RPM or public key.  It is strongly recommended to only use RPMs and public keys from trusted sources.

Upstream commit:
https://github.com/rpm-software-management/rpm/pull/1788/commits/5641a79576acf846e51254de491f9f4581985cc5

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1941098
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3521
Comment 1 Alexander Bergmann 2021-09-30 11:28:34 UTC 
The code on SLE-11 has no pgpPrtParams function. 

In general the above statement is also valid for SLE-11.
Comment 2 Gabriele Sonnu 2021-12-24 08:33:14 UTC 
Hi, any update on this?