Bug 1065397 - (CVE-2017-14806) VUL-0: CVE-2017-14806: studio: Insecure handling of repodata and packages
Status: RESOLVED INVALID
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P2 - High
Severity: Normal
Assigned To: Security Team bot
CVSSv3:SUSE:CVE-2017-14806:8.1:(AV:N/...
Reported: 2017-10-27 07:33 UTC by Johannes Segitz
Modified: 2020-01-27 09:38 UTC (History)

Description Johannes Segitz 2017-10-27 07:33:40 UTC
Due to
sid/getfile-gem/ext/getfile/getfile.c: curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0);
certificates are not checked. This makes it possible to MITM connections to the repositories.

Once in a MITM position the repodata can be modified since the gpg signature isn't verified. The packages are only checked for their checksum specified in the repo meta data, the gpg signature on the packages is not checked:
    def install_cmds packages
      packages.map do |repo_descriptor, packages|
        repo = (repo_descriptor == "general" ? nil : repo_descriptor)
        cmd = [
          "sudo",
          "zypper",
          "-vvv",
          "-n",
          "--no-gpg-checks",   # disables signature verification of repodata and packages
          "install",
          "--auto-agree-with-licenses",
          ("--from" if repo),
          # remainder of the method not included in the report
        ]
      end
    end

This makes it easy to get malicious packages installed. I was able to MITM a connection while building an appliance and get a modified rpm installed without any warning.
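The two settings the report points at, shown in their hardened form as an added Ruby example (not SUSE Studio's or the getfile gem's own code): TLS peer verification kept enabled in the downloader, and the zypper invocation built without --no-gpg-checks. The function names, the https-only rule and the checksum helper are assumptions made for the example.

```ruby
require "net/http"
require "openssl"
require "digest"

# Hardened counterpart of the getfile.c download call: peer certificate and
# hostname verification stay enabled instead of passing VERIFYPEER=0.
# Returns a configured Net::HTTP object; no connection is opened here.
def secure_http(uri_string)
  uri = URI(uri_string)
  raise ArgumentError, "repository URL must use https: #{uri_string}" unless uri.scheme == "https"
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER # VERIFY_NONE is the Net::HTTP equivalent of VERIFYPEER=0
  http.cert_store = OpenSSL::X509::Store.new.tap(&:set_default_paths) # system CA bundle
  http
end

# Hardened counterpart of install_cmds: zypper keeps its default GPG checks of
# repodata and packages, i.e. "--no-gpg-checks" is not passed.
# `packages` maps a repo descriptor to package names, as in the report.
def install_cmds(packages)
  packages.map do |repo_descriptor, names|
    repo = (repo_descriptor == "general" ? nil : repo_descriptor)
    [
      "sudo", "zypper", "-vvv", "-n",
      "install", "--auto-agree-with-licenses",
      *(["--from", repo] if repo), # splat of nil adds nothing
      *names
    ]
  end
end

# The checksum comparison zypper does against the repodata. It only proves
# integrity if the repodata itself was signature-verified, which is the gap the
# report describes; it is not a substitute for the package signature.
def checksum_matches?(data, expected_sha256)
  Digest::SHA256.hexdigest(data) == expected_sha256.downcase
end
```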