Bug 1065397 - (CVE-2017-14806) VUL-0: CVE-2017-14806: studio: Insecure handling of repodata and packages
VUL-0: CVE-2017-14806: studio: Insecure handling of repodata and packages
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Other Other
: P2 - High : Normal
: ---
Assigned To: Security Team bot
Security Team bot
Depends on:
  Show dependency treegraph
Reported: 2017-10-27 07:33 UTC by Johannes Segitz
Modified: 2020-01-27 09:38 UTC (History)
2 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Johannes Segitz 2017-10-27 07:33:40 UTC
Due to 
sid/getfile-gem/ext/getfile/getfile.c  :  curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0);
certificates are not checked. This allows to MITM connections to the repositories.

Once in a MITM position the repodata can be modified since the gpg signature isn't verified. The packages are only checked for their checksum specified in the repo meta data, the gpg signature on the packages is not checked:
    def install_cmds packages
      packages.map do |repo_descriptor, packages|
        repo = (repo_descriptor == "general" ? nil : repo_descriptor)
        cmd = [
          "-n" ,
          ("--from" if repo),

this makes it easy to get malicious packages installed. I was able to MITM a connection while building an appliance and get a modified rpm installed without any warning.