rpm: fix CVE-2021-3521

(From OE-Core rev: 68c20b12fca2c20439b18c5fd9757c2c1f1746a1) Signed-off-by: Changqing Li <changqing.li@windriver.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Changqing Li <changqing.li@windriver.com> 2021-11-17 16:06:19 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-11-24 21:12:46 +0000
commit: 097c86071eabaec9db55781ada99c3d011e6ff3f (patch)
tree: 71da39161d97f487a55637de3b73cf153e08781d
parent: 24b0ee2be7ef453f8b8d43d01f39777ee886cf50 (diff)
download: poky-097c86071eabaec9db55781ada99c3d011e6ff3f.tar.gz
4 files changed, 454 insertions, 0 deletions
diff --git a/meta/recipes-devtools/rpm/files/0001-CVE-2021-3521.patch b/meta/recipes-devtools/rpm/files/0001-CVE-2021-3521.patch
new file mode 100644
index 0000000000..b374583017
--- /dev/null
+++ b/meta/recipes-devtools/rpm/files/0001-CVE-2021-3521.patch
@@ -0,0 +1,57 @@
+From 9a6871126f472feea057d5f803505ec8cc78f083 Mon Sep 17 00:00:00 2001
+From: Panu Matilainen <pmatilai@redhat.com>
+Date: Thu, 30 Sep 2021 09:56:20 +0300
+Subject: [PATCH 1/3] Refactor pgpDigParams construction to helper function
+No functional changes, just to reduce code duplication and needed by
+the following commits.
+CVE: CVE-2021-3521
+Upstream-Staus: Backport[https://github.com/rpm-software-management/rpm/commit/9f03f42e2]
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ rpmio/rpmpgp.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+diff --git a/rpmio/rpmpgp.c b/rpmio/rpmpgp.c
+index d0688ebe9a..e472b5320f 100644
+--- a/rpmio/rpmpgp.c
+++ b/rpmio/rpmpgp.c
+@@ -1041,6 +1041,13 @@ unsigned int pgpDigParamsAlgo(pgpDigParams digp, unsigned int algotype)
+     return algo;
+ }
+ 
+static pgpDigParams pgpDigParamsNew(uint8_t tag)
+{
+    pgpDigParams digp = xcalloc(1, sizeof(*digp));
+    digp->tag = tag;
+    return digp;
+}
+
+ int pgpPrtParams(const uint8_t * pkts, size_t pktlen, unsigned int pkttype,
+                 pgpDigParams * ret)
+ {
+@@ -1058,8 +1065,7 @@ int pgpPrtParams(const uint8_t * pkts, size_t pktlen, unsigned int pkttype,
+            if (pkttype && pkt.tag != pkttype) {
+                break;
+            } else {
+-               digp = xcalloc(1, sizeof(*digp));
+-               digp->tag = pkt.tag;
+               digp = pgpDigParamsNew(pkt.tag);
+            }
+        }
+ 
+@@ -1105,8 +1111,7 @@ int pgpPrtParamsSubkeys(const uint8_t *pkts, size_t pktlen,
+                digps = xrealloc(digps, alloced * sizeof(*digps));
+            }
+ 
+-           digps[count] = xcalloc(1, sizeof(**digps));
+-           digps[count]->tag = PGPTAG_PUBLIC_SUBKEY;
+           digps[count] = pgpDigParamsNew(PGPTAG_PUBLIC_SUBKEY);
+            /* Copy UID from main key to subkey */
+            digps[count]->userid = xstrdup(mainkey->userid);
+ 
+-- 
+2.17.1
diff --git a/meta/recipes-devtools/rpm/files/0002-CVE-2021-3521.patch b/meta/recipes-devtools/rpm/files/0002-CVE-2021-3521.patch
new file mode 100644
index 0000000000..a8ff98fa26
--- /dev/null
+++ b/meta/recipes-devtools/rpm/files/0002-CVE-2021-3521.patch
@@ -0,0 +1,62 @@
+From c4b1bee51bbdd732b94b431a951481af99117703 Mon Sep 17 00:00:00 2001
+From: Panu Matilainen <pmatilai@redhat.com>
+Date: Thu, 30 Sep 2021 09:51:10 +0300
+Subject: [PATCH 2/3] Process MPI's from all kinds of signatures
+No immediate effect but needed by the following commits.
+CVE: CVE-2021-3521
+Upstream-Status: Backport[https://github.com/rpm-software-management/rpm/commit/b5e8bc74b]
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ rpmio/rpmpgp.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+diff --git a/rpmio/rpmpgp.c b/rpmio/rpmpgp.c
+index e472b5320f..57d411d1e0 100644
+--- a/rpmio/rpmpgp.c
+++ b/rpmio/rpmpgp.c
+@@ -515,7 +515,7 @@ pgpDigAlg pgpDigAlgFree(pgpDigAlg alg)
+     return NULL;
+ }
+ 
+-static int pgpPrtSigParams(pgpTag tag, uint8_t pubkey_algo, uint8_t sigtype,
+static int pgpPrtSigParams(pgpTag tag, uint8_t pubkey_algo,
+                const uint8_t *p, const uint8_t *h, size_t hlen,
+                pgpDigParams sigp)
+ {
+@@ -528,10 +528,8 @@ static int pgpPrtSigParams(pgpTag tag, uint8_t pubkey_algo, uint8_t sigtype,
+        int mpil = pgpMpiLen(p);
+        if (p + mpil > pend)
+            break;
+-       if (sigtype == PGPSIGTYPE_BINARY || sigtype == PGPSIGTYPE_TEXT) {
+-           if (sigalg->setmpi(sigalg, i, p))
+-               break;
+-       }
+       if (sigalg->setmpi(sigalg, i, p))
+           break;
+        p += mpil;
+     }
+ 
+@@ -604,7 +602,7 @@ static int pgpPrtSig(pgpTag tag, const uint8_t *h, size_t hlen,
+        }
+ 
+        p = ((uint8_t *)v) + sizeof(*v);
+-       rc = pgpPrtSigParams(tag, v->pubkey_algo, v->sigtype, p, h, hlen, _digp);
+       rc = pgpPrtSigParams(tag, v->pubkey_algo, p, h, hlen, _digp);
+     }  break;
+     case 4:
+     {   pgpPktSigV4 v = (pgpPktSigV4)h;
+@@ -662,7 +660,7 @@ static int pgpPrtSig(pgpTag tag, const uint8_t *h, size_t hlen,
+        if (p > (h + hlen))
+            return 1;
+ 
+-       rc = pgpPrtSigParams(tag, v->pubkey_algo, v->sigtype, p, h, hlen, _digp);
+       rc = pgpPrtSigParams(tag, v->pubkey_algo, p, h, hlen, _digp);
+     }  break;
+     default:
+        rpmlog(RPMLOG_WARNING, _("Unsupported version of key: V%d\n"), version);
+-- 
+2.17.1
diff --git a/meta/recipes-devtools/rpm/files/0003-CVE-2021-3521.patch b/meta/recipes-devtools/rpm/files/0003-CVE-2021-3521.patch
new file mode 100644
index 0000000000..d39ea7dacd
--- /dev/null
+++ b/meta/recipes-devtools/rpm/files/0003-CVE-2021-3521.patch
@@ -0,0 +1,332 @@
+From 07676ca03ad8afcf1ca95a2353c83fbb1d970b9b Mon Sep 17 00:00:00 2001
+From: Panu Matilainen <pmatilai@redhat.com>
+Date: Thu, 30 Sep 2021 09:59:30 +0300
+Subject: [PATCH 3/3] Validate and require subkey binding signatures on PGP
+ public keys
+All subkeys must be followed by a binding signature by the primary key
+as per the OpenPGP RFC, enforce the presence and validity in the parser.
+The implementation is as kludgey as they come to work around our
+simple-minded parser structure without touching API, to maximise
+backportability. Store all the raw packets internally as we decode them
+to be able to access previous elements at will, needed to validate ordering
+and access the actual data. Add testcases for manipulated keys whose
+import previously would succeed.
+Depends on the two previous commits:
+7b399fcb8f52566e6f3b4327197a85facd08db91 and
+236b802a4aa48711823a191d1b7f753c82a89ec5
+Fixes CVE-2021-3521.
+Upstream-Status: Backport [https://github.com/rpm-software-management/rpm/commit/bd36c5dc9]
+CVE:CVE-2021-3521
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ rpmio/rpmpgp.c                                | 100 ++++++++++++++++--
+ tests/Makefile.am                             |   3 +
+ tests/data/keys/CVE-2021-3521-badbind.asc     |  25 +++++
+ .../data/keys/CVE-2021-3521-nosubsig-last.asc |  25 +++++
+ tests/data/keys/CVE-2021-3521-nosubsig.asc    |  37 +++++++
+ tests/rpmsigdig.at                            |  28 +++++
+ 6 files changed, 211 insertions(+), 7 deletions(-)
+ create mode 100644 tests/data/keys/CVE-2021-3521-badbind.asc
+ create mode 100644 tests/data/keys/CVE-2021-3521-nosubsig-last.asc
+ create mode 100644 tests/data/keys/CVE-2021-3521-nosubsig.asc
+diff --git a/rpmio/rpmpgp.c b/rpmio/rpmpgp.c
+index 57d411d1e0..b12410d671 100644
+--- a/rpmio/rpmpgp.c
+++ b/rpmio/rpmpgp.c
+@@ -1046,35 +1046,121 @@ static pgpDigParams pgpDigParamsNew(uint8_t tag)
+     return digp;
+ }
+ 
+static int hashKey(DIGEST_CTX hash, const struct pgpPkt *pkt, int exptag)
+{
+    int rc = -1;
+    if (pkt->tag == exptag) {
+       uint8_t head[] = {
+           0x99,
+           (pkt->blen >> 8),
+           (pkt->blen     ),
+       };
+
+       rpmDigestUpdate(hash, head, 3);
+       rpmDigestUpdate(hash, pkt->body, pkt->blen);
+       rc = 0;
+    }
+    return rc;
+}
+
+static int pgpVerifySelf(pgpDigParams key, pgpDigParams selfsig,
+                       const struct pgpPkt *all, int i)
+{
+    int rc = -1;
+    DIGEST_CTX hash = NULL;
+
+    switch (selfsig->sigtype) {
+    case PGPSIGTYPE_SUBKEY_BINDING:
+       hash = rpmDigestInit(selfsig->hash_algo, 0);
+       if (hash) {
+           rc = hashKey(hash, &all[0], PGPTAG_PUBLIC_KEY);
+           if (!rc)
+               rc = hashKey(hash, &all[i-1], PGPTAG_PUBLIC_SUBKEY);
+       }
+       break;
+    default:
+       /* ignore types we can't handle */
+       rc = 0;
+       break;
+    }
+
+    if (hash && rc == 0)
+       rc = pgpVerifySignature(key, selfsig, hash);
+
+    rpmDigestFinal(hash, NULL, NULL, 0);
+
+    return rc;
+}
+
+ int pgpPrtParams(const uint8_t * pkts, size_t pktlen, unsigned int pkttype,
+                 pgpDigParams * ret)
+ {
+     const uint8_t *p = pkts;
+     const uint8_t *pend = pkts + pktlen;
+     pgpDigParams digp = NULL;
+-    struct pgpPkt pkt;
+    pgpDigParams selfsig = NULL;
+    int i = 0;
+    int alloced = 16; /* plenty for normal cases */
+    struct pgpPkt *all = xmalloc(alloced * sizeof(*all));
+     int rc = -1; /* assume failure */
+    int expect = 0;
+    int prevtag = 0;
+ 
+     while (p < pend) {
+-       if (decodePkt(p, (pend - p), &pkt))
+       struct pgpPkt *pkt = &all[i];
+       if (decodePkt(p, (pend - p), pkt))
+            break;
+ 
+        if (digp == NULL) {
+-           if (pkttype && pkt.tag != pkttype) {
+           if (pkttype && pkt->tag != pkttype) {
+                break;
+            } else {
+-               digp = pgpDigParamsNew(pkt.tag);
+               digp = pgpDigParamsNew(pkt->tag);
+            }
+        }
+ 
+-       if (pgpPrtPkt(&pkt, digp))
+       if (expect) {
+           if (pkt->tag != expect)
+               break;
+           selfsig = pgpDigParamsNew(pkt->tag);
+       }
+
+       if (pgpPrtPkt(pkt, selfsig ? selfsig : digp))
+            break;
+ 
+-       p += (pkt.body - pkt.head) + pkt.blen;
+       if (selfsig) {
+           /* subkeys must be followed by binding signature */
+           if (prevtag == PGPTAG_PUBLIC_SUBKEY) {
+               if (selfsig->sigtype != PGPSIGTYPE_SUBKEY_BINDING)
+                   break;
+           }
+
+           int xx = pgpVerifySelf(digp, selfsig, all, i);
+
+           selfsig = pgpDigParamsFree(selfsig);
+           if (xx)
+               break;
+           expect = 0;
+       }
+
+       if (pkt->tag == PGPTAG_PUBLIC_SUBKEY)
+           expect = PGPTAG_SIGNATURE;
+       prevtag = pkt->tag;
+
+       i++;
+       p += (pkt->body - pkt->head) + pkt->blen;
+       if (pkttype == PGPTAG_SIGNATURE)
+           break;
+
+       if (alloced <= i) {
+           alloced *= 2;
+           all = xrealloc(all, alloced * sizeof(*all));
+       }
+     }
+ 
+-    rc = (digp && (p == pend)) ? 0 : -1;
+    rc = (digp && (p == pend) && expect == 0) ? 0 : -1;
+ 
+    free(all);
+     if (ret && rc == 0) {
+        *ret = digp;
+     } else {
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index f742a9e1d2..328234278a 100644
+--- a/tests/Makefile.am
+++ b/tests/Makefile.am
+@@ -107,6 +107,9 @@ EXTRA_DIST += data/SPECS/hello-config-buildid.spec
+ EXTRA_DIST += data/SPECS/hello-cd.spec
+ EXTRA_DIST += data/keys/rpm.org-rsa-2048-test.pub
+ EXTRA_DIST += data/keys/rpm.org-rsa-2048-test.secret
+EXTRA_DIST += data/keys/CVE-2021-3521-badbind.asc
+EXTRA_DIST += data/keys/CVE-2021-3521-nosubsig.asc
+EXTRA_DIST += data/keys/CVE-2021-3521-nosubsig-last.asc
+ EXTRA_DIST += data/macros.testfile
+ EXTRA_DIST += data/macros.debug
+ EXTRA_DIST += data/SOURCES/foo.c
+diff --git a/tests/data/keys/CVE-2021-3521-badbind.asc b/tests/data/keys/CVE-2021-3521-badbind.asc
+new file mode 100644
+index 0000000000..aea00f9d7a
+--- /dev/null
+++ b/tests/data/keys/CVE-2021-3521-badbind.asc
+@@ -0,0 +1,25 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: rpm-4.17.90 (NSS-3)
+
+mQENBFjmORgBCAC7TMEk6wnjSs8Dr4yqSScWdU2pjcqrkTxuzdWvowcIUPZI0w/g
+HkRqGd4apjvY2V15kjL10gk3QhFP3pZ/9p7zh8o8NHX7aGdSGDK7NOq1eFaErPRY
+91LW9RiZ0lbOjXEzIL0KHxUiTQEmdXJT43DJMFPyW9fkCWg0OltiX618FUdWWfI8
+eySdLur1utnqBvdEbCUvWK2RX3vQZQdvEBODnNk2pxqTyV0w6VPQ96W++lF/5Aas
+7rUv3HIyIXxIggc8FRrnH+y9XvvHDonhTIlGnYZN4ubm9i4y3gOkrZlGTrEw7elQ
+1QeMyG2QQEbze8YjpTm4iLABCBrRfPRaQpwrABEBAAG0IXJwbS5vcmcgUlNBIHRl
+c3RrZXkgPHJzYUBycG0ub3JnPokBNwQTAQgAIQUCWOY5GAIbAwULCQgHAgYVCAkK
+CwIEFgIDAQIeAQIXgAAKCRBDRFkeGWTF/MxxCACnjqFL+MmPh9W9JQKT2DcLbBzf
+Cqo6wcEBoCOcwgRSk8dSikhARoteoa55JRJhuMyeKhhEAogE9HRmCPFdjezFTwgB
+BDVBpO2dZ023mLXDVCYX3S8pShOgCP6Tn4wqCnYeAdLcGg106N4xcmgtcssJE+Pr
+XzTZksbZsrTVEmL/Ym+R5w5jBfFnGk7Yw7ndwfQsfNXQb5AZynClFxnX546lcyZX
+fEx3/e6ezw57WNOUK6WT+8b+EGovPkbetK/rGxNXuWaP6X4A/QUm8O98nCuHYFQq
++mvNdsCBqGf7mhaRGtpHk/JgCn5rFvArMDqLVrR9hX0LdCSsH7EGE+bR3r7wuQEN
+BFjmORgBCACk+vDZrIXQuFXEYToZVwb2attzbbJJCqD71vmZTLsW0QxuPKRgbcYY
+zp4K4lVBnHhFrF8MOUOxJ7kQWIJZMZFt+BDcptCYurbD2H4W2xvnWViiC+LzCMzz
+iMJT6165uefL4JHTDPxC2fFiM9yrc72LmylJNkM/vepT128J5Qv0gRUaQbHiQuS6
+Dm/+WRnUfx3i89SV4mnBxb/Ta93GVqoOciWwzWSnwEnWYAvOb95JL4U7c5J5f/+c
+KnQDHsW7sIiIdscsWzvgf6qs2Ra1Zrt7Fdk4+ZS2f/adagLhDO1C24sXf5XfMk5m
+L0OGwZSr9m5s17VXxfspgU5ugc8kBJfzABEBAAE=
+=WCfs
+-----END PGP PUBLIC KEY BLOCK-----
+
+diff --git a/tests/data/keys/CVE-2021-3521-nosubsig-last.asc b/tests/data/keys/CVE-2021-3521-nosubsig-last.asc
+new file mode 100644
+index 0000000000..aea00f9d7a
+--- /dev/null
+++ b/tests/data/keys/CVE-2021-3521-nosubsig-last.asc
+@@ -0,0 +1,25 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: rpm-4.17.90 (NSS-3)
+
+mQENBFjmORgBCAC7TMEk6wnjSs8Dr4yqSScWdU2pjcqrkTxuzdWvowcIUPZI0w/g
+HkRqGd4apjvY2V15kjL10gk3QhFP3pZ/9p7zh8o8NHX7aGdSGDK7NOq1eFaErPRY
+91LW9RiZ0lbOjXEzIL0KHxUiTQEmdXJT43DJMFPyW9fkCWg0OltiX618FUdWWfI8
+eySdLur1utnqBvdEbCUvWK2RX3vQZQdvEBODnNk2pxqTyV0w6VPQ96W++lF/5Aas
+7rUv3HIyIXxIggc8FRrnH+y9XvvHDonhTIlGnYZN4ubm9i4y3gOkrZlGTrEw7elQ
+1QeMyG2QQEbze8YjpTm4iLABCBrRfPRaQpwrABEBAAG0IXJwbS5vcmcgUlNBIHRl
+c3RrZXkgPHJzYUBycG0ub3JnPokBNwQTAQgAIQUCWOY5GAIbAwULCQgHAgYVCAkK
+CwIEFgIDAQIeAQIXgAAKCRBDRFkeGWTF/MxxCACnjqFL+MmPh9W9JQKT2DcLbBzf
+Cqo6wcEBoCOcwgRSk8dSikhARoteoa55JRJhuMyeKhhEAogE9HRmCPFdjezFTwgB
+BDVBpO2dZ023mLXDVCYX3S8pShOgCP6Tn4wqCnYeAdLcGg106N4xcmgtcssJE+Pr
+XzTZksbZsrTVEmL/Ym+R5w5jBfFnGk7Yw7ndwfQsfNXQb5AZynClFxnX546lcyZX
+fEx3/e6ezw57WNOUK6WT+8b+EGovPkbetK/rGxNXuWaP6X4A/QUm8O98nCuHYFQq
++mvNdsCBqGf7mhaRGtpHk/JgCn5rFvArMDqLVrR9hX0LdCSsH7EGE+bR3r7wuQEN
+BFjmORgBCACk+vDZrIXQuFXEYToZVwb2attzbbJJCqD71vmZTLsW0QxuPKRgbcYY
+zp4K4lVBnHhFrF8MOUOxJ7kQWIJZMZFt+BDcptCYurbD2H4W2xvnWViiC+LzCMzz
+iMJT6165uefL4JHTDPxC2fFiM9yrc72LmylJNkM/vepT128J5Qv0gRUaQbHiQuS6
+Dm/+WRnUfx3i89SV4mnBxb/Ta93GVqoOciWwzWSnwEnWYAvOb95JL4U7c5J5f/+c
+KnQDHsW7sIiIdscsWzvgf6qs2Ra1Zrt7Fdk4+ZS2f/adagLhDO1C24sXf5XfMk5m
+L0OGwZSr9m5s17VXxfspgU5ugc8kBJfzABEBAAE=
+=WCfs
+-----END PGP PUBLIC KEY BLOCK-----
+
+diff --git a/tests/data/keys/CVE-2021-3521-nosubsig.asc b/tests/data/keys/CVE-2021-3521-nosubsig.asc
+new file mode 100644
+index 0000000000..3a2e7417f8
+--- /dev/null
+++ b/tests/data/keys/CVE-2021-3521-nosubsig.asc
+@@ -0,0 +1,37 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: rpm-4.17.90 (NSS-3)
+
+mQENBFjmORgBCAC7TMEk6wnjSs8Dr4yqSScWdU2pjcqrkTxuzdWvowcIUPZI0w/g
+HkRqGd4apjvY2V15kjL10gk3QhFP3pZ/9p7zh8o8NHX7aGdSGDK7NOq1eFaErPRY
+91LW9RiZ0lbOjXEzIL0KHxUiTQEmdXJT43DJMFPyW9fkCWg0OltiX618FUdWWfI8
+eySdLur1utnqBvdEbCUvWK2RX3vQZQdvEBODnNk2pxqTyV0w6VPQ96W++lF/5Aas
+7rUv3HIyIXxIggc8FRrnH+y9XvvHDonhTIlGnYZN4ubm9i4y3gOkrZlGTrEw7elQ
+1QeMyG2QQEbze8YjpTm4iLABCBrRfPRaQpwrABEBAAG0IXJwbS5vcmcgUlNBIHRl
+c3RrZXkgPHJzYUBycG0ub3JnPokBNwQTAQgAIQUCWOY5GAIbAwULCQgHAgYVCAkK
+CwIEFgIDAQIeAQIXgAAKCRBDRFkeGWTF/MxxCACnjqFL+MmPh9W9JQKT2DcLbBzf
+Cqo6wcEBoCOcwgRSk8dSikhARoteoa55JRJhuMyeKhhEAogE9HRmCPFdjezFTwgB
+BDVBpO2dZ023mLXDVCYX3S8pShOgCP6Tn4wqCnYeAdLcGg106N4xcmgtcssJE+Pr
+XzTZksbZsrTVEmL/Ym+R5w5jBfFnGk7Yw7ndwfQsfNXQb5AZynClFxnX546lcyZX
+fEx3/e6ezw57WNOUK6WT+8b+EGovPkbetK/rGxNXuWaP6X4A/QUm8O98nCuHYFQq
++mvNdsCBqGf7mhaRGtpHk/JgCn5rFvArMDqLVrR9hX0LdCSsH7EGE+bR3r7wuQEN
+BFjmORgBCACk+vDZrIXQuFXEYToZVwb2attzbbJJCqD71vmZTLsW0QxuPKRgbcYY
+zp4K4lVBnHhFrF8MOUOxJ7kQWIJZMZFt+BDcptCYurbD2H4W2xvnWViiC+LzCMzz
+iMJT6165uefL4JHTDPxC2fFiM9yrc72LmylJNkM/vepT128J5Qv0gRUaQbHiQuS6
+Dm/+WRnUfx3i89SV4mnBxb/Ta93GVqoOciWwzWSnwEnWYAvOb95JL4U7c5J5f/+c
+KnQDHsW7sIiIdscsWzvgf6qs2Ra1Zrt7Fdk4+ZS2f/adagLhDO1C24sXf5XfMk5m
+L0OGwZSr9m5s17VXxfspgU5ugc8kBJfzABEBAAG5AQ0EWOY5GAEIAKT68NmshdC4
+VcRhOhlXBvZq23NtskkKoPvW+ZlMuxbRDG48pGBtxhjOngriVUGceEWsXww5Q7En
+uRBYglkxkW34ENym0Ji6tsPYfhbbG+dZWKIL4vMIzPOIwlPrXrm558vgkdMM/ELZ
+8WIz3KtzvYubKUk2Qz+96lPXbwnlC/SBFRpBseJC5LoOb/5ZGdR/HeLz1JXiacHF
+v9Nr3cZWqg5yJbDNZKfASdZgC85v3kkvhTtzknl//5wqdAMexbuwiIh2xyxbO+B/
+qqzZFrVmu3sV2Tj5lLZ/9p1qAuEM7ULbixd/ld8yTmYvQ4bBlKv2bmzXtVfF+ymB
+Tm6BzyQEl/MAEQEAAYkBHwQYAQgACQUCWOY5GAIbDAAKCRBDRFkeGWTF/PANB/9j
+mifmj6z/EPe0PJFhrpISt9PjiUQCt0IPtiL5zKAkWjHePIzyi+0kCTBF6DDLFxos
+3vN4bWnVKT1kBhZAQlPqpJTg+m74JUYeDGCdNx9SK7oRllATqyu+5rncgxjWVPnQ
+zu/HRPlWJwcVFYEVXYL8xzfantwQTqefjmcRmBRdA2XJITK+hGWwAmrqAWx+q5xX
+Pa8wkNMxVzNS2rUKO9SoVuJ/wlUvfoShkJ/VJ5HDp3qzUqncADfdGN35TDzscngQ
+gHvnMwVBfYfSCABV1hNByoZcc/kxkrWMmsd/EnIyLd1Q1baKqc3cEDuC6E6/o4yJ
+E4XX4jtDmdZPreZALsiB
+=rRop
+-----END PGP PUBLIC KEY BLOCK-----
+
+diff --git a/tests/rpmsigdig.at b/tests/rpmsigdig.at
+index e1a3ab062a..705fc58705 100644
+--- a/tests/rpmsigdig.at
+++ b/tests/rpmsigdig.at
+@@ -240,6 +240,34 @@ gpg(185e6146f00650f8) = 4:185e6146f00650f8-58e63918
+ [])
+ AT_CLEANUP
+ 
+AT_SETUP([rpmkeys --import invalid keys])
+AT_KEYWORDS([rpmkeys import])
+RPMDB_INIT
+
+AT_CHECK([
+runroot rpmkeys --import /data/keys/CVE-2021-3521-badbind.asc
+],
+[1],
+[],
+[error: /data/keys/CVE-2021-3521-badbind.asc: key 1 import failed.]
+)
+AT_CHECK([
+runroot rpmkeys --import /data/keys/CVE-2021-3521-nosubsig.asc
+],
+[1],
+[],
+[error: /data/keys/CVE-2021-3521-nosubsig.asc: key 1 import failed.]
+)
+
+AT_CHECK([
+runroot rpmkeys --import /data/keys/CVE-2021-3521-nosubsig-last.asc
+],
+[1],
+[],
+[error: /data/keys/CVE-2021-3521-nosubsig-last.asc: key 1 import failed.]
+)
+AT_CLEANUP
+
+ # ------------------------------
+ # Test pre-built package verification
+ AT_SETUP([rpmkeys -K <signed> 1])
+-- 
+2.17.1
diff --git a/meta/recipes-devtools/rpm/rpm_4.16.1.3.bb b/meta/recipes-devtools/rpm/rpm_4.16.1.3.bb
index 62da3d2095..5a347953fa 100644
--- a/meta/recipes-devtools/rpm/rpm_4.16.1.3.bb
+++ b/meta/recipes-devtools/rpm/rpm_4.16.1.3.bb
@@ -41,6 +41,9 @@ SRC_URI = "git://github.com/rpm-software-management/rpm;branch=rpm-4.16.x;protoc
           file://0001-lib-transaction.c-fix-file-conflicts-for-MIPS64-N32.patch \
           file://0001-tools-Add-error.h-for-non-glibc-case.patch \
           file://0001-build-pack.c-do-not-insert-payloadflags-into-.rpm-me.patch \
+           file://0001-CVE-2021-3521.patch \
+           file://0002-CVE-2021-3521.patch \
+           file://0003-CVE-2021-3521.patch \
           "
 PE = "1"
author	Changqing Li <changqing.li@windriver.com>	2021-11-17 16:06:19 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-11-24 21:12:46 +0000
commit	097c86071eabaec9db55781ada99c3d011e6ff3f (patch)
tree	71da39161d97f487a55637de3b73cf153e08781d
parent	24b0ee2be7ef453f8b8d43d01f39777ee886cf50 (diff)
download	poky-097c86071eabaec9db55781ada99c3d011e6ff3f.tar.gz

diff --git a/meta/recipes-devtools/rpm/files/0001-CVE-2021-3521.patch b/meta/recipes-devtools/rpm/files/0001-CVE-2021-3521.patch new file mode 100644 index 0000000000..b374583017 --- /dev/null +++ b/meta/recipes-devtools/rpm/files/0001-CVE-2021-3521.patch
@@ -0,0 +1,57 @@
		1	From 9a6871126f472feea057d5f803505ec8cc78f083 Mon Sep 17 00:00:00 2001
		2	From: Panu Matilainen <pmatilai@redhat.com>
		3	Date: Thu, 30 Sep 2021 09:56:20 +0300
		4	Subject: [PATCH 1/3] Refactor pgpDigParams construction to helper function
		5
		6	No functional changes, just to reduce code duplication and needed by
		7	the following commits.
		8
		9	CVE: CVE-2021-3521
		10	Upstream-Staus: Backport[https://github.com/rpm-software-management/rpm/commit/9f03f42e2]
		11
		12	Signed-off-by: Changqing Li <changqing.li@windriver.com>
		13	---
		14	rpmio/rpmpgp.c \| 13 +++++++++----
		15	1 file changed, 9 insertions(+), 4 deletions(-)
		16
		17	diff --git a/rpmio/rpmpgp.c b/rpmio/rpmpgp.c
		18	index d0688ebe9a..e472b5320f 100644
		19	--- a/rpmio/rpmpgp.c
		20	+++ b/rpmio/rpmpgp.c
		21	@@ -1041,6 +1041,13 @@ unsigned int pgpDigParamsAlgo(pgpDigParams digp, unsigned int algotype)
		22	return algo;
		23	}
		24
		25	+static pgpDigParams pgpDigParamsNew(uint8_t tag)
		26	+{
		27	+ pgpDigParams digp = xcalloc(1, sizeof(*digp));
		28	+ digp->tag = tag;
		29	+ return digp;
		30	+}
		31	+
		32	int pgpPrtParams(const uint8_t * pkts, size_t pktlen, unsigned int pkttype,
		33	pgpDigParams * ret)
		34	{
		35	@@ -1058,8 +1065,7 @@ int pgpPrtParams(const uint8_t * pkts, size_t pktlen, unsigned int pkttype,
		36	if (pkttype && pkt.tag != pkttype) {
		37	break;
		38	} else {
		39	- digp = xcalloc(1, sizeof(*digp));
		40	- digp->tag = pkt.tag;
		41	+ digp = pgpDigParamsNew(pkt.tag);
		42	}
		43	}
		44
		45	@@ -1105,8 +1111,7 @@ int pgpPrtParamsSubkeys(const uint8_t *pkts, size_t pktlen,
		46	digps = xrealloc(digps, alloced * sizeof(*digps));
		47	}
		48
		49	- digps[count] = xcalloc(1, sizeof(**digps));
		50	- digps[count]->tag = PGPTAG_PUBLIC_SUBKEY;
		51	+ digps[count] = pgpDigParamsNew(PGPTAG_PUBLIC_SUBKEY);
		52	/* Copy UID from main key to subkey */
		53	digps[count]->userid = xstrdup(mainkey->userid);
		54
		55	--
		56	2.17.1
		57


diff --git a/meta/recipes-devtools/rpm/files/0002-CVE-2021-3521.patch b/meta/recipes-devtools/rpm/files/0002-CVE-2021-3521.patch new file mode 100644 index 0000000000..a8ff98fa26 --- /dev/null +++ b/meta/recipes-devtools/rpm/files/0002-CVE-2021-3521.patch
@@ -0,0 +1,62 @@
		1	From c4b1bee51bbdd732b94b431a951481af99117703 Mon Sep 17 00:00:00 2001
		2	From: Panu Matilainen <pmatilai@redhat.com>
		3	Date: Thu, 30 Sep 2021 09:51:10 +0300
		4	Subject: [PATCH 2/3] Process MPI's from all kinds of signatures
		5
		6	No immediate effect but needed by the following commits.
		7
		8	CVE: CVE-2021-3521
		9	Upstream-Status: Backport[https://github.com/rpm-software-management/rpm/commit/b5e8bc74b]
		10
		11	Signed-off-by: Changqing Li <changqing.li@windriver.com>
		12	---
		13	rpmio/rpmpgp.c \| 12 +++++-------
		14	1 file changed, 5 insertions(+), 7 deletions(-)
		15
		16	diff --git a/rpmio/rpmpgp.c b/rpmio/rpmpgp.c
		17	index e472b5320f..57d411d1e0 100644
		18	--- a/rpmio/rpmpgp.c
		19	+++ b/rpmio/rpmpgp.c
		20	@@ -515,7 +515,7 @@ pgpDigAlg pgpDigAlgFree(pgpDigAlg alg)
		21	return NULL;
		22	}
		23
		24	-static int pgpPrtSigParams(pgpTag tag, uint8_t pubkey_algo, uint8_t sigtype,
		25	+static int pgpPrtSigParams(pgpTag tag, uint8_t pubkey_algo,
		26	const uint8_t p, const uint8_t h, size_t hlen,
		27	pgpDigParams sigp)
		28	{
		29	@@ -528,10 +528,8 @@ static int pgpPrtSigParams(pgpTag tag, uint8_t pubkey_algo, uint8_t sigtype,
		30	int mpil = pgpMpiLen(p);
		31	if (p + mpil > pend)
		32	break;
		33	- if (sigtype == PGPSIGTYPE_BINARY \|\| sigtype == PGPSIGTYPE_TEXT) {
		34	- if (sigalg->setmpi(sigalg, i, p))
		35	- break;
		36	- }
		37	+ if (sigalg->setmpi(sigalg, i, p))
		38	+ break;
		39	p += mpil;
		40	}
		41
		42	@@ -604,7 +602,7 @@ static int pgpPrtSig(pgpTag tag, const uint8_t *h, size_t hlen,
		43	}
		44
		45	p = ((uint8_t )v) + sizeof(v);
		46	- rc = pgpPrtSigParams(tag, v->pubkey_algo, v->sigtype, p, h, hlen, _digp);
		47	+ rc = pgpPrtSigParams(tag, v->pubkey_algo, p, h, hlen, _digp);
		48	} break;
		49	case 4:
		50	{ pgpPktSigV4 v = (pgpPktSigV4)h;
		51	@@ -662,7 +660,7 @@ static int pgpPrtSig(pgpTag tag, const uint8_t *h, size_t hlen,
		52	if (p > (h + hlen))
		53	return 1;
		54
		55	- rc = pgpPrtSigParams(tag, v->pubkey_algo, v->sigtype, p, h, hlen, _digp);
		56	+ rc = pgpPrtSigParams(tag, v->pubkey_algo, p, h, hlen, _digp);
		57	} break;
		58	default:
		59	rpmlog(RPMLOG_WARNING, _("Unsupported version of key: V%d\n"), version);
		60	--
		61	2.17.1
		62


diff --git a/meta/recipes-devtools/rpm/files/0003-CVE-2021-3521.patch b/meta/recipes-devtools/rpm/files/0003-CVE-2021-3521.patch new file mode 100644 index 0000000000..d39ea7dacd --- /dev/null +++ b/meta/recipes-devtools/rpm/files/0003-CVE-2021-3521.patch
@@ -0,0 +1,332 @@
		1	From 07676ca03ad8afcf1ca95a2353c83fbb1d970b9b Mon Sep 17 00:00:00 2001
		2	From: Panu Matilainen <pmatilai@redhat.com>
		3	Date: Thu, 30 Sep 2021 09:59:30 +0300
		4	Subject: [PATCH 3/3] Validate and require subkey binding signatures on PGP
		5	public keys
		6
		7	All subkeys must be followed by a binding signature by the primary key
		8	as per the OpenPGP RFC, enforce the presence and validity in the parser.
		9
		10	The implementation is as kludgey as they come to work around our
		11	simple-minded parser structure without touching API, to maximise
		12	backportability. Store all the raw packets internally as we decode them
		13	to be able to access previous elements at will, needed to validate ordering
		14	and access the actual data. Add testcases for manipulated keys whose
		15	import previously would succeed.
		16
		17	Depends on the two previous commits:
		18	7b399fcb8f52566e6f3b4327197a85facd08db91 and
		19	236b802a4aa48711823a191d1b7f753c82a89ec5
		20
		21	Fixes CVE-2021-3521.
		22
		23	Upstream-Status: Backport [https://github.com/rpm-software-management/rpm/commit/bd36c5dc9]
		24	CVE:CVE-2021-3521
		25
		26	Signed-off-by: Changqing Li <changqing.li@windriver.com>
		27	---
		28	rpmio/rpmpgp.c \| 100 ++++++++++++++++--
		29	tests/Makefile.am \| 3 +
		30	tests/data/keys/CVE-2021-3521-badbind.asc \| 25 +++++
		31	.../data/keys/CVE-2021-3521-nosubsig-last.asc \| 25 +++++
		32	tests/data/keys/CVE-2021-3521-nosubsig.asc \| 37 +++++++
		33	tests/rpmsigdig.at \| 28 +++++
		34	6 files changed, 211 insertions(+), 7 deletions(-)
		35	create mode 100644 tests/data/keys/CVE-2021-3521-badbind.asc
		36	create mode 100644 tests/data/keys/CVE-2021-3521-nosubsig-last.asc
		37	create mode 100644 tests/data/keys/CVE-2021-3521-nosubsig.asc
		38
		39	diff --git a/rpmio/rpmpgp.c b/rpmio/rpmpgp.c
		40	index 57d411d1e0..b12410d671 100644
		41	--- a/rpmio/rpmpgp.c
		42	+++ b/rpmio/rpmpgp.c
		43	@@ -1046,35 +1046,121 @@ static pgpDigParams pgpDigParamsNew(uint8_t tag)
		44	return digp;
		45	}
		46
		47	+static int hashKey(DIGEST_CTX hash, const struct pgpPkt *pkt, int exptag)
		48	+{
		49	+ int rc = -1;
		50	+ if (pkt->tag == exptag) {
		51	+ uint8_t head[] = {
		52	+ 0x99,
		53	+ (pkt->blen >> 8),
		54	+ (pkt->blen ),
		55	+ };
		56	+
		57	+ rpmDigestUpdate(hash, head, 3);
		58	+ rpmDigestUpdate(hash, pkt->body, pkt->blen);
		59	+ rc = 0;
		60	+ }
		61	+ return rc;
		62	+}
		63	+
		64	+static int pgpVerifySelf(pgpDigParams key, pgpDigParams selfsig,
		65	+ const struct pgpPkt *all, int i)
		66	+{
		67	+ int rc = -1;
		68	+ DIGEST_CTX hash = NULL;
		69	+
		70	+ switch (selfsig->sigtype) {
		71	+ case PGPSIGTYPE_SUBKEY_BINDING:
		72	+ hash = rpmDigestInit(selfsig->hash_algo, 0);
		73	+ if (hash) {
		74	+ rc = hashKey(hash, &all[0], PGPTAG_PUBLIC_KEY);
		75	+ if (!rc)
		76	+ rc = hashKey(hash, &all[i-1], PGPTAG_PUBLIC_SUBKEY);
		77	+ }
		78	+ break;
		79	+ default:
		80	+ /* ignore types we can't handle */
		81	+ rc = 0;
		82	+ break;
		83	+ }
		84	+
		85	+ if (hash && rc == 0)
		86	+ rc = pgpVerifySignature(key, selfsig, hash);
		87	+
		88	+ rpmDigestFinal(hash, NULL, NULL, 0);
		89	+
		90	+ return rc;
		91	+}
		92	+
		93	int pgpPrtParams(const uint8_t * pkts, size_t pktlen, unsigned int pkttype,
		94	pgpDigParams * ret)
		95	{
		96	const uint8_t *p = pkts;
		97	const uint8_t *pend = pkts + pktlen;
		98	pgpDigParams digp = NULL;
		99	- struct pgpPkt pkt;
		100	+ pgpDigParams selfsig = NULL;
		101	+ int i = 0;
		102	+ int alloced = 16; /* plenty for normal cases */
		103	+ struct pgpPkt all = xmalloc(alloced sizeof(*all));
		104	int rc = -1; /* assume failure */
		105	+ int expect = 0;
		106	+ int prevtag = 0;
		107
		108	while (p < pend) {
		109	- if (decodePkt(p, (pend - p), &pkt))
		110	+ struct pgpPkt *pkt = &all[i];
		111	+ if (decodePkt(p, (pend - p), pkt))
		112	break;
		113
		114	if (digp == NULL) {
		115	- if (pkttype && pkt.tag != pkttype) {
		116	+ if (pkttype && pkt->tag != pkttype) {
		117	break;
		118	} else {
		119	- digp = pgpDigParamsNew(pkt.tag);
		120	+ digp = pgpDigParamsNew(pkt->tag);
		121	}
		122	}
		123
		124	- if (pgpPrtPkt(&pkt, digp))
		125	+ if (expect) {
		126	+ if (pkt->tag != expect)
		127	+ break;
		128	+ selfsig = pgpDigParamsNew(pkt->tag);
		129	+ }
		130	+
		131	+ if (pgpPrtPkt(pkt, selfsig ? selfsig : digp))
		132	break;
		133
		134	- p += (pkt.body - pkt.head) + pkt.blen;
		135	+ if (selfsig) {
		136	+ /* subkeys must be followed by binding signature */
		137	+ if (prevtag == PGPTAG_PUBLIC_SUBKEY) {
		138	+ if (selfsig->sigtype != PGPSIGTYPE_SUBKEY_BINDING)
		139	+ break;
		140	+ }
		141	+
		142	+ int xx = pgpVerifySelf(digp, selfsig, all, i);
		143	+
		144	+ selfsig = pgpDigParamsFree(selfsig);
		145	+ if (xx)
		146	+ break;
		147	+ expect = 0;
		148	+ }
		149	+
		150	+ if (pkt->tag == PGPTAG_PUBLIC_SUBKEY)
		151	+ expect = PGPTAG_SIGNATURE;
		152	+ prevtag = pkt->tag;
		153	+
		154	+ i++;
		155	+ p += (pkt->body - pkt->head) + pkt->blen;
		156	+ if (pkttype == PGPTAG_SIGNATURE)
		157	+ break;
		158	+
		159	+ if (alloced <= i) {
		160	+ alloced *= 2;
		161	+ all = xrealloc(all, alloced * sizeof(*all));
		162	+ }
		163	}
		164
		165	- rc = (digp && (p == pend)) ? 0 : -1;
		166	+ rc = (digp && (p == pend) && expect == 0) ? 0 : -1;
		167
		168	+ free(all);
		169	if (ret && rc == 0) {
		170	*ret = digp;
		171	} else {
		172	diff --git a/tests/Makefile.am b/tests/Makefile.am
		173	index f742a9e1d2..328234278a 100644
		174	--- a/tests/Makefile.am
		175	+++ b/tests/Makefile.am
		176	@@ -107,6 +107,9 @@ EXTRA_DIST += data/SPECS/hello-config-buildid.spec
		177	EXTRA_DIST += data/SPECS/hello-cd.spec
		178	EXTRA_DIST += data/keys/rpm.org-rsa-2048-test.pub
		179	EXTRA_DIST += data/keys/rpm.org-rsa-2048-test.secret
		180	+EXTRA_DIST += data/keys/CVE-2021-3521-badbind.asc
		181	+EXTRA_DIST += data/keys/CVE-2021-3521-nosubsig.asc
		182	+EXTRA_DIST += data/keys/CVE-2021-3521-nosubsig-last.asc
		183	EXTRA_DIST += data/macros.testfile
		184	EXTRA_DIST += data/macros.debug
		185	EXTRA_DIST += data/SOURCES/foo.c
		186	diff --git a/tests/data/keys/CVE-2021-3521-badbind.asc b/tests/data/keys/CVE-2021-3521-badbind.asc
		187	new file mode 100644
		188	index 0000000000..aea00f9d7a
		189	--- /dev/null
		190	+++ b/tests/data/keys/CVE-2021-3521-badbind.asc
		191	@@ -0,0 +1,25 @@
		192	+-----BEGIN PGP PUBLIC KEY BLOCK-----
		193	+Version: rpm-4.17.90 (NSS-3)
		194	+
		195	+mQENBFjmORgBCAC7TMEk6wnjSs8Dr4yqSScWdU2pjcqrkTxuzdWvowcIUPZI0w/g
		196	+HkRqGd4apjvY2V15kjL10gk3QhFP3pZ/9p7zh8o8NHX7aGdSGDK7NOq1eFaErPRY
		197	+91LW9RiZ0lbOjXEzIL0KHxUiTQEmdXJT43DJMFPyW9fkCWg0OltiX618FUdWWfI8
		198	+eySdLur1utnqBvdEbCUvWK2RX3vQZQdvEBODnNk2pxqTyV0w6VPQ96W++lF/5Aas
		199	+7rUv3HIyIXxIggc8FRrnH+y9XvvHDonhTIlGnYZN4ubm9i4y3gOkrZlGTrEw7elQ
		200	+1QeMyG2QQEbze8YjpTm4iLABCBrRfPRaQpwrABEBAAG0IXJwbS5vcmcgUlNBIHRl
		201	+c3RrZXkgPHJzYUBycG0ub3JnPokBNwQTAQgAIQUCWOY5GAIbAwULCQgHAgYVCAkK
		202	+CwIEFgIDAQIeAQIXgAAKCRBDRFkeGWTF/MxxCACnjqFL+MmPh9W9JQKT2DcLbBzf
		203	+Cqo6wcEBoCOcwgRSk8dSikhARoteoa55JRJhuMyeKhhEAogE9HRmCPFdjezFTwgB
		204	+BDVBpO2dZ023mLXDVCYX3S8pShOgCP6Tn4wqCnYeAdLcGg106N4xcmgtcssJE+Pr
		205	+XzTZksbZsrTVEmL/Ym+R5w5jBfFnGk7Yw7ndwfQsfNXQb5AZynClFxnX546lcyZX
		206	+fEx3/e6ezw57WNOUK6WT+8b+EGovPkbetK/rGxNXuWaP6X4A/QUm8O98nCuHYFQq
		207	++mvNdsCBqGf7mhaRGtpHk/JgCn5rFvArMDqLVrR9hX0LdCSsH7EGE+bR3r7wuQEN
		208	+BFjmORgBCACk+vDZrIXQuFXEYToZVwb2attzbbJJCqD71vmZTLsW0QxuPKRgbcYY
		209	+zp4K4lVBnHhFrF8MOUOxJ7kQWIJZMZFt+BDcptCYurbD2H4W2xvnWViiC+LzCMzz
		210	+iMJT6165uefL4JHTDPxC2fFiM9yrc72LmylJNkM/vepT128J5Qv0gRUaQbHiQuS6
		211	+Dm/+WRnUfx3i89SV4mnBxb/Ta93GVqoOciWwzWSnwEnWYAvOb95JL4U7c5J5f/+c
		212	+KnQDHsW7sIiIdscsWzvgf6qs2Ra1Zrt7Fdk4+ZS2f/adagLhDO1C24sXf5XfMk5m
		213	+L0OGwZSr9m5s17VXxfspgU5ugc8kBJfzABEBAAE=
		214	+=WCfs
		215	+-----END PGP PUBLIC KEY BLOCK-----
		216	+
		217	diff --git a/tests/data/keys/CVE-2021-3521-nosubsig-last.asc b/tests/data/keys/CVE-2021-3521-nosubsig-last.asc
		218	new file mode 100644
		219	index 0000000000..aea00f9d7a
		220	--- /dev/null
		221	+++ b/tests/data/keys/CVE-2021-3521-nosubsig-last.asc
		222	@@ -0,0 +1,25 @@
		223	+-----BEGIN PGP PUBLIC KEY BLOCK-----
		224	+Version: rpm-4.17.90 (NSS-3)
		225	+
		226	+mQENBFjmORgBCAC7TMEk6wnjSs8Dr4yqSScWdU2pjcqrkTxuzdWvowcIUPZI0w/g
		227	+HkRqGd4apjvY2V15kjL10gk3QhFP3pZ/9p7zh8o8NHX7aGdSGDK7NOq1eFaErPRY
		228	+91LW9RiZ0lbOjXEzIL0KHxUiTQEmdXJT43DJMFPyW9fkCWg0OltiX618FUdWWfI8
		229	+eySdLur1utnqBvdEbCUvWK2RX3vQZQdvEBODnNk2pxqTyV0w6VPQ96W++lF/5Aas
		230	+7rUv3HIyIXxIggc8FRrnH+y9XvvHDonhTIlGnYZN4ubm9i4y3gOkrZlGTrEw7elQ
		231	+1QeMyG2QQEbze8YjpTm4iLABCBrRfPRaQpwrABEBAAG0IXJwbS5vcmcgUlNBIHRl
		232	+c3RrZXkgPHJzYUBycG0ub3JnPokBNwQTAQgAIQUCWOY5GAIbAwULCQgHAgYVCAkK
		233	+CwIEFgIDAQIeAQIXgAAKCRBDRFkeGWTF/MxxCACnjqFL+MmPh9W9JQKT2DcLbBzf
		234	+Cqo6wcEBoCOcwgRSk8dSikhARoteoa55JRJhuMyeKhhEAogE9HRmCPFdjezFTwgB
		235	+BDVBpO2dZ023mLXDVCYX3S8pShOgCP6Tn4wqCnYeAdLcGg106N4xcmgtcssJE+Pr
		236	+XzTZksbZsrTVEmL/Ym+R5w5jBfFnGk7Yw7ndwfQsfNXQb5AZynClFxnX546lcyZX
		237	+fEx3/e6ezw57WNOUK6WT+8b+EGovPkbetK/rGxNXuWaP6X4A/QUm8O98nCuHYFQq
		238	++mvNdsCBqGf7mhaRGtpHk/JgCn5rFvArMDqLVrR9hX0LdCSsH7EGE+bR3r7wuQEN
		239	+BFjmORgBCACk+vDZrIXQuFXEYToZVwb2attzbbJJCqD71vmZTLsW0QxuPKRgbcYY
		240	+zp4K4lVBnHhFrF8MOUOxJ7kQWIJZMZFt+BDcptCYurbD2H4W2xvnWViiC+LzCMzz
		241	+iMJT6165uefL4JHTDPxC2fFiM9yrc72LmylJNkM/vepT128J5Qv0gRUaQbHiQuS6
		242	+Dm/+WRnUfx3i89SV4mnBxb/Ta93GVqoOciWwzWSnwEnWYAvOb95JL4U7c5J5f/+c
		243	+KnQDHsW7sIiIdscsWzvgf6qs2Ra1Zrt7Fdk4+ZS2f/adagLhDO1C24sXf5XfMk5m
		244	+L0OGwZSr9m5s17VXxfspgU5ugc8kBJfzABEBAAE=
		245	+=WCfs
		246	+-----END PGP PUBLIC KEY BLOCK-----
		247	+
		248	diff --git a/tests/data/keys/CVE-2021-3521-nosubsig.asc b/tests/data/keys/CVE-2021-3521-nosubsig.asc
		249	new file mode 100644
		250	index 0000000000..3a2e7417f8
		251	--- /dev/null
		252	+++ b/tests/data/keys/CVE-2021-3521-nosubsig.asc
		253	@@ -0,0 +1,37 @@
		254	+-----BEGIN PGP PUBLIC KEY BLOCK-----
		255	+Version: rpm-4.17.90 (NSS-3)
		256	+
		257	+mQENBFjmORgBCAC7TMEk6wnjSs8Dr4yqSScWdU2pjcqrkTxuzdWvowcIUPZI0w/g
		258	+HkRqGd4apjvY2V15kjL10gk3QhFP3pZ/9p7zh8o8NHX7aGdSGDK7NOq1eFaErPRY
		259	+91LW9RiZ0lbOjXEzIL0KHxUiTQEmdXJT43DJMFPyW9fkCWg0OltiX618FUdWWfI8
		260	+eySdLur1utnqBvdEbCUvWK2RX3vQZQdvEBODnNk2pxqTyV0w6VPQ96W++lF/5Aas
		261	+7rUv3HIyIXxIggc8FRrnH+y9XvvHDonhTIlGnYZN4ubm9i4y3gOkrZlGTrEw7elQ
		262	+1QeMyG2QQEbze8YjpTm4iLABCBrRfPRaQpwrABEBAAG0IXJwbS5vcmcgUlNBIHRl
		263	+c3RrZXkgPHJzYUBycG0ub3JnPokBNwQTAQgAIQUCWOY5GAIbAwULCQgHAgYVCAkK
		264	+CwIEFgIDAQIeAQIXgAAKCRBDRFkeGWTF/MxxCACnjqFL+MmPh9W9JQKT2DcLbBzf
		265	+Cqo6wcEBoCOcwgRSk8dSikhARoteoa55JRJhuMyeKhhEAogE9HRmCPFdjezFTwgB
		266	+BDVBpO2dZ023mLXDVCYX3S8pShOgCP6Tn4wqCnYeAdLcGg106N4xcmgtcssJE+Pr
		267	+XzTZksbZsrTVEmL/Ym+R5w5jBfFnGk7Yw7ndwfQsfNXQb5AZynClFxnX546lcyZX
		268	+fEx3/e6ezw57WNOUK6WT+8b+EGovPkbetK/rGxNXuWaP6X4A/QUm8O98nCuHYFQq
		269	++mvNdsCBqGf7mhaRGtpHk/JgCn5rFvArMDqLVrR9hX0LdCSsH7EGE+bR3r7wuQEN
		270	+BFjmORgBCACk+vDZrIXQuFXEYToZVwb2attzbbJJCqD71vmZTLsW0QxuPKRgbcYY
		271	+zp4K4lVBnHhFrF8MOUOxJ7kQWIJZMZFt+BDcptCYurbD2H4W2xvnWViiC+LzCMzz
		272	+iMJT6165uefL4JHTDPxC2fFiM9yrc72LmylJNkM/vepT128J5Qv0gRUaQbHiQuS6
		273	+Dm/+WRnUfx3i89SV4mnBxb/Ta93GVqoOciWwzWSnwEnWYAvOb95JL4U7c5J5f/+c
		274	+KnQDHsW7sIiIdscsWzvgf6qs2Ra1Zrt7Fdk4+ZS2f/adagLhDO1C24sXf5XfMk5m
		275	+L0OGwZSr9m5s17VXxfspgU5ugc8kBJfzABEBAAG5AQ0EWOY5GAEIAKT68NmshdC4
		276	+VcRhOhlXBvZq23NtskkKoPvW+ZlMuxbRDG48pGBtxhjOngriVUGceEWsXww5Q7En
		277	+uRBYglkxkW34ENym0Ji6tsPYfhbbG+dZWKIL4vMIzPOIwlPrXrm558vgkdMM/ELZ
		278	+8WIz3KtzvYubKUk2Qz+96lPXbwnlC/SBFRpBseJC5LoOb/5ZGdR/HeLz1JXiacHF
		279	+v9Nr3cZWqg5yJbDNZKfASdZgC85v3kkvhTtzknl//5wqdAMexbuwiIh2xyxbO+B/
		280	+qqzZFrVmu3sV2Tj5lLZ/9p1qAuEM7ULbixd/ld8yTmYvQ4bBlKv2bmzXtVfF+ymB
		281	+Tm6BzyQEl/MAEQEAAYkBHwQYAQgACQUCWOY5GAIbDAAKCRBDRFkeGWTF/PANB/9j
		282	+mifmj6z/EPe0PJFhrpISt9PjiUQCt0IPtiL5zKAkWjHePIzyi+0kCTBF6DDLFxos
		283	+3vN4bWnVKT1kBhZAQlPqpJTg+m74JUYeDGCdNx9SK7oRllATqyu+5rncgxjWVPnQ
		284	+zu/HRPlWJwcVFYEVXYL8xzfantwQTqefjmcRmBRdA2XJITK+hGWwAmrqAWx+q5xX
		285	+Pa8wkNMxVzNS2rUKO9SoVuJ/wlUvfoShkJ/VJ5HDp3qzUqncADfdGN35TDzscngQ
		286	+gHvnMwVBfYfSCABV1hNByoZcc/kxkrWMmsd/EnIyLd1Q1baKqc3cEDuC6E6/o4yJ
		287	+E4XX4jtDmdZPreZALsiB
		288	+=rRop
		289	+-----END PGP PUBLIC KEY BLOCK-----
		290	+
		291	diff --git a/tests/rpmsigdig.at b/tests/rpmsigdig.at
		292	index e1a3ab062a..705fc58705 100644
		293	--- a/tests/rpmsigdig.at
		294	+++ b/tests/rpmsigdig.at
		295	@@ -240,6 +240,34 @@ gpg(185e6146f00650f8) = 4:185e6146f00650f8-58e63918
		296	[])
		297	AT_CLEANUP
		298
		299	+AT_SETUP([rpmkeys --import invalid keys])
		300	+AT_KEYWORDS([rpmkeys import])
		301	+RPMDB_INIT
		302	+
		303	+AT_CHECK([
		304	+runroot rpmkeys --import /data/keys/CVE-2021-3521-badbind.asc
		305	+],
		306	+[1],
		307	+[],
		308	+[error: /data/keys/CVE-2021-3521-badbind.asc: key 1 import failed.]
		309	+)
		310	+AT_CHECK([
		311	+runroot rpmkeys --import /data/keys/CVE-2021-3521-nosubsig.asc
		312	+],
		313	+[1],
		314	+[],
		315	+[error: /data/keys/CVE-2021-3521-nosubsig.asc: key 1 import failed.]
		316	+)
		317	+
		318	+AT_CHECK([
		319	+runroot rpmkeys --import /data/keys/CVE-2021-3521-nosubsig-last.asc
		320	+],
		321	+[1],
		322	+[],
		323	+[error: /data/keys/CVE-2021-3521-nosubsig-last.asc: key 1 import failed.]
		324	+)
		325	+AT_CLEANUP
		326	+
		327	# ------------------------------
		328	# Test pre-built package verification
		329	AT_SETUP([rpmkeys -K <signed> 1])
		330	--
		331	2.17.1
		332


diff --git a/meta/recipes-devtools/rpm/rpm_4.16.1.3.bb b/meta/recipes-devtools/rpm/rpm_4.16.1.3.bb index 62da3d2095..5a347953fa 100644 --- a/meta/recipes-devtools/rpm/rpm_4.16.1.3.bb +++ b/meta/recipes-devtools/rpm/rpm_4.16.1.3.bb
@@ -41,6 +41,9 @@ SRC_URI = "git://github.com/rpm-software-management/rpm;branch=rpm-4.16.x;protoc
41	file://0001-lib-transaction.c-fix-file-conflicts-for-MIPS64-N32.patch \	41	file://0001-lib-transaction.c-fix-file-conflicts-for-MIPS64-N32.patch \
42	file://0001-tools-Add-error.h-for-non-glibc-case.patch \	42	file://0001-tools-Add-error.h-for-non-glibc-case.patch \
43	file://0001-build-pack.c-do-not-insert-payloadflags-into-.rpm-me.patch \	43	file://0001-build-pack.c-do-not-insert-payloadflags-into-.rpm-me.patch \
		44	file://0001-CVE-2021-3521.patch \
		45	file://0002-CVE-2021-3521.patch \
		46	file://0003-CVE-2021-3521.patch \
44	"	47	"
45		48
46	PE = "1"	49	PE = "1"