rpm: Fix rpm CVE CVE-2021-3521

Links: Dependent Patches: CVE-2021-3521-01 https://github.com/rpm-software-management/rpm/commit/b5e8bc74b2b05aa557f663fe227b94d2bc64fbd8 CVE-2021-3521-02 https://github.com/rpm-software-management/rpm/commit/9f03f42e2614a68f589f9db8fe76287146522c0c CVE-2021-3521-03 https://github.com/rpm-software-management/rpm/commit/5ff86764b17f31535cb247543a90dd739076ec38 CVE-2021-3521 https://github.com/rpm-software-management/rpm/commit/bd36c5dc9fb6d90c46fbfed8c2d67516fc571ec8 (From OE-Core rev: ddb4f775a86855e4ddc6c0d0d1f24a55e0ecbfe0) Signed-off-by: Riyaz Khan <Riyaz.Khan@kpit.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Riyaz Khan <Riyaz.Khan@kpit.com> 2022-12-06 12:08:26 +0530
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2022-12-23 23:05:44 +0000
commit: 80e00ba9b9812272abff8d2687e27e98bf2f48f3 (patch)
tree: eccd74d70da890690696762d94c65fe10bfe80eb /meta/recipes-devtools
parent: cc26cf0eb4cff522aa69523346672d54604397da (diff)
download: poky-80e00ba9b9812272abff8d2687e27e98bf2f48f3.tar.gz
5 files changed, 483 insertions, 0 deletions
diff --git a/meta/recipes-devtools/rpm/files/CVE-2021-3521-01.patch b/meta/recipes-devtools/rpm/files/CVE-2021-3521-01.patch
new file mode 100644
index 0000000000..0882d6f310
--- /dev/null
+++ b/meta/recipes-devtools/rpm/files/CVE-2021-3521-01.patch
@@ -0,0 +1,60 @@
+From b5e8bc74b2b05aa557f663fe227b94d2bc64fbd8 Mon Sep 17 00:00:00 2001
+From: Panu Matilainen <pmatilai@redhat.com>
+Date: Thu, 30 Sep 2021 09:51:10 +0300
+Subject: [PATCH] Process MPI's from all kinds of signatures
+No immediate effect but needed by the following commits.
+Dependent patch:
+CVE: CVE-2021-3521
+Upstream-Status: Backport [https://github.com/rpm-software-management/rpm/commit/b5e8bc74b2b05aa557f663fe227b94d2bc64fbd8]
+Signed-off-by: Riyaz Khan <Riyaz.Khan@kpit.com>
+---
+ rpmio/rpmpgp.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+diff --git a/rpmio/rpmpgp.c b/rpmio/rpmpgp.c
+index ee5c81e246..340de5fc9a 100644
+--- a/rpmio/rpmpgp.c
+++ b/rpmio/rpmpgp.c
+@@ -511,7 +511,7 @@  pgpDigAlg pgpDigAlgFree(pgpDigAlg alg)
+     return NULL;
+ }
+ 
+-static int pgpPrtSigParams(pgpTag tag, uint8_t pubkey_algo, uint8_t sigtype,
+static int pgpPrtSigParams(pgpTag tag, uint8_t pubkey_algo,
+                const uint8_t *p, const uint8_t *h, size_t hlen,
+                pgpDigParams sigp)
+ {
+@@ -524,10 +524,8 @@ static int pgpPrtSigParams(pgpTag tag, uint8_t pubkey_algo, uint8_t sigtype,
+        int mpil = pgpMpiLen(p);
+        if (p + mpil > pend)
+            break;
+-       if (sigtype == PGPSIGTYPE_BINARY || sigtype == PGPSIGTYPE_TEXT) {
+-           if (sigalg->setmpi(sigalg, i, p))
+-               break;
+-       }
+        if (sigalg->setmpi(sigalg, i, p))
+           break;
+        p += mpil;
+     }
+ 
+@@ -600,7 +598,7 @@ static int pgpPrtSig(pgpTag tag, const uint8_t *h, size_t hlen,
+        }
+ 
+        p = ((uint8_t *)v) + sizeof(*v);
+-       rc = pgpPrtSigParams(tag, v->pubkey_algo, v->sigtype, p, h, hlen, _digp);
+       rc = pgpPrtSigParams(tag, v->pubkey_algo, p, h, hlen, _digp);
+     }  break;
+     case 4:
+     {   pgpPktSigV4 v = (pgpPktSigV4)h;
+@@ -658,7 +656,7 @@ static int pgpPrtSig(pgpTag tag, const uint8_t *h, size_t hlen,
+        if (p > (h + hlen))
+            return 1;
+ 
+-       rc = pgpPrtSigParams(tag, v->pubkey_algo, v->sigtype, p, h, hlen, _digp);
+       rc = pgpPrtSigParams(tag, v->pubkey_algo, p, h, hlen, _digp);
+     }  break;
+     default:
+        rpmlog(RPMLOG_WARNING, _("Unsupported version of key: V%d\n"), version);
diff --git a/meta/recipes-devtools/rpm/files/CVE-2021-3521-02.patch b/meta/recipes-devtools/rpm/files/CVE-2021-3521-02.patch
new file mode 100644
index 0000000000..c5f88a8c72
--- /dev/null
+++ b/meta/recipes-devtools/rpm/files/CVE-2021-3521-02.patch
@@ -0,0 +1,55 @@
+From 9f03f42e2614a68f589f9db8fe76287146522c0c Mon Sep 17 00:00:00 2001
+From: Panu Matilainen <pmatilai@redhat.com>
+Date: Thu, 30 Sep 2021 09:56:20 +0300
+Subject: [PATCH] Refactor pgpDigParams construction to helper function
+No functional changes, just to reduce code duplication and needed by
+the following commits.
+Dependent patch:
+CVE: CVE-2021-3521
+Upstream-Status: Backport [https://github.com/rpm-software-management/rpm/commit/9f03f42e2614a68f589f9db8fe76287146522c0c]
+Signed-off-by: Riyaz Khan <Riyaz.Khan@kpit.com>
+---
+ rpmio/rpmpgp.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+diff --git a/rpmio/rpmpgp.c b/rpmio/rpmpgp.c
+index 340de5fc9a..aad7c275c9 100644
+--- a/rpmio/rpmpgp.c
+++ b/rpmio/rpmpgp.c
+@@ -1055,6 +1055,13 @@ unsigned int pgpDigParamsAlgo(pgpDigParams digp, unsigned int algotype)
+     return algo;
+ }
+ 
+static pgpDigParams pgpDigParamsNew(uint8_t tag)
+{
+    pgpDigParams digp = xcalloc(1, sizeof(*digp));
+    digp->tag = tag;
+    return digp;
+}
+
+ int pgpPrtParams(const uint8_t * pkts, size_t pktlen, unsigned int pkttype,
+                 pgpDigParams * ret)
+ {
+@@ -1072,8 +1079,7 @@ int pgpPrtParams(const uint8_t * pkts, size_t pktlen, unsigned int pkttype,
+            if (pkttype && pkt.tag != pkttype) {
+                break;
+            } else {
+-               digp = xcalloc(1, sizeof(*digp));
+-               digp->tag = pkt.tag;
+               digp = pgpDigParamsNew(pkt.tag);
+            }
+        }
+ 
+@@ -1121,8 +1127,7 @@ int pgpPrtParamsSubkeys(const uint8_t *pkts, size_t pktlen,
+                digps = xrealloc(digps, alloced * sizeof(*digps));
+            }
+ 
+-           digps[count] = xcalloc(1, sizeof(**digps));
+-           digps[count]->tag = PGPTAG_PUBLIC_SUBKEY;
+           digps[count] = pgpDigParamsNew(PGPTAG_PUBLIC_SUBKEY);
+            /* Copy UID from main key to subkey */
+            digps[count]->userid = xstrdup(mainkey->userid);
+ 
diff --git a/meta/recipes-devtools/rpm/files/CVE-2021-3521-03.patch b/meta/recipes-devtools/rpm/files/CVE-2021-3521-03.patch
new file mode 100644
index 0000000000..fd31f11beb
--- /dev/null
+++ b/meta/recipes-devtools/rpm/files/CVE-2021-3521-03.patch
@@ -0,0 +1,34 @@
+From 5ff86764b17f31535cb247543a90dd739076ec38 Mon Sep 17 00:00:00 2001
+From: Demi Marie Obenour <demi@invisiblethingslab.com>
+Date: Thu, 6 May 2021 18:34:45 -0400
+Subject: [PATCH] Do not allow extra packets to follow a signature
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+According to RFC 4880 § 11.4, a detached signature is “simply a
+Signature packet”.  Therefore, extra packets following a detached
+signature are not allowed.
+Dependent patch:
+CVE: CVE-2021-3521
+Upstream-Status: Backport [https://github.com/rpm-software-management/rpm/commit/5ff86764b17f31535cb247543a90dd739076ec38]
+Signed-off-by: Riyaz Khan <Riyaz.Khan@kpit.com>
+---
+ rpmio/rpmpgp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+diff --git a/rpmio/rpmpgp.c b/rpmio/rpmpgp.c
+index f1a99e7169..5b346a8253 100644
+--- a/rpmio/rpmpgp.c
+++ b/rpmio/rpmpgp.c
+@@ -1068,6 +1068,8 @@ int pgpPrtParams(const uint8_t * pkts, size_t pktlen, unsigned int pkttype,
+            break;
+ 
+        p += (pkt.body - pkt.head) + pkt.blen;
+       if (pkttype == PGPTAG_SIGNATURE)
+           break;
+     }
+ 
+     rc = (digp && (p == pend)) ? 0 : -1;
diff --git a/meta/recipes-devtools/rpm/files/CVE-2021-3521.patch b/meta/recipes-devtools/rpm/files/CVE-2021-3521.patch
new file mode 100644
index 0000000000..cb9e9842fe
--- /dev/null
+++ b/meta/recipes-devtools/rpm/files/CVE-2021-3521.patch
@@ -0,0 +1,330 @@
+From bd36c5dc9fb6d90c46fbfed8c2d67516fc571ec8 Mon Sep 17 00:00:00 2001
+From: Panu Matilainen <pmatilai@redhat.com>
+Date: Thu, 30 Sep 2021 09:59:30 +0300
+Subject: [PATCH] Validate and require subkey binding signatures on PGP public
+ keys
+All subkeys must be followed by a binding signature by the primary key
+as per the OpenPGP RFC, enforce the presence and validity in the parser.
+The implementation is as kludgey as they come to work around our
+simple-minded parser structure without touching API, to maximise
+backportability. Store all the raw packets internally as we decode them
+to be able to access previous elements at will, needed to validate ordering
+and access the actual data. Add testcases for manipulated keys whose
+import previously would succeed.
+Depends on the two previous commits:
+7b399fcb8f52566e6f3b4327197a85facd08db91 and
+236b802a4aa48711823a191d1b7f753c82a89ec5
+CVE: CVE-2021-3521
+Upstream-Status: Backport [https://github.com/rpm-software-management/rpm/commit/bd36c5dc9fb6d90c46fbfed8c2d67516fc571ec8]
+Comment: Hunk refreshed
+Signed-off-by: Riyaz Khan <Riyaz.Khan@kpit.com>
+Fixes CVE-2021-3521.
+---
+ rpmio/rpmpgp.c                                | 98 +++++++++++++++++--
+ tests/Makefile.am                             |  3 +
+ tests/data/keys/CVE-2021-3521-badbind.asc     | 25 +++++
+ .../data/keys/CVE-2021-3521-nosubsig-last.asc | 25 +++++
+ tests/data/keys/CVE-2021-3521-nosubsig.asc    | 37 +++++++
+ tests/rpmsigdig.at                            | 28 ++++++
+ 6 files changed, 209 insertions(+), 7 deletions(-)
+ create mode 100644 tests/data/keys/CVE-2021-3521-badbind.asc
+ create mode 100644 tests/data/keys/CVE-2021-3521-nosubsig-last.asc
+ create mode 100644 tests/data/keys/CVE-2021-3521-nosubsig.asc
+diff --git a/rpmio/rpmpgp.c b/rpmio/rpmpgp.c
+index aad7c275c9..d70802ae86 100644
+--- a/rpmio/rpmpgp.c
+++ b/rpmio/rpmpgp.c
+@@ -1004,37 +1004,121 @@  static pgpDigParams pgpDigParamsNew(uint8_t tag)
+     return digp;
+ }
+ 
+static int hashKey(DIGEST_CTX hash, const struct pgpPkt *pkt, int exptag)
+{
+    int rc = -1;
+    if (pkt->tag == exptag) {
+       uint8_t head[] = {
+           0x99,
+           (pkt->blen >> 8),
+           (pkt->blen     ),
+       };
+
+       rpmDigestUpdate(hash, head, 3);
+       rpmDigestUpdate(hash, pkt->body, pkt->blen);
+       rc = 0;
+    }
+    return rc;
+}
+
+static int pgpVerifySelf(pgpDigParams key, pgpDigParams selfsig,
+                       const struct pgpPkt *all, int i)
+{
+    int rc = -1;
+    DIGEST_CTX hash = NULL;
+
+    switch (selfsig->sigtype) {
+    case PGPSIGTYPE_SUBKEY_BINDING:
+       hash = rpmDigestInit(selfsig->hash_algo, 0);
+       if (hash) {
+           rc = hashKey(hash, &all[0], PGPTAG_PUBLIC_KEY);
+           if (!rc)
+               rc = hashKey(hash, &all[i-1], PGPTAG_PUBLIC_SUBKEY);
+       }
+       break;
+    default:
+       /* ignore types we can't handle */
+       rc = 0;
+       break;
+    }
+
+    if (hash && rc == 0)
+       rc = pgpVerifySignature(key, selfsig, hash);
+
+    rpmDigestFinal(hash, NULL, NULL, 0);
+
+    return rc;
+}
+
+ int pgpPrtParams(const uint8_t * pkts, size_t pktlen, unsigned int pkttype,
+                 pgpDigParams * ret)
+ {
+     const uint8_t *p = pkts;
+     const uint8_t *pend = pkts + pktlen;
+     pgpDigParams digp = NULL;
+-    struct pgpPkt pkt;
+    pgpDigParams selfsig = NULL;
+    int i = 0;
+    int alloced = 16; /* plenty for normal cases */
+    struct pgpPkt *all = xmalloc(alloced * sizeof(*all));
+     int rc = -1; /* assume failure */
+    int expect = 0;
+    int prevtag = 0;
+ 
+     while (p < pend) {
+-       if (decodePkt(p, (pend - p), &pkt))
+       struct pgpPkt *pkt = &all[i];
+       if (decodePkt(p, (pend - p), pkt))
+            break;
+ 
+        if (digp == NULL) {
+-           if (pkttype && pkt.tag != pkttype) {
+           if (pkttype && pkt->tag != pkttype) {
+                break;
+            } else {
+-               digp = pgpDigParamsNew(pkt.tag);
+               digp = pgpDigParamsNew(pkt->tag);
+            }
+        }
+ 
+-       if (pgpPrtPkt(&pkt, digp))
+       if (expect) {
+           if (pkt->tag != expect)
+               break;
+           selfsig = pgpDigParamsNew(pkt->tag);
+       }
+
+       if (pgpPrtPkt(pkt, selfsig ? selfsig : digp))
+            break;
+ 
+-       p += (pkt.body - pkt.head) + pkt.blen;
+       if (selfsig) {
+           /* subkeys must be followed by binding signature */
+           if (prevtag == PGPTAG_PUBLIC_SUBKEY) {
+               if (selfsig->sigtype != PGPSIGTYPE_SUBKEY_BINDING)
+                   break;
+           }
+
+           int xx = pgpVerifySelf(digp, selfsig, all, i);
+
+           selfsig = pgpDigParamsFree(selfsig);
+           if (xx)
+               break;
+           expect = 0;
+       }
+
+       if (pkt->tag == PGPTAG_PUBLIC_SUBKEY)
+           expect = PGPTAG_SIGNATURE;
+       prevtag = pkt->tag;
+
+       i++;
+       p += (pkt->body - pkt->head) + pkt->blen;
+        if (pkttype == PGPTAG_SIGNATURE)
+            break;
+
+       if (alloced <= i) {
+           alloced *= 2;
+           all = xrealloc(all, alloced * sizeof(*all));
+       }
+     }
+ 
+-    rc = (digp && (p == pend)) ? 0 : -1;
+    rc = (digp && (p == pend) && expect == 0) ? 0 : -1;
+ 
+    free(all);
+     if (ret && rc == 0) {
+        *ret = digp;
+     } else {
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index b4a2e2e1ce..bc535d2833 100644
+--- a/tests/Makefile.am
+++ b/tests/Makefile.am
+@@ -87,6 +87,9 @@ EXTRA_DIST += data/SPECS/hello-config-buildid.spec
+ EXTRA_DIST += data/SPECS/hello-cd.spec
+ EXTRA_DIST += data/keys/rpm.org-rsa-2048-test.pub
+ EXTRA_DIST += data/keys/rpm.org-rsa-2048-test.secret
+EXTRA_DIST += data/keys/CVE-2021-3521-badbind.asc
+EXTRA_DIST += data/keys/CVE-2021-3521-nosubsig.asc
+EXTRA_DIST += data/keys/CVE-2021-3521-nosubsig-last.asc
+ EXTRA_DIST += data/macros.testfile
+ # testsuite voodoo
+diff --git a/tests/data/keys/CVE-2021-3521-badbind.asc b/tests/data/keys/CVE-2021-3521-badbind.asc
+new file mode 100644
+index 0000000000..aea00f9d7a
+--- /dev/null
+++ b/tests/data/keys/CVE-2021-3521-badbind.asc
+@@ -0,0 +1,25 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: rpm-4.17.90 (NSS-3)
+
+mQENBFjmORgBCAC7TMEk6wnjSs8Dr4yqSScWdU2pjcqrkTxuzdWvowcIUPZI0w/g
+HkRqGd4apjvY2V15kjL10gk3QhFP3pZ/9p7zh8o8NHX7aGdSGDK7NOq1eFaErPRY
+91LW9RiZ0lbOjXEzIL0KHxUiTQEmdXJT43DJMFPyW9fkCWg0OltiX618FUdWWfI8
+eySdLur1utnqBvdEbCUvWK2RX3vQZQdvEBODnNk2pxqTyV0w6VPQ96W++lF/5Aas
+7rUv3HIyIXxIggc8FRrnH+y9XvvHDonhTIlGnYZN4ubm9i4y3gOkrZlGTrEw7elQ
+1QeMyG2QQEbze8YjpTm4iLABCBrRfPRaQpwrABEBAAG0IXJwbS5vcmcgUlNBIHRl
+c3RrZXkgPHJzYUBycG0ub3JnPokBNwQTAQgAIQUCWOY5GAIbAwULCQgHAgYVCAkK
+CwIEFgIDAQIeAQIXgAAKCRBDRFkeGWTF/MxxCACnjqFL+MmPh9W9JQKT2DcLbBzf
+Cqo6wcEBoCOcwgRSk8dSikhARoteoa55JRJhuMyeKhhEAogE9HRmCPFdjezFTwgB
+BDVBpO2dZ023mLXDVCYX3S8pShOgCP6Tn4wqCnYeAdLcGg106N4xcmgtcssJE+Pr
+XzTZksbZsrTVEmL/Ym+R5w5jBfFnGk7Yw7ndwfQsfNXQb5AZynClFxnX546lcyZX
+fEx3/e6ezw57WNOUK6WT+8b+EGovPkbetK/rGxNXuWaP6X4A/QUm8O98nCuHYFQq
++mvNdsCBqGf7mhaRGtpHk/JgCn5rFvArMDqLVrR9hX0LdCSsH7EGE+bR3r7wuQEN
+BFjmORgBCACk+vDZrIXQuFXEYToZVwb2attzbbJJCqD71vmZTLsW0QxuPKRgbcYY
+zp4K4lVBnHhFrF8MOUOxJ7kQWIJZMZFt+BDcptCYurbD2H4W2xvnWViiC+LzCMzz
+iMJT6165uefL4JHTDPxC2fFiM9yrc72LmylJNkM/vepT128J5Qv0gRUaQbHiQuS6
+Dm/+WRnUfx3i89SV4mnBxb/Ta93GVqoOciWwzWSnwEnWYAvOb95JL4U7c5J5f/+c
+KnQDHsW7sIiIdscsWzvgf6qs2Ra1Zrt7Fdk4+ZS2f/adagLhDO1C24sXf5XfMk5m
+L0OGwZSr9m5s17VXxfspgU5ugc8kBJfzABEBAAE=
+=WCfs
+-----END PGP PUBLIC KEY BLOCK-----
+
+diff --git a/tests/data/keys/CVE-2021-3521-nosubsig-last.asc b/tests/data/keys/CVE-2021-3521-nosubsig-last.asc
+new file mode 100644
+index 0000000000..aea00f9d7a
+--- /dev/null
+++ b/tests/data/keys/CVE-2021-3521-nosubsig-last.asc
+@@ -0,0 +1,25 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: rpm-4.17.90 (NSS-3)
+
+mQENBFjmORgBCAC7TMEk6wnjSs8Dr4yqSScWdU2pjcqrkTxuzdWvowcIUPZI0w/g
+HkRqGd4apjvY2V15kjL10gk3QhFP3pZ/9p7zh8o8NHX7aGdSGDK7NOq1eFaErPRY
+91LW9RiZ0lbOjXEzIL0KHxUiTQEmdXJT43DJMFPyW9fkCWg0OltiX618FUdWWfI8
+eySdLur1utnqBvdEbCUvWK2RX3vQZQdvEBODnNk2pxqTyV0w6VPQ96W++lF/5Aas
+7rUv3HIyIXxIggc8FRrnH+y9XvvHDonhTIlGnYZN4ubm9i4y3gOkrZlGTrEw7elQ
+1QeMyG2QQEbze8YjpTm4iLABCBrRfPRaQpwrABEBAAG0IXJwbS5vcmcgUlNBIHRl
+c3RrZXkgPHJzYUBycG0ub3JnPokBNwQTAQgAIQUCWOY5GAIbAwULCQgHAgYVCAkK
+CwIEFgIDAQIeAQIXgAAKCRBDRFkeGWTF/MxxCACnjqFL+MmPh9W9JQKT2DcLbBzf
+Cqo6wcEBoCOcwgRSk8dSikhARoteoa55JRJhuMyeKhhEAogE9HRmCPFdjezFTwgB
+BDVBpO2dZ023mLXDVCYX3S8pShOgCP6Tn4wqCnYeAdLcGg106N4xcmgtcssJE+Pr
+XzTZksbZsrTVEmL/Ym+R5w5jBfFnGk7Yw7ndwfQsfNXQb5AZynClFxnX546lcyZX
+fEx3/e6ezw57WNOUK6WT+8b+EGovPkbetK/rGxNXuWaP6X4A/QUm8O98nCuHYFQq
++mvNdsCBqGf7mhaRGtpHk/JgCn5rFvArMDqLVrR9hX0LdCSsH7EGE+bR3r7wuQEN
+BFjmORgBCACk+vDZrIXQuFXEYToZVwb2attzbbJJCqD71vmZTLsW0QxuPKRgbcYY
+zp4K4lVBnHhFrF8MOUOxJ7kQWIJZMZFt+BDcptCYurbD2H4W2xvnWViiC+LzCMzz
+iMJT6165uefL4JHTDPxC2fFiM9yrc72LmylJNkM/vepT128J5Qv0gRUaQbHiQuS6
+Dm/+WRnUfx3i89SV4mnBxb/Ta93GVqoOciWwzWSnwEnWYAvOb95JL4U7c5J5f/+c
+KnQDHsW7sIiIdscsWzvgf6qs2Ra1Zrt7Fdk4+ZS2f/adagLhDO1C24sXf5XfMk5m
+L0OGwZSr9m5s17VXxfspgU5ugc8kBJfzABEBAAE=
+=WCfs
+-----END PGP PUBLIC KEY BLOCK-----
+
+diff --git a/tests/data/keys/CVE-2021-3521-nosubsig.asc b/tests/data/keys/CVE-2021-3521-nosubsig.asc
+new file mode 100644
+index 0000000000..3a2e7417f8
+--- /dev/null
+++ b/tests/data/keys/CVE-2021-3521-nosubsig.asc
+@@ -0,0 +1,37 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: rpm-4.17.90 (NSS-3)
+
+mQENBFjmORgBCAC7TMEk6wnjSs8Dr4yqSScWdU2pjcqrkTxuzdWvowcIUPZI0w/g
+HkRqGd4apjvY2V15kjL10gk3QhFP3pZ/9p7zh8o8NHX7aGdSGDK7NOq1eFaErPRY
+91LW9RiZ0lbOjXEzIL0KHxUiTQEmdXJT43DJMFPyW9fkCWg0OltiX618FUdWWfI8
+eySdLur1utnqBvdEbCUvWK2RX3vQZQdvEBODnNk2pxqTyV0w6VPQ96W++lF/5Aas
+7rUv3HIyIXxIggc8FRrnH+y9XvvHDonhTIlGnYZN4ubm9i4y3gOkrZlGTrEw7elQ
+1QeMyG2QQEbze8YjpTm4iLABCBrRfPRaQpwrABEBAAG0IXJwbS5vcmcgUlNBIHRl
+c3RrZXkgPHJzYUBycG0ub3JnPokBNwQTAQgAIQUCWOY5GAIbAwULCQgHAgYVCAkK
+CwIEFgIDAQIeAQIXgAAKCRBDRFkeGWTF/MxxCACnjqFL+MmPh9W9JQKT2DcLbBzf
+Cqo6wcEBoCOcwgRSk8dSikhARoteoa55JRJhuMyeKhhEAogE9HRmCPFdjezFTwgB
+BDVBpO2dZ023mLXDVCYX3S8pShOgCP6Tn4wqCnYeAdLcGg106N4xcmgtcssJE+Pr
+XzTZksbZsrTVEmL/Ym+R5w5jBfFnGk7Yw7ndwfQsfNXQb5AZynClFxnX546lcyZX
+fEx3/e6ezw57WNOUK6WT+8b+EGovPkbetK/rGxNXuWaP6X4A/QUm8O98nCuHYFQq
++mvNdsCBqGf7mhaRGtpHk/JgCn5rFvArMDqLVrR9hX0LdCSsH7EGE+bR3r7wuQEN
+BFjmORgBCACk+vDZrIXQuFXEYToZVwb2attzbbJJCqD71vmZTLsW0QxuPKRgbcYY
+zp4K4lVBnHhFrF8MOUOxJ7kQWIJZMZFt+BDcptCYurbD2H4W2xvnWViiC+LzCMzz
+iMJT6165uefL4JHTDPxC2fFiM9yrc72LmylJNkM/vepT128J5Qv0gRUaQbHiQuS6
+Dm/+WRnUfx3i89SV4mnBxb/Ta93GVqoOciWwzWSnwEnWYAvOb95JL4U7c5J5f/+c
+KnQDHsW7sIiIdscsWzvgf6qs2Ra1Zrt7Fdk4+ZS2f/adagLhDO1C24sXf5XfMk5m
+L0OGwZSr9m5s17VXxfspgU5ugc8kBJfzABEBAAG5AQ0EWOY5GAEIAKT68NmshdC4
+VcRhOhlXBvZq23NtskkKoPvW+ZlMuxbRDG48pGBtxhjOngriVUGceEWsXww5Q7En
+uRBYglkxkW34ENym0Ji6tsPYfhbbG+dZWKIL4vMIzPOIwlPrXrm558vgkdMM/ELZ
+8WIz3KtzvYubKUk2Qz+96lPXbwnlC/SBFRpBseJC5LoOb/5ZGdR/HeLz1JXiacHF
+v9Nr3cZWqg5yJbDNZKfASdZgC85v3kkvhTtzknl//5wqdAMexbuwiIh2xyxbO+B/
+qqzZFrVmu3sV2Tj5lLZ/9p1qAuEM7ULbixd/ld8yTmYvQ4bBlKv2bmzXtVfF+ymB
+Tm6BzyQEl/MAEQEAAYkBHwQYAQgACQUCWOY5GAIbDAAKCRBDRFkeGWTF/PANB/9j
+mifmj6z/EPe0PJFhrpISt9PjiUQCt0IPtiL5zKAkWjHePIzyi+0kCTBF6DDLFxos
+3vN4bWnVKT1kBhZAQlPqpJTg+m74JUYeDGCdNx9SK7oRllATqyu+5rncgxjWVPnQ
+zu/HRPlWJwcVFYEVXYL8xzfantwQTqefjmcRmBRdA2XJITK+hGWwAmrqAWx+q5xX
+Pa8wkNMxVzNS2rUKO9SoVuJ/wlUvfoShkJ/VJ5HDp3qzUqncADfdGN35TDzscngQ
+gHvnMwVBfYfSCABV1hNByoZcc/kxkrWMmsd/EnIyLd1Q1baKqc3cEDuC6E6/o4yJ
+E4XX4jtDmdZPreZALsiB
+=rRop
+-----END PGP PUBLIC KEY BLOCK-----
+
+diff --git a/tests/rpmsigdig.at b/tests/rpmsigdig.at
+index 0f8f2b4884..c8b9f139e1 100644
+--- a/tests/rpmsigdig.at
+++ b/tests/rpmsigdig.at
+@@ -240,6 +240,34 @@ gpg(185e6146f00650f8) = 4:185e6146f00650f8-58e63918
+ [])
+ AT_CLEANUP
+ 
+AT_SETUP([rpmkeys --import invalid keys])
+AT_KEYWORDS([rpmkeys import])
+RPMDB_INIT
+
+AT_CHECK([
+runroot rpmkeys --import /data/keys/CVE-2021-3521-badbind.asc
+],
+[1],
+[],
+[error: /data/keys/CVE-2021-3521-badbind.asc: key 1 import failed.]
+)
+AT_CHECK([
+runroot rpmkeys --import /data/keys/CVE-2021-3521-nosubsig.asc
+],
+[1],
+[],
+[error: /data/keys/CVE-2021-3521-nosubsig.asc: key 1 import failed.]
+)
+
+AT_CHECK([
+runroot rpmkeys --import /data/keys/CVE-2021-3521-nosubsig-last.asc
+],
+[1],
+[],
+[error: /data/keys/CVE-2021-3521-nosubsig-last.asc: key 1 import failed.]
+)
+AT_CLEANUP
+
+ # ------------------------------
+ # Test pre-built package verification
+ AT_SETUP([rpmkeys -K <signed> 1])
diff --git a/meta/recipes-devtools/rpm/rpm_4.14.2.1.bb b/meta/recipes-devtools/rpm/rpm_4.14.2.1.bb
index 376021d913..4d605c8501 100644
--- a/meta/recipes-devtools/rpm/rpm_4.14.2.1.bb
+++ b/meta/recipes-devtools/rpm/rpm_4.14.2.1.bb
@@ -47,6 +47,10 @@ SRC_URI = "git://github.com/rpm-software-management/rpm;branch=rpm-4.14.x;protoc
           file://0001-rpmio-Fix-lzopen_internal-mode-parsing-when-Tn-is-us.patch \
           file://CVE-2021-3421.patch \
           file://CVE-2021-20266.patch \
+           file://CVE-2021-3521-01.patch \
+           file://CVE-2021-3521-02.patch \
+           file://CVE-2021-3521-03.patch \
+           file://CVE-2021-3521.patch \
           "
 PE = "1"
author	Riyaz Khan <Riyaz.Khan@kpit.com>	2022-12-06 12:08:26 +0530
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2022-12-23 23:05:44 +0000
commit	80e00ba9b9812272abff8d2687e27e98bf2f48f3 (patch)
tree	eccd74d70da890690696762d94c65fe10bfe80eb /meta/recipes-devtools
parent	cc26cf0eb4cff522aa69523346672d54604397da (diff)
download	poky-80e00ba9b9812272abff8d2687e27e98bf2f48f3.tar.gz

diff --git a/meta/recipes-devtools/rpm/files/CVE-2021-3521-01.patch b/meta/recipes-devtools/rpm/files/CVE-2021-3521-01.patch new file mode 100644 index 0000000000..0882d6f310 --- /dev/null +++ b/meta/recipes-devtools/rpm/files/CVE-2021-3521-01.patch
@@ -0,0 +1,60 @@
		1	From b5e8bc74b2b05aa557f663fe227b94d2bc64fbd8 Mon Sep 17 00:00:00 2001
		2	From: Panu Matilainen <pmatilai@redhat.com>
		3	Date: Thu, 30 Sep 2021 09:51:10 +0300
		4	Subject: [PATCH] Process MPI's from all kinds of signatures
		5
		6	No immediate effect but needed by the following commits.
		7
		8	Dependent patch:
		9	CVE: CVE-2021-3521
		10	Upstream-Status: Backport [https://github.com/rpm-software-management/rpm/commit/b5e8bc74b2b05aa557f663fe227b94d2bc64fbd8]
		11	Signed-off-by: Riyaz Khan <Riyaz.Khan@kpit.com>
		12
		13	---
		14	rpmio/rpmpgp.c \| 12 +++++-------
		15	1 file changed, 5 insertions(+), 7 deletions(-)
		16
		17	diff --git a/rpmio/rpmpgp.c b/rpmio/rpmpgp.c
		18	index ee5c81e246..340de5fc9a 100644
		19	--- a/rpmio/rpmpgp.c
		20	+++ b/rpmio/rpmpgp.c
		21	@@ -511,7 +511,7 @@ pgpDigAlg pgpDigAlgFree(pgpDigAlg alg)
		22	return NULL;
		23	}
		24
		25	-static int pgpPrtSigParams(pgpTag tag, uint8_t pubkey_algo, uint8_t sigtype,
		26	+static int pgpPrtSigParams(pgpTag tag, uint8_t pubkey_algo,
		27	const uint8_t p, const uint8_t h, size_t hlen,
		28	pgpDigParams sigp)
		29	{
		30	@@ -524,10 +524,8 @@ static int pgpPrtSigParams(pgpTag tag, uint8_t pubkey_algo, uint8_t sigtype,
		31	int mpil = pgpMpiLen(p);
		32	if (p + mpil > pend)
		33	break;
		34	- if (sigtype == PGPSIGTYPE_BINARY \|\| sigtype == PGPSIGTYPE_TEXT) {
		35	- if (sigalg->setmpi(sigalg, i, p))
		36	- break;
		37	- }
		38	+ if (sigalg->setmpi(sigalg, i, p))
		39	+ break;
		40	p += mpil;
		41	}
		42
		43	@@ -600,7 +598,7 @@ static int pgpPrtSig(pgpTag tag, const uint8_t *h, size_t hlen,
		44	}
		45
		46	p = ((uint8_t )v) + sizeof(v);
		47	- rc = pgpPrtSigParams(tag, v->pubkey_algo, v->sigtype, p, h, hlen, _digp);
		48	+ rc = pgpPrtSigParams(tag, v->pubkey_algo, p, h, hlen, _digp);
		49	} break;
		50	case 4:
		51	{ pgpPktSigV4 v = (pgpPktSigV4)h;
		52	@@ -658,7 +656,7 @@ static int pgpPrtSig(pgpTag tag, const uint8_t *h, size_t hlen,
		53	if (p > (h + hlen))
		54	return 1;
		55
		56	- rc = pgpPrtSigParams(tag, v->pubkey_algo, v->sigtype, p, h, hlen, _digp);
		57	+ rc = pgpPrtSigParams(tag, v->pubkey_algo, p, h, hlen, _digp);
		58	} break;
		59	default:
		60	rpmlog(RPMLOG_WARNING, _("Unsupported version of key: V%d\n"), version);


diff --git a/meta/recipes-devtools/rpm/files/CVE-2021-3521-02.patch b/meta/recipes-devtools/rpm/files/CVE-2021-3521-02.patch new file mode 100644 index 0000000000..c5f88a8c72 --- /dev/null +++ b/meta/recipes-devtools/rpm/files/CVE-2021-3521-02.patch
@@ -0,0 +1,55 @@
		1	From 9f03f42e2614a68f589f9db8fe76287146522c0c Mon Sep 17 00:00:00 2001
		2	From: Panu Matilainen <pmatilai@redhat.com>
		3	Date: Thu, 30 Sep 2021 09:56:20 +0300
		4	Subject: [PATCH] Refactor pgpDigParams construction to helper function
		5
		6	No functional changes, just to reduce code duplication and needed by
		7	the following commits.
		8
		9	Dependent patch:
		10	CVE: CVE-2021-3521
		11	Upstream-Status: Backport [https://github.com/rpm-software-management/rpm/commit/9f03f42e2614a68f589f9db8fe76287146522c0c]
		12	Signed-off-by: Riyaz Khan <Riyaz.Khan@kpit.com>
		13
		14	---
		15	rpmio/rpmpgp.c \| 13 +++++++++----
		16	1 file changed, 9 insertions(+), 4 deletions(-)
		17
		18	diff --git a/rpmio/rpmpgp.c b/rpmio/rpmpgp.c
		19	index 340de5fc9a..aad7c275c9 100644
		20	--- a/rpmio/rpmpgp.c
		21	+++ b/rpmio/rpmpgp.c
		22	@@ -1055,6 +1055,13 @@ unsigned int pgpDigParamsAlgo(pgpDigParams digp, unsigned int algotype)
		23	return algo;
		24	}
		25
		26	+static pgpDigParams pgpDigParamsNew(uint8_t tag)
		27	+{
		28	+ pgpDigParams digp = xcalloc(1, sizeof(*digp));
		29	+ digp->tag = tag;
		30	+ return digp;
		31	+}
		32	+
		33	int pgpPrtParams(const uint8_t * pkts, size_t pktlen, unsigned int pkttype,
		34	pgpDigParams * ret)
		35	{
		36	@@ -1072,8 +1079,7 @@ int pgpPrtParams(const uint8_t * pkts, size_t pktlen, unsigned int pkttype,
		37	if (pkttype && pkt.tag != pkttype) {
		38	break;
		39	} else {
		40	- digp = xcalloc(1, sizeof(*digp));
		41	- digp->tag = pkt.tag;
		42	+ digp = pgpDigParamsNew(pkt.tag);
		43	}
		44	}
		45
		46	@@ -1121,8 +1127,7 @@ int pgpPrtParamsSubkeys(const uint8_t *pkts, size_t pktlen,
		47	digps = xrealloc(digps, alloced * sizeof(*digps));
		48	}
		49
		50	- digps[count] = xcalloc(1, sizeof(**digps));
		51	- digps[count]->tag = PGPTAG_PUBLIC_SUBKEY;
		52	+ digps[count] = pgpDigParamsNew(PGPTAG_PUBLIC_SUBKEY);
		53	/* Copy UID from main key to subkey */
		54	digps[count]->userid = xstrdup(mainkey->userid);
		55


diff --git a/meta/recipes-devtools/rpm/files/CVE-2021-3521-03.patch b/meta/recipes-devtools/rpm/files/CVE-2021-3521-03.patch new file mode 100644 index 0000000000..fd31f11beb --- /dev/null +++ b/meta/recipes-devtools/rpm/files/CVE-2021-3521-03.patch
@@ -0,0 +1,34 @@
		1	From 5ff86764b17f31535cb247543a90dd739076ec38 Mon Sep 17 00:00:00 2001
		2	From: Demi Marie Obenour <demi@invisiblethingslab.com>
		3	Date: Thu, 6 May 2021 18:34:45 -0400
		4	Subject: [PATCH] Do not allow extra packets to follow a signature
		5	MIME-Version: 1.0
		6	Content-Type: text/plain; charset=UTF-8
		7	Content-Transfer-Encoding: 8bit
		8
		9	According to RFC 4880 § 11.4, a detached signature is “simply a
		10	Signature packet”. Therefore, extra packets following a detached
		11	signature are not allowed.
		12
		13	Dependent patch:
		14	CVE: CVE-2021-3521
		15	Upstream-Status: Backport [https://github.com/rpm-software-management/rpm/commit/5ff86764b17f31535cb247543a90dd739076ec38]
		16	Signed-off-by: Riyaz Khan <Riyaz.Khan@kpit.com>
		17
		18	---
		19	rpmio/rpmpgp.c \| 2 ++
		20	1 file changed, 2 insertions(+)
		21
		22	diff --git a/rpmio/rpmpgp.c b/rpmio/rpmpgp.c
		23	index f1a99e7169..5b346a8253 100644
		24	--- a/rpmio/rpmpgp.c
		25	+++ b/rpmio/rpmpgp.c
		26	@@ -1068,6 +1068,8 @@ int pgpPrtParams(const uint8_t * pkts, size_t pktlen, unsigned int pkttype,
		27	break;
		28
		29	p += (pkt.body - pkt.head) + pkt.blen;
		30	+ if (pkttype == PGPTAG_SIGNATURE)
		31	+ break;
		32	}
		33
		34	rc = (digp && (p == pend)) ? 0 : -1;


diff --git a/meta/recipes-devtools/rpm/files/CVE-2021-3521.patch b/meta/recipes-devtools/rpm/files/CVE-2021-3521.patch new file mode 100644 index 0000000000..cb9e9842fe --- /dev/null +++ b/meta/recipes-devtools/rpm/files/CVE-2021-3521.patch
@@ -0,0 +1,330 @@
		1	From bd36c5dc9fb6d90c46fbfed8c2d67516fc571ec8 Mon Sep 17 00:00:00 2001
		2	From: Panu Matilainen <pmatilai@redhat.com>
		3	Date: Thu, 30 Sep 2021 09:59:30 +0300
		4	Subject: [PATCH] Validate and require subkey binding signatures on PGP public
		5	keys
		6
		7	All subkeys must be followed by a binding signature by the primary key
		8	as per the OpenPGP RFC, enforce the presence and validity in the parser.
		9
		10	The implementation is as kludgey as they come to work around our
		11	simple-minded parser structure without touching API, to maximise
		12	backportability. Store all the raw packets internally as we decode them
		13	to be able to access previous elements at will, needed to validate ordering
		14	and access the actual data. Add testcases for manipulated keys whose
		15	import previously would succeed.
		16
		17	Depends on the two previous commits:
		18	7b399fcb8f52566e6f3b4327197a85facd08db91 and
		19	236b802a4aa48711823a191d1b7f753c82a89ec5
		20
		21	CVE: CVE-2021-3521
		22	Upstream-Status: Backport [https://github.com/rpm-software-management/rpm/commit/bd36c5dc9fb6d90c46fbfed8c2d67516fc571ec8]
		23	Comment: Hunk refreshed
		24	Signed-off-by: Riyaz Khan <Riyaz.Khan@kpit.com>
		25
		26	Fixes CVE-2021-3521.
		27	---
		28	rpmio/rpmpgp.c \| 98 +++++++++++++++++--
		29	tests/Makefile.am \| 3 +
		30	tests/data/keys/CVE-2021-3521-badbind.asc \| 25 +++++
		31	.../data/keys/CVE-2021-3521-nosubsig-last.asc \| 25 +++++
		32	tests/data/keys/CVE-2021-3521-nosubsig.asc \| 37 +++++++
		33	tests/rpmsigdig.at \| 28 ++++++
		34	6 files changed, 209 insertions(+), 7 deletions(-)
		35	create mode 100644 tests/data/keys/CVE-2021-3521-badbind.asc
		36	create mode 100644 tests/data/keys/CVE-2021-3521-nosubsig-last.asc
		37	create mode 100644 tests/data/keys/CVE-2021-3521-nosubsig.asc
		38
		39	diff --git a/rpmio/rpmpgp.c b/rpmio/rpmpgp.c
		40	index aad7c275c9..d70802ae86 100644
		41	--- a/rpmio/rpmpgp.c
		42	+++ b/rpmio/rpmpgp.c
		43	@@ -1004,37 +1004,121 @@ static pgpDigParams pgpDigParamsNew(uint8_t tag)
		44	return digp;
		45	}
		46
		47	+static int hashKey(DIGEST_CTX hash, const struct pgpPkt *pkt, int exptag)
		48	+{
		49	+ int rc = -1;
		50	+ if (pkt->tag == exptag) {
		51	+ uint8_t head[] = {
		52	+ 0x99,
		53	+ (pkt->blen >> 8),
		54	+ (pkt->blen ),
		55	+ };
		56	+
		57	+ rpmDigestUpdate(hash, head, 3);
		58	+ rpmDigestUpdate(hash, pkt->body, pkt->blen);
		59	+ rc = 0;
		60	+ }
		61	+ return rc;
		62	+}
		63	+
		64	+static int pgpVerifySelf(pgpDigParams key, pgpDigParams selfsig,
		65	+ const struct pgpPkt *all, int i)
		66	+{
		67	+ int rc = -1;
		68	+ DIGEST_CTX hash = NULL;
		69	+
		70	+ switch (selfsig->sigtype) {
		71	+ case PGPSIGTYPE_SUBKEY_BINDING:
		72	+ hash = rpmDigestInit(selfsig->hash_algo, 0);
		73	+ if (hash) {
		74	+ rc = hashKey(hash, &all[0], PGPTAG_PUBLIC_KEY);
		75	+ if (!rc)
		76	+ rc = hashKey(hash, &all[i-1], PGPTAG_PUBLIC_SUBKEY);
		77	+ }
		78	+ break;
		79	+ default:
		80	+ /* ignore types we can't handle */
		81	+ rc = 0;
		82	+ break;
		83	+ }
		84	+
		85	+ if (hash && rc == 0)
		86	+ rc = pgpVerifySignature(key, selfsig, hash);
		87	+
		88	+ rpmDigestFinal(hash, NULL, NULL, 0);
		89	+
		90	+ return rc;
		91	+}
		92	+
		93	int pgpPrtParams(const uint8_t * pkts, size_t pktlen, unsigned int pkttype,
		94	pgpDigParams * ret)
		95	{
		96	const uint8_t *p = pkts;
		97	const uint8_t *pend = pkts + pktlen;
		98	pgpDigParams digp = NULL;
		99	- struct pgpPkt pkt;
		100	+ pgpDigParams selfsig = NULL;
		101	+ int i = 0;
		102	+ int alloced = 16; /* plenty for normal cases */
		103	+ struct pgpPkt all = xmalloc(alloced sizeof(*all));
		104	int rc = -1; /* assume failure */
		105	+ int expect = 0;
		106	+ int prevtag = 0;
		107
		108	while (p < pend) {
		109	- if (decodePkt(p, (pend - p), &pkt))
		110	+ struct pgpPkt *pkt = &all[i];
		111	+ if (decodePkt(p, (pend - p), pkt))
		112	break;
		113
		114	if (digp == NULL) {
		115	- if (pkttype && pkt.tag != pkttype) {
		116	+ if (pkttype && pkt->tag != pkttype) {
		117	break;
		118	} else {
		119	- digp = pgpDigParamsNew(pkt.tag);
		120	+ digp = pgpDigParamsNew(pkt->tag);
		121	}
		122	}
		123
		124	- if (pgpPrtPkt(&pkt, digp))
		125	+ if (expect) {
		126	+ if (pkt->tag != expect)
		127	+ break;
		128	+ selfsig = pgpDigParamsNew(pkt->tag);
		129	+ }
		130	+
		131	+ if (pgpPrtPkt(pkt, selfsig ? selfsig : digp))
		132	break;
		133
		134	- p += (pkt.body - pkt.head) + pkt.blen;
		135	+ if (selfsig) {
		136	+ /* subkeys must be followed by binding signature */
		137	+ if (prevtag == PGPTAG_PUBLIC_SUBKEY) {
		138	+ if (selfsig->sigtype != PGPSIGTYPE_SUBKEY_BINDING)
		139	+ break;
		140	+ }
		141	+
		142	+ int xx = pgpVerifySelf(digp, selfsig, all, i);
		143	+
		144	+ selfsig = pgpDigParamsFree(selfsig);
		145	+ if (xx)
		146	+ break;
		147	+ expect = 0;
		148	+ }
		149	+
		150	+ if (pkt->tag == PGPTAG_PUBLIC_SUBKEY)
		151	+ expect = PGPTAG_SIGNATURE;
		152	+ prevtag = pkt->tag;
		153	+
		154	+ i++;
		155	+ p += (pkt->body - pkt->head) + pkt->blen;
		156	if (pkttype == PGPTAG_SIGNATURE)
		157	break;
		158	+
		159	+ if (alloced <= i) {
		160	+ alloced *= 2;
		161	+ all = xrealloc(all, alloced * sizeof(*all));
		162	+ }
		163	}
		164
		165	- rc = (digp && (p == pend)) ? 0 : -1;
		166	+ rc = (digp && (p == pend) && expect == 0) ? 0 : -1;
		167
		168	+ free(all);
		169	if (ret && rc == 0) {
		170	*ret = digp;
		171	} else {
		172	diff --git a/tests/Makefile.am b/tests/Makefile.am
		173	index b4a2e2e1ce..bc535d2833 100644
		174	--- a/tests/Makefile.am
		175	+++ b/tests/Makefile.am
		176	@@ -87,6 +87,9 @@ EXTRA_DIST += data/SPECS/hello-config-buildid.spec
		177	EXTRA_DIST += data/SPECS/hello-cd.spec
		178	EXTRA_DIST += data/keys/rpm.org-rsa-2048-test.pub
		179	EXTRA_DIST += data/keys/rpm.org-rsa-2048-test.secret
		180	+EXTRA_DIST += data/keys/CVE-2021-3521-badbind.asc
		181	+EXTRA_DIST += data/keys/CVE-2021-3521-nosubsig.asc
		182	+EXTRA_DIST += data/keys/CVE-2021-3521-nosubsig-last.asc
		183	EXTRA_DIST += data/macros.testfile
		184
		185	# testsuite voodoo
		186	diff --git a/tests/data/keys/CVE-2021-3521-badbind.asc b/tests/data/keys/CVE-2021-3521-badbind.asc
		187	new file mode 100644
		188	index 0000000000..aea00f9d7a
		189	--- /dev/null
		190	+++ b/tests/data/keys/CVE-2021-3521-badbind.asc
		191	@@ -0,0 +1,25 @@
		192	+-----BEGIN PGP PUBLIC KEY BLOCK-----
		193	+Version: rpm-4.17.90 (NSS-3)
		194	+
		195	+mQENBFjmORgBCAC7TMEk6wnjSs8Dr4yqSScWdU2pjcqrkTxuzdWvowcIUPZI0w/g
		196	+HkRqGd4apjvY2V15kjL10gk3QhFP3pZ/9p7zh8o8NHX7aGdSGDK7NOq1eFaErPRY
		197	+91LW9RiZ0lbOjXEzIL0KHxUiTQEmdXJT43DJMFPyW9fkCWg0OltiX618FUdWWfI8
		198	+eySdLur1utnqBvdEbCUvWK2RX3vQZQdvEBODnNk2pxqTyV0w6VPQ96W++lF/5Aas
		199	+7rUv3HIyIXxIggc8FRrnH+y9XvvHDonhTIlGnYZN4ubm9i4y3gOkrZlGTrEw7elQ
		200	+1QeMyG2QQEbze8YjpTm4iLABCBrRfPRaQpwrABEBAAG0IXJwbS5vcmcgUlNBIHRl
		201	+c3RrZXkgPHJzYUBycG0ub3JnPokBNwQTAQgAIQUCWOY5GAIbAwULCQgHAgYVCAkK
		202	+CwIEFgIDAQIeAQIXgAAKCRBDRFkeGWTF/MxxCACnjqFL+MmPh9W9JQKT2DcLbBzf
		203	+Cqo6wcEBoCOcwgRSk8dSikhARoteoa55JRJhuMyeKhhEAogE9HRmCPFdjezFTwgB
		204	+BDVBpO2dZ023mLXDVCYX3S8pShOgCP6Tn4wqCnYeAdLcGg106N4xcmgtcssJE+Pr
		205	+XzTZksbZsrTVEmL/Ym+R5w5jBfFnGk7Yw7ndwfQsfNXQb5AZynClFxnX546lcyZX
		206	+fEx3/e6ezw57WNOUK6WT+8b+EGovPkbetK/rGxNXuWaP6X4A/QUm8O98nCuHYFQq
		207	++mvNdsCBqGf7mhaRGtpHk/JgCn5rFvArMDqLVrR9hX0LdCSsH7EGE+bR3r7wuQEN
		208	+BFjmORgBCACk+vDZrIXQuFXEYToZVwb2attzbbJJCqD71vmZTLsW0QxuPKRgbcYY
		209	+zp4K4lVBnHhFrF8MOUOxJ7kQWIJZMZFt+BDcptCYurbD2H4W2xvnWViiC+LzCMzz
		210	+iMJT6165uefL4JHTDPxC2fFiM9yrc72LmylJNkM/vepT128J5Qv0gRUaQbHiQuS6
		211	+Dm/+WRnUfx3i89SV4mnBxb/Ta93GVqoOciWwzWSnwEnWYAvOb95JL4U7c5J5f/+c
		212	+KnQDHsW7sIiIdscsWzvgf6qs2Ra1Zrt7Fdk4+ZS2f/adagLhDO1C24sXf5XfMk5m
		213	+L0OGwZSr9m5s17VXxfspgU5ugc8kBJfzABEBAAE=
		214	+=WCfs
		215	+-----END PGP PUBLIC KEY BLOCK-----
		216	+
		217	diff --git a/tests/data/keys/CVE-2021-3521-nosubsig-last.asc b/tests/data/keys/CVE-2021-3521-nosubsig-last.asc
		218	new file mode 100644
		219	index 0000000000..aea00f9d7a
		220	--- /dev/null
		221	+++ b/tests/data/keys/CVE-2021-3521-nosubsig-last.asc
		222	@@ -0,0 +1,25 @@
		223	+-----BEGIN PGP PUBLIC KEY BLOCK-----
		224	+Version: rpm-4.17.90 (NSS-3)
		225	+
		226	+mQENBFjmORgBCAC7TMEk6wnjSs8Dr4yqSScWdU2pjcqrkTxuzdWvowcIUPZI0w/g
		227	+HkRqGd4apjvY2V15kjL10gk3QhFP3pZ/9p7zh8o8NHX7aGdSGDK7NOq1eFaErPRY
		228	+91LW9RiZ0lbOjXEzIL0KHxUiTQEmdXJT43DJMFPyW9fkCWg0OltiX618FUdWWfI8
		229	+eySdLur1utnqBvdEbCUvWK2RX3vQZQdvEBODnNk2pxqTyV0w6VPQ96W++lF/5Aas
		230	+7rUv3HIyIXxIggc8FRrnH+y9XvvHDonhTIlGnYZN4ubm9i4y3gOkrZlGTrEw7elQ
		231	+1QeMyG2QQEbze8YjpTm4iLABCBrRfPRaQpwrABEBAAG0IXJwbS5vcmcgUlNBIHRl
		232	+c3RrZXkgPHJzYUBycG0ub3JnPokBNwQTAQgAIQUCWOY5GAIbAwULCQgHAgYVCAkK
		233	+CwIEFgIDAQIeAQIXgAAKCRBDRFkeGWTF/MxxCACnjqFL+MmPh9W9JQKT2DcLbBzf
		234	+Cqo6wcEBoCOcwgRSk8dSikhARoteoa55JRJhuMyeKhhEAogE9HRmCPFdjezFTwgB
		235	+BDVBpO2dZ023mLXDVCYX3S8pShOgCP6Tn4wqCnYeAdLcGg106N4xcmgtcssJE+Pr
		236	+XzTZksbZsrTVEmL/Ym+R5w5jBfFnGk7Yw7ndwfQsfNXQb5AZynClFxnX546lcyZX
		237	+fEx3/e6ezw57WNOUK6WT+8b+EGovPkbetK/rGxNXuWaP6X4A/QUm8O98nCuHYFQq
		238	++mvNdsCBqGf7mhaRGtpHk/JgCn5rFvArMDqLVrR9hX0LdCSsH7EGE+bR3r7wuQEN
		239	+BFjmORgBCACk+vDZrIXQuFXEYToZVwb2attzbbJJCqD71vmZTLsW0QxuPKRgbcYY
		240	+zp4K4lVBnHhFrF8MOUOxJ7kQWIJZMZFt+BDcptCYurbD2H4W2xvnWViiC+LzCMzz
		241	+iMJT6165uefL4JHTDPxC2fFiM9yrc72LmylJNkM/vepT128J5Qv0gRUaQbHiQuS6
		242	+Dm/+WRnUfx3i89SV4mnBxb/Ta93GVqoOciWwzWSnwEnWYAvOb95JL4U7c5J5f/+c
		243	+KnQDHsW7sIiIdscsWzvgf6qs2Ra1Zrt7Fdk4+ZS2f/adagLhDO1C24sXf5XfMk5m
		244	+L0OGwZSr9m5s17VXxfspgU5ugc8kBJfzABEBAAE=
		245	+=WCfs
		246	+-----END PGP PUBLIC KEY BLOCK-----
		247	+
		248	diff --git a/tests/data/keys/CVE-2021-3521-nosubsig.asc b/tests/data/keys/CVE-2021-3521-nosubsig.asc
		249	new file mode 100644
		250	index 0000000000..3a2e7417f8
		251	--- /dev/null
		252	+++ b/tests/data/keys/CVE-2021-3521-nosubsig.asc
		253	@@ -0,0 +1,37 @@
		254	+-----BEGIN PGP PUBLIC KEY BLOCK-----
		255	+Version: rpm-4.17.90 (NSS-3)
		256	+
		257	+mQENBFjmORgBCAC7TMEk6wnjSs8Dr4yqSScWdU2pjcqrkTxuzdWvowcIUPZI0w/g
		258	+HkRqGd4apjvY2V15kjL10gk3QhFP3pZ/9p7zh8o8NHX7aGdSGDK7NOq1eFaErPRY
		259	+91LW9RiZ0lbOjXEzIL0KHxUiTQEmdXJT43DJMFPyW9fkCWg0OltiX618FUdWWfI8
		260	+eySdLur1utnqBvdEbCUvWK2RX3vQZQdvEBODnNk2pxqTyV0w6VPQ96W++lF/5Aas
		261	+7rUv3HIyIXxIggc8FRrnH+y9XvvHDonhTIlGnYZN4ubm9i4y3gOkrZlGTrEw7elQ
		262	+1QeMyG2QQEbze8YjpTm4iLABCBrRfPRaQpwrABEBAAG0IXJwbS5vcmcgUlNBIHRl
		263	+c3RrZXkgPHJzYUBycG0ub3JnPokBNwQTAQgAIQUCWOY5GAIbAwULCQgHAgYVCAkK
		264	+CwIEFgIDAQIeAQIXgAAKCRBDRFkeGWTF/MxxCACnjqFL+MmPh9W9JQKT2DcLbBzf
		265	+Cqo6wcEBoCOcwgRSk8dSikhARoteoa55JRJhuMyeKhhEAogE9HRmCPFdjezFTwgB
		266	+BDVBpO2dZ023mLXDVCYX3S8pShOgCP6Tn4wqCnYeAdLcGg106N4xcmgtcssJE+Pr
		267	+XzTZksbZsrTVEmL/Ym+R5w5jBfFnGk7Yw7ndwfQsfNXQb5AZynClFxnX546lcyZX
		268	+fEx3/e6ezw57WNOUK6WT+8b+EGovPkbetK/rGxNXuWaP6X4A/QUm8O98nCuHYFQq
		269	++mvNdsCBqGf7mhaRGtpHk/JgCn5rFvArMDqLVrR9hX0LdCSsH7EGE+bR3r7wuQEN
		270	+BFjmORgBCACk+vDZrIXQuFXEYToZVwb2attzbbJJCqD71vmZTLsW0QxuPKRgbcYY
		271	+zp4K4lVBnHhFrF8MOUOxJ7kQWIJZMZFt+BDcptCYurbD2H4W2xvnWViiC+LzCMzz
		272	+iMJT6165uefL4JHTDPxC2fFiM9yrc72LmylJNkM/vepT128J5Qv0gRUaQbHiQuS6
		273	+Dm/+WRnUfx3i89SV4mnBxb/Ta93GVqoOciWwzWSnwEnWYAvOb95JL4U7c5J5f/+c
		274	+KnQDHsW7sIiIdscsWzvgf6qs2Ra1Zrt7Fdk4+ZS2f/adagLhDO1C24sXf5XfMk5m
		275	+L0OGwZSr9m5s17VXxfspgU5ugc8kBJfzABEBAAG5AQ0EWOY5GAEIAKT68NmshdC4
		276	+VcRhOhlXBvZq23NtskkKoPvW+ZlMuxbRDG48pGBtxhjOngriVUGceEWsXww5Q7En
		277	+uRBYglkxkW34ENym0Ji6tsPYfhbbG+dZWKIL4vMIzPOIwlPrXrm558vgkdMM/ELZ
		278	+8WIz3KtzvYubKUk2Qz+96lPXbwnlC/SBFRpBseJC5LoOb/5ZGdR/HeLz1JXiacHF
		279	+v9Nr3cZWqg5yJbDNZKfASdZgC85v3kkvhTtzknl//5wqdAMexbuwiIh2xyxbO+B/
		280	+qqzZFrVmu3sV2Tj5lLZ/9p1qAuEM7ULbixd/ld8yTmYvQ4bBlKv2bmzXtVfF+ymB
		281	+Tm6BzyQEl/MAEQEAAYkBHwQYAQgACQUCWOY5GAIbDAAKCRBDRFkeGWTF/PANB/9j
		282	+mifmj6z/EPe0PJFhrpISt9PjiUQCt0IPtiL5zKAkWjHePIzyi+0kCTBF6DDLFxos
		283	+3vN4bWnVKT1kBhZAQlPqpJTg+m74JUYeDGCdNx9SK7oRllATqyu+5rncgxjWVPnQ
		284	+zu/HRPlWJwcVFYEVXYL8xzfantwQTqefjmcRmBRdA2XJITK+hGWwAmrqAWx+q5xX
		285	+Pa8wkNMxVzNS2rUKO9SoVuJ/wlUvfoShkJ/VJ5HDp3qzUqncADfdGN35TDzscngQ
		286	+gHvnMwVBfYfSCABV1hNByoZcc/kxkrWMmsd/EnIyLd1Q1baKqc3cEDuC6E6/o4yJ
		287	+E4XX4jtDmdZPreZALsiB
		288	+=rRop
		289	+-----END PGP PUBLIC KEY BLOCK-----
		290	+
		291	diff --git a/tests/rpmsigdig.at b/tests/rpmsigdig.at
		292	index 0f8f2b4884..c8b9f139e1 100644
		293	--- a/tests/rpmsigdig.at
		294	+++ b/tests/rpmsigdig.at
		295	@@ -240,6 +240,34 @@ gpg(185e6146f00650f8) = 4:185e6146f00650f8-58e63918
		296	[])
		297	AT_CLEANUP
		298
		299	+AT_SETUP([rpmkeys --import invalid keys])
		300	+AT_KEYWORDS([rpmkeys import])
		301	+RPMDB_INIT
		302	+
		303	+AT_CHECK([
		304	+runroot rpmkeys --import /data/keys/CVE-2021-3521-badbind.asc
		305	+],
		306	+[1],
		307	+[],
		308	+[error: /data/keys/CVE-2021-3521-badbind.asc: key 1 import failed.]
		309	+)
		310	+AT_CHECK([
		311	+runroot rpmkeys --import /data/keys/CVE-2021-3521-nosubsig.asc
		312	+],
		313	+[1],
		314	+[],
		315	+[error: /data/keys/CVE-2021-3521-nosubsig.asc: key 1 import failed.]
		316	+)
		317	+
		318	+AT_CHECK([
		319	+runroot rpmkeys --import /data/keys/CVE-2021-3521-nosubsig-last.asc
		320	+],
		321	+[1],
		322	+[],
		323	+[error: /data/keys/CVE-2021-3521-nosubsig-last.asc: key 1 import failed.]
		324	+)
		325	+AT_CLEANUP
		326	+
		327	# ------------------------------
		328	# Test pre-built package verification
		329	AT_SETUP([rpmkeys -K <signed> 1])
		330


diff --git a/meta/recipes-devtools/rpm/rpm_4.14.2.1.bb b/meta/recipes-devtools/rpm/rpm_4.14.2.1.bb index 376021d913..4d605c8501 100644 --- a/meta/recipes-devtools/rpm/rpm_4.14.2.1.bb +++ b/meta/recipes-devtools/rpm/rpm_4.14.2.1.bb
@@ -47,6 +47,10 @@ SRC_URI = "git://github.com/rpm-software-management/rpm;branch=rpm-4.14.x;protoc
47	file://0001-rpmio-Fix-lzopen_internal-mode-parsing-when-Tn-is-us.patch \	47	file://0001-rpmio-Fix-lzopen_internal-mode-parsing-when-Tn-is-us.patch \
48	file://CVE-2021-3421.patch \	48	file://CVE-2021-3421.patch \
49	file://CVE-2021-20266.patch \	49	file://CVE-2021-20266.patch \
		50	file://CVE-2021-3521-01.patch \
		51	file://CVE-2021-3521-02.patch \
		52	file://CVE-2021-3521-03.patch \
		53	file://CVE-2021-3521.patch \
50	"	54	"
51		55
52	PE = "1"	56	PE = "1"