CVE-2017-7435, CVE-2017-7436 and CVE-2017-9269: libzypp-16.15.2 and higher will no longer automatically accept unsigned packages / repositories.

  • Document ID: 7021171
  • Creation Date: 03-Aug-2017
  • Modified Date: 11-Aug-2017

Environment

SUSE Linux Enterprise Desktop 12
SUSE Linux Enterprise Server 12 Service Pack 2 (SLES 12 SP2)
SUSE Manager 3
SUSE Manager 3.1

Situation

Due to CVE-2017-7435 and CVE-2017-7436, the behaviour of libzypp was changed so that unsigned packages and repositories are no longer accepted by default.

Resolution

In the case of SUSE Manager, for a short period of time, libzypp-16.15.(>=2) will silently accept unsigned packages if a repository's gpgcheck configuration is explicitly turned off, for example:

gpgcheck      = 0
repo_gpgcheck = 0
pkg_gpgcheck  = 1

With libzypp-16.16.* the above configuration will reject unsigned packages.

With zypper-1.13.31 the following new options will be available to manage the behaviour changes for adding and modifying repositories:

    --gpgcheck (default: requires either signed repo or signed package)
        gpgcheck        = 1
    (repo_gpgcheck/pkg_gpgcheck unset: follow zypp.conf)

    --gpgcheck-strict (requires signed package even for signed repos)
        gpgcheck        = 1
        repo_gpgcheck   = 1
        pkg_gpgcheck    = 1

    --gpgcheck-allow-unsigned  (allow repo and package to be unsigned)
        gpgcheck        = 1
        repo_gpgcheck   = 0
        pkg_gpgcheck    = 0

    --gpgcheck-allow-unsigned-repo  (allow repo to be unsigned)
        gpgcheck        = 1
        repo_gpgcheck   = 0
        (pkg_gpgcheck unset: follow zypp.conf)

    --gpgcheck-allow-unsigned-package (allow package to be unsigned)
        gpgcheck        = 1
        (repo_gpgcheck unset: follow zypp.conf)
        pkg_gpgcheck    = 0
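The option-to-setting mapping above can be turned into an audit of what is already configured on a host. The following script is an added example, not part of this TID or of zypper itself; it assumes the INI-style .repo files zypper writes to /etc/zypp/repos.d (one [alias] section per repository, keys gpgcheck / repo_gpgcheck / pkg_gpgcheck), and the sample repo file it writes is constructed for the demonstration.

```shell
# Label each [alias] section of a zypper .repo file using the option-to-setting mapping
# above. Unset keys follow zypp.conf, so a section with only gpgcheck=1 is "default".
audit_repo_file() {
    awk '
    function val(k) { return (k in kv) ? kv[k] : "unset" }
    function classify(   g, r, p) {
        g = val("gpgcheck"); r = val("repo_gpgcheck"); p = val("pkg_gpgcheck")
        if (g == "0")             return "gpgcheck-off"            # checking disabled outright
        if (r == "0" && p == "0") return "allow-unsigned"          # --gpgcheck-allow-unsigned
        if (r == "0")             return "allow-unsigned-repo"     # --gpgcheck-allow-unsigned-repo
        if (p == "0")             return "allow-unsigned-package"  # --gpgcheck-allow-unsigned-package
        if (r == "1" && p == "1") return "strict"                  # --gpgcheck-strict
        return "default"                                           # --gpgcheck
    }
    function flush(   k) {                          # emit the finished section, reset state
        if (alias != "") printf "%s %s\n", alias, classify()
        for (k in kv) delete kv[k]; alias = ""
    }
    /^[[:space:]]*\[.*\][[:space:]]*$/ { flush(); alias = $0; gsub(/^[[:space:]]*\[|\][[:space:]]*$/, "", alias); next }
    /^[[:space:]]*([#;]|$)/ { next }                # skip comments and blank lines
    /=/ {                                           # key = value, whitespace tolerant
        key = $0; sub(/[[:space:]]*=.*$/, "", key); gsub(/^[[:space:]]+/, "", key)
        v = $0;   sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]+$/, "", v)
        kv[key] = v
    }
    END { flush() }' "$1"
}

# Constructed sample (not a real SUSE repo definition), one section per case.
write_demo_repo() {
    f=$(mktemp) || return 1; cat >"$f" <<'EOF'
[vendor-updates]
gpgcheck=1
[internal-builds]
gpgcheck=1
repo_gpgcheck=0
pkg_gpgcheck=0
[legacy-mirror]
gpgcheck      = 0
repo_gpgcheck = 0
pkg_gpgcheck  = 1
[hardened]
gpgcheck=1
repo_gpgcheck=1
pkg_gpgcheck=1
EOF
    printf '%s\n' "$f"
}

audit_repo_file "$(write_demo_repo)"   # prints e.g. "internal-builds allow-unsigned"
```

Run it over every file in /etc/zypp/repos.d to see which repositories would still accept unsigned metadata or packages once the stricter libzypp is installed.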

Cause

The changes were needed to address security issues related to CVE-2017-7435, CVE-2017-7436 and CVE-2017-9269.

Additional Information

In the case of SUSE Manager, where customers add their own unsigned packages to repositories, these used to be accepted by default without any warning. With the newer libzypp version, however, a warning will be shown:

File 'repomd.xml' from repository 'repo_name' is unsigned, continue? [yes/no] (no):

In a non-interactive run the prompt is declined by default, so the unsigned file is rejected.
