RedHat’s default package management system RPM contained a hidden security bug since day one. CloudLinux’s Linux developer Dmitry Antipov discovered this bug and submitted a patch.
Unauthorized RPM packages cause a big security hole
Dmitry Antipov, a Linux developer at CloudLinux, AlmaLinux OS‘s parent company, first found the problem in March 2021. Antipov discovered that RPM would work with unauthorized RPM packages. He tried to fix the simple use case with the only revoked subkey.
Antipov explained the bug in an interview, saying,
“The problem is that both RPM and DNF do a check to see if the key is valid and genuine but not expired, but not for revocation. As I understand it, all the distribution vendors have just been lucky enough never to have been hit by this.”
Without warning, unsigned packages or packages signed with revoked keys could silently be patched or updated. Users could not know if it was kosher. This was the result of RPM’s revocation. Antipov and TuxCare team think opening a Common Vulnerabilities and Exposures (CVE) about the issue since.