Description
There is a flaw in RPM's signature functionality. OpenPGP subkeys are associated with a primary key via a "binding signature."[1] RPM does not check the binding signature of subkeys prior to importing them. If an attacker is able to add or socially engineer another party to add a malicious subkey to a legitimate public key, RPM could wrongly trust a malicious signature. The greatest impact of this flaw is to data integrity.1. https://tools.ietf.org/html/rfc4880#section-5.2.1
Solution(s)
redhat-upgrade-python3-rpmredhat-upgrade-python3-rpm-debuginforedhat-upgrade-rpmredhat-upgrade-rpm-apidocsredhat-upgrade-rpm-buildredhat-upgrade-rpm-build-debuginforedhat-upgrade-rpm-build-libsredhat-upgrade-rpm-build-libs-debuginforedhat-upgrade-rpm-cronredhat-upgrade-rpm-debuginforedhat-upgrade-rpm-debugsourceredhat-upgrade-rpm-develredhat-upgrade-rpm-devel-debuginforedhat-upgrade-rpm-libsredhat-upgrade-rpm-libs-debuginforedhat-upgrade-rpm-plugin-fapolicydredhat-upgrade-rpm-plugin-fapolicyd-debuginforedhat-upgrade-rpm-plugin-imaredhat-upgrade-rpm-plugin-ima-debuginforedhat-upgrade-rpm-plugin-prioresetredhat-upgrade-rpm-plugin-prioreset-debuginforedhat-upgrade-rpm-plugin-selinuxredhat-upgrade-rpm-plugin-selinux-debuginforedhat-upgrade-rpm-plugin-syslogredhat-upgrade-rpm-plugin-syslog-debuginforedhat-upgrade-rpm-plugin-systemd-inhibitredhat-upgrade-rpm-plugin-systemd-inhibit-debuginforedhat-upgrade-rpm-signredhat-upgrade-rpm-sign-debuginfo
ReferencesCVE-2021-3521RHSA-2022:0254