rust-rpm-sequoia Denial-of-Service Vulnerability via Crafted RPM File
Vulnerability
A denial-of-service vulnerability has been identified in rust-rpm-sequoia. This issue arises when a specially crafted Red Hat Package Manager (RPM) file is processed during the signature verification phase. The crafted file can cause a Rust panic in the OpenPGP signature parsing component, librpm_sequoia, leading to an abrupt termination of the rpm process. As a result, the system becomes unable to verify the signatures of RPM files, causing an application-level denial of service. This vulnerability can be exploited without any privileges or user interaction by using standard RPM command-line options such as 'rpm -Kv' or 'rpm --checksig'.
Impact
Exploitation of this vulnerability causes an application-level denial of service: the rpm process is terminated prematurely, disrupting normal RPM file processing and signature verification workflows.
Reproduction
To reproduce this vulnerability, obtain a specially crafted RPM file that triggers the OpenPGP signature parsing error in rust-rpm-sequoia. Then, use the RPM command-line tool with the '--checksig' or '-Kv' options to process the file. The rpm command will attempt to verify the signatures, but the crafted file will cause a Rust panic, leading to an unconditional abort of the rpm process.
Remediation
Users are advised to avoid processing untrusted or attacker-controlled RPM files with the 'rpm -Kv' or 'rpm --checksig' commands. Instead, use isolated environments or additional validation layers when handling untrusted RPM artifacts.
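A fail-closed wrapper, added here as an example of the "additional validation layer" suggested above (it is not code from this advisory or from rust-rpm-sequoia): it runs 'rpm -Kv' under a timeout and treats an abnormal termination of the verifier, such as the abort described above, as a verification failure rather than as a clean result. The helper names, the SANDBOX_PREFIX isolation command and the sample return codes are assumptions.

```python
import signal
import subprocess
from dataclasses import dataclass
from typing import List, Optional

# Assumed isolation prefix; set it to the sandbox actually in use
# (e.g. a container or bwrap invocation). Empty means "run directly".
SANDBOX_PREFIX: List[str] = []


@dataclass(frozen=True)
class CheckResult:
    verdict: str   # "ok", "bad_signature", "verifier_crashed", "timeout"
    detail: str


def classify(returncode: Optional[int], output: str, timed_out: bool = False) -> CheckResult:
    """Map the outcome of an 'rpm -Kv' run to a fail-closed verdict.

    subprocess reports termination by a signal as a negative return code, so
    the abort caused by the Rust panic shows up as -SIGABRT rather than as
    rpm's own non-zero "signature failed" status. Both mean the package is
    untrusted, but a crash is flagged separately so it can be alerted on.
    """
    if timed_out:
        return CheckResult("timeout", "rpm did not finish; treating package as untrusted")
    if returncode is not None and returncode < 0:
        try:
            sig = signal.Signals(-returncode).name
        except ValueError:
            sig = f"signal {-returncode}"
        return CheckResult("verifier_crashed", f"rpm killed by {sig}; possible malformed signature header")
    if returncode == 0:
        return CheckResult("ok", output.strip())
    return CheckResult("bad_signature", output.strip())


def check_rpm(path: str, timeout_s: float = 30.0) -> CheckResult:
    """Run 'rpm -Kv' on one file inside the assumed sandbox and classify the result."""
    cmd = SANDBOX_PREFIX + ["rpm", "-Kv", "--", path]
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout_s)
    except subprocess.TimeoutExpired:
        return classify(None, "", timed_out=True)
    return classify(proc.returncode, proc.stdout + proc.stderr)
```

Only the "ok" verdict should allow a package to proceed; "verifier_crashed" is the case worth logging and alerting on, since a signature failure and a crashed verifier are otherwise easy to conflate.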