Re: [Rpm-maint] [rpm-software-management/rpm] How can I find details on the binary representation of the RPM DB? (Discussion #2211)

2023-11-08 Thread Demi Marie Obenour
It does not, @pmatilai, but many people are uncomfortable with situations where 
reporting a bug via the proper channels (public GitHub issue) means publicizing 
a 0day vulnerability in their own product.  They would prefer if security 
problems in their product caused by upstream bugs were considered security 
vulnerabilities in the upstream code, so that they could be handled via the 
private channels used for such things (secal...@redhat.com in this case).

-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/discussions/2211#discussioncomment-7511960
You are receiving this because you are subscribed to this thread.

Message ID: 
___
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
http://lists.rpm.org/mailman/listinfo/rpm-maint


Re: [Rpm-maint] [rpm-software-management/rpm] How can I find details on the binary representation of the RPM DB? (Discussion #2211)

2023-11-07 Thread Panu Matilainen
And that prevents you from reporting bugs? If so, the security world is an even 
sadder place than I thought.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/discussions/2211#discussioncomment-7506935


Re: [Rpm-maint] [rpm-software-management/rpm] How can I find details on the binary representation of the RPM DB? (Discussion #2211)

2023-11-07 Thread Demi Marie Obenour
@pmatilai I, and I suspect @rhdesmond as well, are not comfortable creating a 
situation where a bug is not a security vulnerability in RPM, but is a security 
vulnerability in the downstream project.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/discussions/2211#discussioncomment-7501644


Re: [Rpm-maint] [rpm-software-management/rpm] How can I find details on the binary representation of the RPM DB? (Discussion #2211)

2023-11-07 Thread Ron Desmond
Thanks for the detailed discussion all!

@DemiMarie is correct; I understand @pmatilai's concerns about intended use and 
security impact.  For now, we parse the db files (as other open source scanners 
do) as creating a runtime is prohibitively expensive as pointed out above.  
Appreciate the notes!

-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/discussions/2211#discussioncomment-7500519


Re: [Rpm-maint] [rpm-software-management/rpm] How can I find details on the binary representation of the RPM DB? (Discussion #2211)

2023-11-06 Thread Panu Matilainen
A bug is a bug. The database needs to be as robust as anything else in rpm, 
security impact or no.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/discussions/2211#discussioncomment-7495545


Re: [Rpm-maint] [rpm-software-management/rpm] How can I find details on the binary representation of the RPM DB? (Discussion #2211)

2023-11-06 Thread Demi Marie Obenour
I think @rhdesmond is in the situation of needing to process RPM databases that 
come from untrusted container images.  These databases might be malicious and 
might try to exploit a bug in librpm to compromise the vulnerability scanner.  
Such a bug would arguably be out of scope for librpm because it would require 
root privileges to exploit, but in this case the root filesystem itself is 
untrusted.  That’s why I suggested compiling librpm via WebAssembly, so that 
the impact of a compromise is limited.

Without a trick like this, the only other approach that meets certain security 
requirements is to create a new virtual machine for each and every container 
being scanned, which is slow, uses lots of memory, and is incompatible with 
most cloud environments.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/discussions/2211#discussioncomment-7491327


Re: [Rpm-maint] [rpm-software-management/rpm] How can I find details on the binary representation of the RPM DB? (Discussion #2211)

2023-11-05 Thread Panu Matilainen
If you don't want to link to librpm, then the other option is to use the rpm cli. 
Everything about the packages is accessible with rpm cli queries. 

I don't understand your use-case, but if you absolutely need the package 
information on file-system then create that info using rpm queries, as a part 
of the container image create process or otherwise. We even ship with a cron 
script to do this daily (see script/rpm.daily in the source) that you can use 
as a basis if it doesn't do what you need.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/discussions/2211#discussioncomment-7484095


Re: [Rpm-maint] [rpm-software-management/rpm] How can I find details on the binary representation of the RPM DB? (Discussion #2211)

2023-11-05 Thread Demi Marie Obenour
Nope.

Is there a reason that using librpm is not an option?  If there is, you will 
need to reverse-engineer the format and keep pace with whatever librpm does.  
Could you compile librpm to WebAssembly and create a new WebAssembly runtime 
for each container?  That could be a solution to security concerns.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/discussions/2211#discussioncomment-7482856


Re: [Rpm-maint] [rpm-software-management/rpm] How can I find details on the binary representation of the RPM DB? (Discussion #2211)

2023-11-05 Thread Ron Desmond
This restricts our use case (container vulnerability scanning): is there a 
recommended way to see package information from the filesystem (like how Debian 
has `/var/lib/dpkg/info/[PACKAGE].list` files)

-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/discussions/2211#discussioncomment-7482049


Re: [Rpm-maint] [rpm-software-management/rpm] How can I find details on the binary representation of the RPM DB? (Discussion #2211)

2022-10-04 Thread Panu Matilainen
Nothing wrong with curiosity, and this being open source, obviously nobody can 
prevent people from looking.
However, I have no incentive to help planned misuse, which is clearly the case 
here.

The rpmdb format is undocumented because it is a private implementation detail 
which rpm is free to change at will.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/discussions/2211#discussioncomment-3793589


Re: [Rpm-maint] [rpm-software-management/rpm] How can I find details on the binary representation of the RPM DB? (Discussion #2211)

2022-10-03 Thread Demi Marie Obenour
> The details of the database format are OFF-LIMITS TO EXTERNAL USERS!
> 
> Sqlite is but one of the possible database formats. If you want to access the 
> rpm database, you do so through the librpm API.

Just because one should not access the rpmdb without going through librpm does 
not mean that one might not be curious about the actual rpmdb format.  I know I 
am!

-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/discussions/2211#discussioncomment-3788032


Re: [Rpm-maint] [rpm-software-management/rpm] How can I find details on the binary representation of the RPM DB? (Discussion #2211)

2022-10-02 Thread Panu Matilainen
The details of the database format are OFF-LIMITS TO EXTERNAL USERS!

If you want to access the rpm database, you do so through the librpm API.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/discussions/2211#discussioncomment-3784801


Re: [Rpm-maint] [rpm-software-management/rpm] How can I find details on the binary representation of the RPM DB? (Discussion #2211)

2022-09-30 Thread Shane Bishop
I found that, starting with RPM 4.16, RPM uses an SQLite database 
([reference](https://fedoraproject.org/wiki/Changes/RPM-4.16#Detailed_Description)).

From querying my local table, I see there are the following tables:
```
sqlite> .tables
Basenames Name  Sigmd5  
Conflictname  Obsoletename  Suggestname 
Dirnames  Packages  Supplementname  
Enhancename   Providename   Transfiletriggername
Filetriggername   Recommendname Triggername 
Group Requirename 
InstalltidSha1header  
```

I can look at the schemas of individual tables like so:
```
sqlite> .schema Name
CREATE TABLE IF NOT EXISTS 'Name' (key 'TEXT' NOT NULL, hnum INTEGER NOT NULL, 
idx INTEGER NOT NULL, FOREIGN KEY (hnum) REFERENCES 'Packages'(hnum));
CREATE INDEX 'Name_key_idx' ON 'Name'(key ASC);
```

Is there any documentation for what is stored in each table?

For example, it seems the `Name` table stores the names of all of the installed 
RPM packages, and from the schema for this table I can see that it has a 
foreign `hnum` key for the `Packages` table. But when I look at the `Packages` 
table, I can't make sense of the data, since it stores blobs:
```
sqlite> .schema Packages
CREATE TABLE IF NOT EXISTS 'Packages' (hnum INTEGER PRIMARY KEY 
AUTOINCREMENT,blob BLOB NOT NULL);
sqlite> select * from Packages limit 10;
1|
2|
3|
4|
5|
6|
7|
8|
9|
10|
```

-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/discussions/2211#discussioncomment-3775485
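The blobs in the `Packages` table that come out of `select * from Packages` as empty columns are the raw headers librpm's headerExport() writes: a big-endian pair of counts (il index entries, dl bytes of data store), il 16-byte index entries of tag/type/offset/count, then the data store; the other tables (`Name`, `Basenames`, ...) are just indexes that map a key back to an `hnum`. What follows is an added example, not rpm's code and not any scanner's: a Python reader that opens the sqlite file read-only, decodes that blob with the bounds checks that matter once the database comes from an untrusted image (the situation discussed elsewhere in the thread), and rebuilds file paths from BASENAMES/DIRNAMES/DIRINDEXES. The tag numbers and type codes are rpm's public ones from rpmtag.h; the size ceilings, the helper names and the sample package are constructed for this example, and the layout itself is, as the maintainer says, a private implementation detail rpm may change at will.

```python
import sqlite3
import struct

# Public tag numbers/type codes from rpm's rpmtag.h; the blob layout is rpm's private business.
NAME, VERSION, RELEASE, EPOCH, ARCH = 1000, 1001, 1002, 1003, 1022
DIRINDEXES, BASENAMES, DIRNAMES = 1116, 1117, 1118
REGION_TAGS = {61, 62, 63}  # HEADERIMAGE / HEADERSIGNATURES / HEADERIMMUTABLE
CHAR, STRING, BIN, STRING_ARRAY, I18NSTRING = 1, 6, 7, 8, 9
INTS = {2: ("B", 1), 3: ("H", 2), 4: ("I", 4), 5: ("Q", 8)}  # type -> struct code, size
INT32, ENTRY, MAX_ENTRIES, MAX_DATA = 4, 16, 0xFFFF, 256 * 1024 * 1024  # last two: assumed ceilings

class HeaderError(ValueError):
    """Any inconsistency rejects the whole blob; never use a partial parse."""

def parse_header(blob):
    """Decode an rpmdb Packages blob into {tag: value}, checking every offset."""
    il, dl = struct.unpack_from(">II", blob, 0) if len(blob) >= 8 else (0, 0)
    data_start, tags = 8 + il * ENTRY, {}
    if il == 0 or il > MAX_ENTRIES or dl > MAX_DATA or len(blob) != data_start + dl:
        raise HeaderError(f"inconsistent sizes: len={len(blob)} il={il} dl={dl}")
    for i in range(il):
        tag, typ, off, count = struct.unpack_from(">iIiI", blob, 8 + i * ENTRY)
        if tag in REGION_TAGS:
            continue  # 16-byte region trailer, carries no package data
        if not 0 <= off < dl or count == 0:
            raise HeaderError(f"tag {tag}: offset {off} / count {count} out of range")
        start = data_start + off
        if typ in INTS:
            code, size = INTS[typ]
            if off % size or off + size * count > dl:
                raise HeaderError(f"tag {tag}: misaligned or overlong integer data")
            tags[tag] = list(struct.unpack_from(f">{count}{code}", blob, start))
        elif typ in (STRING, STRING_ARRAY, I18NSTRING):
            if typ == STRING and count != 1:
                raise HeaderError(f"tag {tag}: STRING with count {count}")
            strs = _cstrings(blob, start, data_start + dl, count, tag)
            tags[tag] = strs[0] if typ == STRING else strs
        elif typ in (CHAR, BIN):
            if off + count > dl:
                raise HeaderError(f"tag {tag}: binary data runs past the store")
            tags[tag] = blob[start:start + count]
        else:
            raise HeaderError(f"tag {tag}: unknown type {typ}")
    return tags

def _cstrings(blob, pos, end, count, tag):
    out = []
    for _ in range(count):
        nul = blob.find(b"\0", pos, end)  # terminator must lie inside the store
        if nul < 0:
            raise HeaderError(f"tag {tag}: unterminated string")
        out.append(blob[pos:nul].decode("utf-8", "surrogateescape"))
        pos = nul + 1
    return out

def nevra(h):
    epoch = h.get(EPOCH, [0])[0]
    ev = f"{epoch}:{h[VERSION]}" if epoch else h[VERSION]
    return f"{h[NAME]}-{ev}-{h[RELEASE]}.{h[ARCH]}"

def file_list(h):
    """FILENAMES is not stored; rebuild paths from BASENAMES/DIRNAMES/DIRINDEXES."""
    bases, dirs, idx = h.get(BASENAMES, []), h.get(DIRNAMES, []), h.get(DIRINDEXES, [])
    if len(idx) != len(bases) or any(i >= len(dirs) for i in idx):
        raise HeaderError("BASENAMES/DIRNAMES/DIRINDEXES are inconsistent")
    return [dirs[i] + b for i, b in zip(idx, bases)]

def read_rpmdb(path):
    """Yield (hnum, header); mode=ro + immutable=1 never writes or creates -wal/-shm files."""
    con = sqlite3.connect(f"file:{path}?mode=ro&immutable=1", uri=True)
    try:
        for hnum, blob in con.execute("SELECT hnum, blob FROM Packages ORDER BY hnum"):
            yield hnum, parse_header(blob)
    finally:
        con.close()

def build_header(entries):
    """Serialise (tag, type, value) triples into the same layout (test fixture only)."""
    index, data = [], bytearray()
    for tag, typ, value in entries:
        if typ in INTS:
            code, size = INTS[typ]
            data.extend(b"\0" * (-len(data) % size))  # integers are size-aligned
            off, count = len(data), len(value)
            data.extend(struct.pack(f">{count}{code}", *value))
        else:  # STRING or STRING_ARRAY
            items = [value] if typ == STRING else value
            off, count = len(data), len(items)
            data.extend(b"".join(s.encode() + b"\0" for s in items))
        index.append(struct.pack(">iIiI", tag, typ, off, count))
    return struct.pack(">II", len(index), len(data)) + b"".join(index) + bytes(data)

SAMPLE = build_header([  # constructed sample package, not real rpm output
    (NAME, STRING, "example-lib"), (VERSION, STRING, "1.2.3"), (RELEASE, STRING, "4"),
    (ARCH, STRING, "noarch"), (EPOCH, INT32, [1]), (DIRINDEXES, INT32, [0, 0, 1]),
    (BASENAMES, STRING_ARRAY, ["libexample.so.1", "libexample.so.1.2.3", "example-lib"]),
    (DIRNAMES, STRING_ARRAY, ["/usr/lib64/", "/usr/share/licenses/"]),
])
```

`read_rpmdb("/mnt/image/var/lib/rpm/rpmdb.sqlite")` yields the decoded headers, and `nevra()` / `file_list()` give the views that the `Name`, `Basenames` and `Dirnames` index tables exist to speed up. Two caveats the thread implies: every check in `parse_header` is there because the blob may be attacker-controlled, and the SQLite library itself has already parsed attacker-controlled bytes before any of this runs, so for untrusted images the whole reader still belongs in a sandboxed, throwaway process; and sqlite is only one of rpm's database backends, so a database written by another backend needs a different reader.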


Re: [Rpm-maint] [rpm-software-management/rpm] How can I find details on the binary representation of the RPM DB? (Discussion #2211)

2022-09-30 Thread Panu Matilainen
That's the wrong end to be looking at, totally.

'rpm -q' with 
[--queryformat](https://rpm-software-management.github.io/rpm/manual/queryformat.html)
 gives you access to every single bit of data in the rpmdb.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/discussions/2211#discussioncomment-3769392
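The supported route the maintainer points at (`rpm -q` with a `--queryformat`, run against the image at build time the way script/rpm.daily runs daily) also yields the per-package file listing asked about earlier in the thread, without touching the database format. The following is an added example, not rpm's rpm.daily and not code from anyone in the thread: a Python wrapper that builds the rpm command for a database under an extracted rootfs and parses the queryformat output into a manifest. The field names, the JSON layout and the sample output are constructed here; the queryformat tags and the `%|EPOCH?{...}:{...}|` conditional are rpm's documented syntax. Caveat: this still runs librpm against that database inside the rpm process, so on an untrusted image it belongs in a sandbox, or it is run on the trusted image at build time as suggested.

```python
import json
import subprocess

# One record per package: a tab-separated header line, one line per file (the
# [...] iterates the FILENAMES array), then an empty line as the terminator.
# %|EPOCH?{...}:{0}| prints 0 where the package has no epoch instead of "(none)".
QUERYFORMAT = (
    "%{NAME}\t%|EPOCH?{%{EPOCH}}:{0}|\t%{VERSION}\t%{RELEASE}\t%{ARCH}\t%{SOURCERPM}\n"
    "[%{FILENAMES}\n]"
    "\n"
)
HEADER_FIELDS = ("name", "epoch", "version", "release", "arch", "sourcerpm")

def rpm_command(dbpath):
    """argv that queries the database at dbpath (for an extracted image,
    <rootfs>/var/lib/rpm).  --dbpath reads it in place without chroot(), so no
    root privileges are needed; librpm still parses that database in-process."""
    return ["rpm", "--dbpath", dbpath, "-qa", "--queryformat", QUERYFORMAT]

def parse_manifest(text):
    """Turn the queryformat output into a list of package dicts with file lists."""
    packages, current = [], None
    for line in text.split("\n"):
        if current is None:
            if not line:
                continue  # tolerate stray blank lines between records
            fields = line.split("\t")
            if len(fields) != len(HEADER_FIELDS):
                raise ValueError(f"malformed header line: {line!r}")
            current = dict(zip(HEADER_FIELDS, fields), files=[])
            current["epoch"] = int(current["epoch"])
        elif line == "":
            packages.append(current)  # record terminator
            current = None
        else:
            current["files"].append(line)
    if current is not None:  # output that ended without the final blank line
        packages.append(current)
    return packages

def write_manifest(dbpath, out_path):
    """Run rpm and store the manifest as JSON, e.g. from an image build step."""
    out = subprocess.run(rpm_command(dbpath), check=True, capture_output=True, text=True).stdout
    manifest = parse_manifest(out)
    with open(out_path, "w") as fh:
        json.dump(manifest, fh, indent=1)
    return manifest

# Constructed sample of what the query prints; not captured from a real system.
SAMPLE_OUTPUT = (
    "example-lib\t1\t1.2.3\t4\tx86_64\texample-lib-1.2.3-4.src.rpm\n"
    "/usr/lib64/libexample.so.1\n"
    "/usr/share/licenses/example-lib\n"
    "\n"
    "example-docs\t0\t1.2.3\t4\tnoarch\texample-lib-1.2.3-4.src.rpm\n"
    "\n"
)
```

`write_manifest("/var/lib/rpm", "/usr/share/image-manifest.json")` in a build step leaves a plain file inside the image that a scanner can read with no database parsing at all, which is the `/var/lib/dpkg/info/*.list`-style artifact asked for above. The record format is line-based, so a path containing a newline would need a different separator.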