[Rpm-maint] [rpm-software-management/rpm] Disallow most control characters in at least %summary, %description and %changelog (Issue #2742)
Based on the last [EPEL meeting](https://meetbot.fedoraproject.org/fedora-meeting/2023-11-01/epel.2023-11-01-20.00.log.html), where https://pagure.io/releng/issue/11751 was raised, I would like to suggest disallowing most control characters in at least `%summary`, `%description` and `%changelog` already in `rpmbuild`. Control characters like `^S` (023) unfortunately cause issues at `createrepo_c`, see e.g. https://github.com/rpm-software-management/createrepo_c/issues/327. Aside from that, various control characters in spec files are most likely always mistakes rather than intended, I would assume?

--
Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/issues/2742
You are receiving this because you are subscribed to this thread.
___
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] Add LMDB backend for RPMDB to RPM (from @n3npq in #281) (#291)
Is it intended that it's called `/data.mdb` rather than `/Packages.mdb`?

--
Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/pull/291#issuecomment-318894429
Re: [Rpm-maint] [rpm-software-management/rpm] Make 'rpm -V' more resistant against rpmdb manipulations (#196)
> Hmmm ... it's not clear what exploit is used (from just reading the file at
> the URL you gave).

I think "DIZZYTACHOMETER" doesn't exploit anything itself, but is just hiding e.g. a rootkit installation by manipulating the rpmdb based on already existing write permissions gained before. I didn't find the binary nor any source for "DIZZYTACHOMETER", but the way of usage makes me assume "regular" rpmdb manipulations, not an RPM-related security flaw.

> The provision in RPM for careful rootkit forensics is to use "rpm -Vp ..."
> from a CDROM (or other offline/immutable media).

Immutable media... something that is harder and harder to get when looking at Fedora or RHEL (the latter with CDN). Sometimes (e.g. at EPEL as a 3rd party repository) the RPM package has already been orphaned and thus removed from the repository when it comes to a verification case.

> This isn't an easy problem to solve.

Right, and I don't expect a quick solution. Just wild ideas: Blockchains for rpmdb? Optionally trusted (digital) timestamping for rpmdb? But yes, maybe also a further verification tool that somehow handles the situation that offline media is going away. I do not have a specific idea how this could be solved, finally.

--
Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/issues/196#issuecomment-292949590
[Rpm-maint] [rpm-software-management/rpm] Make 'rpm -V' more resistant against rpmdb manipulations (#196)
https://github.com/x0rz/EQGRP/blob/33810162273edda807363237ef7e7c5ece3e4100/Linux/doc/old/etc/user.mission.generic.COMMON.old refers to "DIZZYTACHOMETER", which is a tool to manipulate the rpmdb in order to avoid `rpm -V` reporting manipulated/changed/replaced binaries/files of installed RPM packages. While this is indeed nothing really new (on a technical level; I didn't personally see such a tool described in the wild), it still would be IMHO handy to make `rpm -V` more resistant against rpmdb manipulations in the future, whatever that would finally look like.

--
Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/issues/196
Re: [Rpm-maint] [rpm-software-management/rpm] RFE: Offer LMDB as an alternative engine to BDB for rpmdb (#128)
At https://bugzilla.redhat.com/show_bug.cgi?id=1086784, there also was a kind of discussion about that.

--
Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/issues/128#issuecomment-272750293