On Tue, 26 Jul 2011, Joe Pruett wrote:

> On 07/26/2011 08:31 AM, Joe Pruett wrote:
>
>> i have done some strace'ing and it is dying while reading
>> /var/cache/yum/rpmforge/primary.xml.gz. i have externally tested that
>> file and can gunzip it just fine and xmllint doesn't find any issues
>> either, so it would appear to be the data itself. i'll do a bit more
>> poking to see if i can track down anything further.
>
> i am loading debuginfo packages and some stack trace clues are pointing
> to mhash-devel missing checksum data. the xml has:
> <checksum type="sha" pkgid="YES"></checksum>
>
> could that be the issue?
On #yum apparently the issue is caused by one (or more) bugs in createrepo when using --update. This is indeed something we introduced in May when we migrated the server from CentOS-4 to RHEL5 and the new createrepo did have the --update option.

Unfortunately this exploit is part of RHEL5, both createrepo and yum-metadata-parser.

Now, the yum developers don't consider this a bug, because it cannot be exploited if the repository metadata is signed. (That is, if the exploiter is not able to sign the metadata.)

I don't agree with this; yum segfaulting is something that should be fixed, regardless of how people are using it.

Anyone interested in reporting this to get a CVE? ;-)

--
-- dag wieers, [email protected], http://dag.wieers.com/
-- dagit linux solutions, [email protected], http://dagit.net/
[Any errors in spelling, tact or fact are transmission errors]

_______________________________________________
users mailing list
[email protected]
http://lists.repoforge.org/mailman/listinfo/users
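Added example, not part of the thread and not code from yum or createrepo: a small pre-flight checker that flags packages in a primary.xml whose pkgid checksum element is empty, the condition the stack traces pointed to. The sample metadata is constructed here; the xmlns is assumed to be the one createrepo writes, but the check ignores namespaces anyway.

```python
import gzip
import xml.etree.ElementTree as ET

# Constructed sample modelled on a createrepo primary.xml: one healthy
# package and one with the empty <checksum> element the thread describes.
# The xmlns value is an assumption; the checker does not depend on it.
SAMPLE_PRIMARY_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<metadata xmlns="http://linux.duke.edu/metadata/common" packages="2">
  <package type="rpm">
    <name>good-pkg</name>
    <checksum type="sha" pkgid="YES">0123456789abcdef0123456789abcdef01234567</checksum>
  </package>
  <package type="rpm">
    <name>mhash-devel</name>
    <checksum type="sha" pkgid="YES"></checksum>
  </package>
</metadata>
"""


def _local(tag):
    """Strip the XML namespace so the check works whatever xmlns was used."""
    return tag.rsplit("}", 1)[-1]


def find_bad_checksums(primary_xml_bytes):
    """Return (package_name, reason) for every package whose pkgid checksum
    element is missing or has no text. A consumer that assumes the text is
    present (as the thread reports yum-metadata-parser does) will misbehave
    on exactly these entries, so reject the metadata before using it."""
    root = ET.fromstring(primary_xml_bytes)
    bad = []
    for pkg in root:
        if _local(pkg.tag) != "package":
            continue
        name = next((c.text for c in pkg if _local(c.tag) == "name"), "<unnamed>")
        checksum = next((c for c in pkg if _local(c.tag) == "checksum"), None)
        if checksum is None:
            bad.append((name, "no <checksum> element"))
        elif not (checksum.text or "").strip():
            bad.append((name, "empty <checksum type=%r>" % checksum.get("type")))
    return bad


def check_primary_gz(path):
    """Validate an on-disk primary.xml.gz (e.g. from /var/cache/yum) before
    handing it to the metadata parser."""
    with gzip.open(path, "rb") as fh:
        return find_bad_checksums(fh.read())


if __name__ == "__main__":
    for name, reason in find_bad_checksums(SAMPLE_PRIMARY_XML):
        print("%s: %s" % (name, reason))
```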
