{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/rpm/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["pyp2spec (\u003c 0.14.1)"],"_cs_severities":["high"],"_cs_tags":["code-injection","supply-chain","rpm","linux"],"_cs_type":"advisory","_cs_vendors":["pip","Fedora"],"content_html":"\u003cp\u003epyp2spec, a tool for generating RPM spec files from PyPI packages, contains a code injection vulnerability affecting versions prior to 0.14.1. The vulnerability stems from the tool\u0026rsquo;s failure to properly escape RPM macro directives when writing PyPI package metadata (such as the summary field) into the generated spec file. This allows a malicious PyPI package to inject arbitrary commands into the spec file, which are then executed when an RPM tool processes the file. This poses a significant risk to package maintainers and build systems, particularly within the Fedora ecosystem where compromised credentials can lead to widespread supply chain attacks. The realistic attack vector involves typosquatting or targeting packages known to be under review.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious PyPI package containing specially formatted metadata, including an RPM macro directive (e.g., within the package summary).\u003c/li\u003e\n\u003cli\u003eA Fedora packager, intending to package a legitimate Python package, uses \u003ccode\u003epyp2spec\u003c/code\u003e to generate an RPM spec file from the malicious PyPI package.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003epyp2spec\u003c/code\u003e writes the attacker-controlled metadata, including the unescaped RPM macro directive, into the generated spec file.\u003c/li\u003e\n\u003cli\u003eThe packager, or an automated system, uses an RPM tool like \u003ccode\u003erpmbuild -bs\u003c/code\u003e, \u003ccode\u003erpmbuild --nobuild\u003c/code\u003e, or \u003ccode\u003erpm -q --specfile\u003c/code\u003e to inspect or build the package from the spec file.\u003c/li\u003e\n\u003cli\u003eThe RPM tool parses the spec file and, upon encountering the RPM macro directive, executes the embedded command.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s command executes on the build machine, potentially granting the attacker access to the packager\u0026rsquo;s credentials (dist-git SSH keys, Koji build credentials, Bodhi update credentials).\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised credentials to commit malicious source code to the distribution\u0026rsquo;s Git repository (dist-git).\u003c/li\u003e\n\u003cli\u003eThe malicious code is built and distributed to end users through the normal package update pipeline, resulting in a supply chain attack.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to execute arbitrary commands on the build machine. This can lead to the compromise of sensitive credentials, such as SSH keys and build system credentials. In the Fedora ecosystem, this could enable an attacker to inject malicious code into packages that are distributed to end users, potentially affecting millions of systems. The vulnerability poses a high risk to package maintainers and build systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to \u003ccode\u003epyp2spec\u003c/code\u003e version 0.14.1 or later to remediate the code injection vulnerability as described in the advisory (\u003ca href=\"https://github.com/advisories/GHSA-r35x-v8p8-xvhw)\"\u003ehttps://github.com/advisories/GHSA-r35x-v8p8-xvhw)\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eImplement file integrity monitoring on RPM spec files, alerting on unexpected modifications, to detect potentially malicious injected code. Use file_event logs with a rule like the one below.\u003c/li\u003e\n\u003cli\u003eMonitor process executions originating from RPM tools (\u003ccode\u003erpmbuild\u003c/code\u003e, \u003ccode\u003erpm\u003c/code\u003e), focusing on unusual or unexpected commands that could indicate exploitation, using process_creation logs and the Sigma rule provided.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-pyp2spec-code-injection/","summary":"pyp2spec before 0.14.1 is vulnerable to code injection by writing PyPI package metadata into generated spec files without escaping RPM macro directives, allowing malicious packages to execute arbitrary commands on the build machine.","title":"pyp2spec Code Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-pyp2spec-code-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — Rpm","version":"https://jsonfeed.org/version/1.1"}