rpm-software-management / rpm

The RPM package manager
http://rpm.org

invalid signature tag Archivesize on rpm packages created by install4j #1635

Closed openaudible closed 3 years ago

openaudible commented 3 years ago

Install4j is a popular installer maker. It appears that some or all RPMs created by them are not compatible with the latest rpm 4.16.1.3 installed with Fedora. rpm works as expected in versions 4.16.0 and earlier.

Example: rpm -qvvpR install4j_linux-x64_9_0_1.rpm returns error: run invalid signature tag Archivesize (1046)

Below is a simple Dockerfile that shows how to reproduce this:

# Dockerfile to demonstrate rpm bug with latest rpm or install4j
# To test, save this as "Dockerfile" and run:
# docker build -t testrpm . 
# to Debug in bash, docker run -it testrpm
FROM fedora:latest
WORKDIR /test
RUN yum -y install wget
RUN wget https://download-gcdn.ej-technologies.com/install4j/install4j_linux-x64_9_0_1.rpm
RUN echo "rpm -qvvpR install4j_linux-x64_9_0_1.rpm" > test.sh && chmod +x test.sh
# Run and ignore the expected error
RUN ./test.sh;exit 0
ENTRYPOINT ["/bin/bash"]

This was found by a user in issue: https://github.com/openaudible/openaudible/issues/603

A work-around for this is to downgrade rpm from 4.16.1.3 to 4.16.0 with the simple command: yum downgrade rpm which you can also test by running the above docker:

docker run -it testrpm
./test.sh # fail
yum -y downgrade rpm
./test.sh # success

These are reproducible using the "latest" versions as of 4/13/2021.

pmatilai commented 3 years ago

Yup, it's a regression introduced in 4.15.1.1 and 4.16.1.3.

Archivesize (1046) generally only exists in the main header in rpm v3 packages (a very nearly extinct species) which is how this got through. install4j is not a v3 package but a different kind of peculiarity, but we'll need to allow this as long as v3 packages are supported. Will fix.
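An added example, not code from the rpm project or from anyone in this thread: a small Python script that reads only the 96-byte RPM lead and the signature header and reports whether tag 1046 (Archivesize) is present there, which is the condition that makes rpm 4.16.1.3 reject a package with the error quoted above. It lets an administrator triage which .rpm files are affected before installing anything, instead of downgrading rpm. The header layout (lead magic, header magic, big-endian index entries of tag/type/offset/count, 8-byte padding of the signature header) follows the RPM package format; the tag-name table is a readability aid, and build_sample() constructs a synthetic lead plus signature header with dummy values so the script runs offline.

```python
"""Added example: list the tags in an RPM's signature header and flag tag 1046.

Stand-alone illustration, not rpm project code. Only the lead and the
signature header are parsed, so it works on a truncated download as long
as those first few hundred bytes are present.
"""
import struct
import sys

LEAD_MAGIC = b"\xed\xab\xee\xdb"      # rpmlead magic
LEAD_SIZE = 96                         # the lead is a fixed 96 bytes
HEADER_MAGIC = b"\x8e\xad\xe8\x01"     # header magic followed by version byte 1
ARCHIVESIZE_TAG = 1046                 # RPMTAG_ARCHIVESIZE, the tag named in the error
RPM_INT32_TYPE = 4                     # index entry type for 32-bit integers

# Well-known signature-header tag numbers, only used to make output readable.
SIG_TAG_NAMES = {
    1000: "Size", 1002: "Pgp", 1004: "Md5", 1005: "Gpg", 1007: "Payloadsize",
    267: "Dsaheader", 268: "Rsaheader", 269: "Sha1header", 273: "Sha256header",
    1046: "Archivesize",
}


def parse_header(buf, off):
    """Parse one RPM header structure at buf[off:]; return (index entries, end offset)."""
    if buf[off:off + 4] != HEADER_MAGIC:
        raise ValueError("no header magic at offset %d" % off)
    # 4 reserved bytes follow the magic, then index count and data-region size.
    nindex, hsize = struct.unpack(">II", buf[off + 8:off + 16])
    index_start = off + 16
    data_start = index_start + 16 * nindex
    end = data_start + hsize
    if end > len(buf):
        raise ValueError("header runs past end of input (truncated file?)")
    entries = []
    for i in range(nindex):
        p = index_start + 16 * i
        tag, typ, offset, count = struct.unpack(">IIII", buf[p:p + 16])
        if offset > hsize:
            raise ValueError("index entry %d points outside the data region" % i)
        entries.append((tag, typ, offset, count))
    return entries, end


def signature_tags(rpm_bytes):
    """Return the tag numbers present in the signature header, in index order."""
    if rpm_bytes[:4] != LEAD_MAGIC:
        raise ValueError("not an RPM: bad lead magic")
    entries, _end = parse_header(rpm_bytes, LEAD_SIZE)
    return [tag for tag, _typ, _off, _count in entries]


def has_archivesize_in_sighdr(rpm_bytes):
    """True when tag 1046 sits in the signature header, the case reported in this issue."""
    return ARCHIVESIZE_TAG in signature_tags(rpm_bytes)


def build_sample(with_archivesize):
    """Constructed lead + signature header with dummy values; not a real package."""
    lead = LEAD_MAGIC + bytes([3, 0]) + struct.pack(">HH", 0, 1)        # major, minor, type, arch
    lead += b"sample-1.0-1".ljust(66, b"\0")                            # name field
    lead += struct.pack(">HH", 1, 5) + b"\0" * 16                       # os, sigtype, reserved
    assert len(lead) == LEAD_SIZE
    tags = [1000] + ([ARCHIVESIZE_TAG] if with_archivesize else [])
    index = b"".join(struct.pack(">IIII", t, RPM_INT32_TYPE, 4 * i, 1)
                     for i, t in enumerate(tags))
    data = b"".join(struct.pack(">I", 1234 + i) for i in range(len(tags)))
    header = HEADER_MAGIC + b"\0" * 4 + struct.pack(">II", len(tags), len(data)) + index + data
    header += b"\0" * (-len(header) % 8)   # signature header is padded to an 8-byte boundary
    return lead + header


if __name__ == "__main__":
    # Usage: python check_sigtags.py some-package.rpm   (no argument: use the built sample)
    if len(sys.argv) == 2:
        with open(sys.argv[1], "rb") as f:
            blob = f.read()
    else:
        blob = build_sample(with_archivesize=True)
    for tag in signature_tags(blob):
        print("signature tag %d (%s)" % (tag, SIG_TAG_NAMES.get(tag, "unknown")))
    print("carries Archivesize (1046) in signature header:", has_archivesize_in_sighdr(blob))
```

Run it against the install4j package to confirm the diagnosis; a package that prints False for the last line is failing for some other reason and should be checked with rpm -K rather than assumed to be this regression.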

sshedi commented 3 years ago

Hi @pmatilai - any updates on this issue? It will be really helpful if it's fixed soon.

techpavan commented 3 years ago

+1

neingeist commented 3 years ago

I also have this problem with this software: https://download.mediathekview.de/stabil/MediathekView-latest-linux.rpm

(I haven't checked, but it's Java, so I suspect Install4J here, too)

techpavan commented 3 years ago

@pmatilai Could you please share if any ETA on the fix? If this takes longer, we can implement workarounds to downgrade in our applications rather than waiting for the actual fix.

DemiMarie commented 3 years ago

@pmatilai Could you please share if any ETA on the fix? If this takes longer, we can implement workarounds to downgrade in our applications rather than waiting for the actual fix.

Please do not downgrade; this exposes you to a severe security hole (CVE-2021-20271) that allows for signature verification bypass and remote code execution. I will make a PR here, but please file a support ticket with install4j.

techpavan commented 3 years ago

@DemiMarie Thanks for the quick action. We are not direct consumers of install4j, but we consume a few packages which run into this issue. Will have to probably wait for any install4j consumers to report it.

DemiMarie commented 3 years ago

@DemiMarie Thanks for the quick action. We are not direct consumers of install4j, but we consume a few packages which run into this issue. Will have to probably wait for any install4j consumers to report it.

You’re welcome @techpavan!

openaudible commented 3 years ago

Install4j has fixed the issue on version 9.0.2 and higher. But not a free upgrade for many.

Software that uses the install4j installer often also includes a .sh download that can be run with -q to run it without the UI.

sshedi commented 3 years ago

@DemiMarie thanks a lot for the fix. Any reasons behind why it is not yet merged?

DemiMarie commented 3 years ago

@DemiMarie thanks a lot for the fix. Any reasons behind why it is not yet merged?

The RPM project is bottlenecked on code reviews. #1677 and #1672 have not been reviewed either, and both fix legitimate security vulnerabilities.

pmatilai commented 3 years ago

We're bottlenecked on all manner of things, and submitting more PRs is not always the best way to help.

sshedi commented 3 years ago

Hi @pmatilai - can you please review and take this fix on priority? This is a blocker for us.

pmatilai commented 3 years ago

Regressions are always a priority. It's just that the world is full of priorities too. One should not think that honking the horn here will get some dark corner fixed any faster.

sshedi commented 3 years ago

Thanks a lot @pmatilai, have a nice time ahead. :)