View Issue Details

ID: 0018260
Project: CentOS-7
Category: kernel
View Status: public
Last Update: 2021-08-04 00:48
Reporter: swagh
Assigned To:
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: no change required
Summary: 0018260: Inclusion of kernel-3.10.0-1160.36.2.el7.x86_64.rpm to remediate CVE-2021-33909 causes ISO reboot
Description:
Inclusion of the latest kernel provided by CentOS as part of https://access.redhat.com/errata/RHSA-2021:2725 advisory on the ISO causes the installation to fail after rpms are installed via kspackages during kickstart's preinstall phase and anaconda-yum is running.

After we see the following message on console, the system reboots:
Performing post-installation tasks

Further digging into /tmp/program.log and /tmp/anaconda.log reveals that anaconda-yum python tool fails with the following message:
PackageSackError: Rpmdb checksum is invalid: dCDPT(pkg checksums): grubby.x86_64: 0:8.28-26.el7
Additional Information:
This issue does not happen with any of the previous kernels during fresh installation.
This is also not seen if an existing centos 7.9 system is being upgraded using this kernel rpm.
Only the kernel rpm has been included from the list of rpms released by CentOS to fix the security vulnerability from CVE-2021-33909.

Tags: centos7, kernel, Linux, security-vulnerability

Activities

swagh (reporter), 2021-07-27 18:34

ManuelWolfshant (manager), 2021-08-02 12:03, ~0038556

That error rhymes a lot with a corrupted rpm. Are you sure that the file is OK?

swagh (reporter), 2021-08-02 16:46, ~0038557

Thanks for your response @ManuelWolfshant.
I have checked the PGP signatures and md5sums for grubby and kernel rpm packages included on our ISO and the ones from the two different CentOS mirrors. They match. So it feels unlikely that the rpm is corrupted, especially since we have been using the same grubby rpm in our previous ISO builds successfully.
http://mirror.centos.org/centos/7/
https://mirrors.ocf.berkeley.edu/centos/7.9.2009/
In addition, the above error only happens when the kernel rpm is updated to kernel-3.10.0-1160.36.2.el7.x86_64.rpm. The previous two kernels kernel-3.10.0-1160.31.1.el7.x86_64.rpm and kernel-3.10.0-1160.25.1.el7.x86_64.rpm, included along with the same grubby rpm (grubby-8.28-26.el7.x86_64.rpm), do not cause such failure in anaconda (version 21.48.22.159-1).

TrevorH (manager), 2021-08-02 16:48, ~0038558

Wait. You're respinning the ISOs with a newer kernel? Don't do that. Add a new repo in your kickstart file with just the kernel packages in it. Leave the ISO alone. Modifying it renders the entire thing unsupported.
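
One way to follow the advice in the comment above, shown as an added example that is not part of the ticket and not CentOS tooling: verify the kernel rpms with `rpm -K`, index them with `createrepo`, and emit the kickstart `repo` line for the side repository. The directory, repo name and URL are placeholders, and the accepted URL schemes are an assumption of this example.

```shell
#!/bin/sh
# Added example. Function names, paths, repo name and URL are hypothetical.

# Check digests and signatures of every rpm in a directory with `rpm -K`.
# Returns 1 if any package fails, 2 if the directory holds no rpms.
verify_rpms() {
    dir=$1
    failed=0
    for pkg in "$dir"/*.rpm; do
        [ -e "$pkg" ] || { echo "no rpms in $dir" >&2; return 2; }
        if ! rpm -K "$pkg" >/dev/null 2>&1; then
            echo "FAILED: $pkg" >&2
            failed=1
        fi
    done
    return "$failed"
}

# Print the kickstart line that adds the side repo next to the stock ISO repo.
# Rejects names or URLs that could smuggle extra options into the line.
ks_repo_line() {
    name=$1
    url=$2
    case $name in
        *[!A-Za-z0-9_-]*|'') echo "invalid repo name" >&2; return 1 ;;
    esac
    case $url in
        *[[:space:]]*) echo "whitespace in baseurl" >&2; return 1 ;;
        http://*|https://*|ftp://*|file://*) ;;
        *) echo "unsupported baseurl: $url" >&2; return 1 ;;
    esac
    printf 'repo --name=%s --baseurl=%s\n' "$name" "$url"
}

# Verify, index, then print the kickstart line. Needs rpm and createrepo.
build_side_repo() {
    dir=$1; name=$2; url=$3
    verify_rpms "$dir" || return 1
    createrepo --quiet "$dir" || return 1
    ks_repo_line "$name" "$url"
}
```

Calling `build_side_repo /srv/kernel-updates kernel-updates http://repo.example.internal/kernel-updates/` on a build host prints the line to paste into the kickstart file, and stops before indexing if any package fails verification.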

swagh (reporter), 2021-08-02 17:07, ~0038559

Hi @TrevorH. We aren't respinning ISOs by just replacing the kernel (or any other) rpm. We are creating a repo using corresponding comps.xml and other essential steps in the process. This ISO build approach has worked for as long as I can recall, so I'm curious to know why the inclusion of this specific patched kernel alone runs into this error.

ManuelWolfshant (manager), 2021-08-03 08:09, ~0038563

Last edited: 2021-08-03 08:10

I am afraid we cannot really help you. We only support what we ship and specifically do not support either cherry picking updates or respinning ISOs.
You could try to raise the problem with Red Hat via bugzilla.redhat.com but I am very much afraid you will receive the same answer.
Normally I'd close the ticket at this point but I find the issue intriguing and I will leave it open in case someone has useful ideas. I for one still believe you have a damaged rpm in there.

swagh (reporter), 2021-08-04 00:43, ~0038567

Thanks for the help. It appears the problem disappeared when we updated a bunch of other rpms, so we're able to proceed for now & could close this ticket. It does not look like grubby rpm was at fault here, but would have definitely liked to understand the root cause of where the corruption could have happened or if there was some unfulfilled dependency that misled to this error.
For reference, here is the list of new rpms updated along with kernel which resolved the issue:
-dhclient-4.2.5-83.el7.centos.1
-dhcp-common-4.2.5-83.el7.centos.1
-dhcp-libs-4.2.5-83.el7.centos.1
-glib2-2.56.1-9.el7_9
-kernel-3.10.0-1160.36.2.el7
-kexec-tools-2.0.15-51.el7_9.3
-libsss_autofs-1.16.5-10.el7_9.8
-libsss_certmap-1.16.5-10.el7_9.8
-libsss_idmap-1.16.5-10.el7_9.8
-libsss_nss_idmap-1.16.5-10.el7_9.8
-libsss_sudo-1.16.5-10.el7_9.8
-python-sssdconfig-1.16.5-10.el7_9.8
-sssd-client-1.16.5-10.el7_9.8
-sssd-common-1.16.5-10.el7_9.8
-sssd-krb5-common-1.16.5-10.el7_9.8
-sssd-ldap-1.16.5-10.el7_9.8
-sssd-proxy-1.16.5-10.el7_9.8
-unzip-6.0-22.el7_9

Issue History

Date Modified Username Field Change
2021-07-27 18:34 swagh New Issue
2021-07-27 18:34 swagh Tag Attached: centos7
2021-07-27 18:34 swagh Tag Attached: kernel
2021-07-27 18:34 swagh Tag Attached: Linux
2021-07-27 18:34 swagh Tag Attached: security-vulnerability
2021-07-27 18:34 swagh File Added: Screen Shot 2021-07-23 at 11.15.54 AM.png
2021-08-02 12:03 ManuelWolfshant Note Added: 0038556
2021-08-02 16:46 swagh Note Added: 0038557
2021-08-02 16:48 TrevorH Note Added: 0038558
2021-08-02 17:07 swagh Note Added: 0038559
2021-08-03 08:09 ManuelWolfshant Note Added: 0038563
2021-08-03 08:10 ManuelWolfshant Note Edited: 0038563
2021-08-04 00:43 swagh Note Added: 0038567
2021-08-04 00:48 ManuelWolfshant Status new => closed
2021-08-04 00:48 ManuelWolfshant Resolution open => no change required