On Wed, 04 Aug 2010 22:03:14 +0200
Till Maas <opensource(a)till.name> wrote:
> On Wed, Aug 04, 2010 at 09:42:01AM -0700, Adam Williamson wrote:
> > I suspect it might short-circuit the 'ahhh, but what about...'
> > 'oooh, but then I can...' nature of the conversation if you just
> > put together a proof-of-concept attack and document it somewhere. I
> > suspect the git maintainers might be interested at that point as
> > well. :)
> The attack is quite trivial:
> 1) clone the git pkg Fedora repos
> 2) commit some nasty change
> 3) publish the repo on some server
> 4) if the victim wants to fetch from the Fedora pkg repo, use the MITM
> attack to make him fetch from the server set up in step 3. Steps 1-3
> can obviously be done on-demand.
> If this is e.g. done on a conference / FUDCon / Fedora Action Day, the
> attack can easily be targeted to make the change in step 2 be expected to
> be fast forward. E.g. if packages simply need to be bumped for a
> rebuild, an upload of a bad tarball and modification of the sources
> file might be unnoticed.
Just to clarify, as this is a long thread:
This only works if people are using git:// urls, not the default for
fedora ssh: ones, right? (provided you have connected before to
pkgs.fedoraproject.org and have the known_hosts entry?)
kevin
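
Added example, not part of the original thread: a shell check for the transport distinction raised in the reply above. It flags fetch remotes whose URL scheme does not authenticate the server (git://, http://, ftp://). The example.org URLs and the function names are constructed for illustration.

```sh
#!/bin/sh
# Added example: classify git remote URLs by transport (names are hypothetical).
# classify_url URL: prints authenticated, unauthenticated, local or unknown.
# "authenticated" assumes ssh already has the host's key in known_hosts
# and https certificate checks are on (http.sslVerify not set to false).
classify_url() {
    case "$1" in
        ssh://*|git+ssh://*|ssh+git://*|https://*) echo authenticated ;;
        git://*|http://*|ftp://*) echo unauthenticated ;;
        file://*) echo local ;;
        *://*) echo unknown ;;
        *:*)
            # scp-like [user@]host:path means ssh, but only when the
            # first colon comes before any slash; otherwise it is a path.
            case "${1%%:*}" in
                */*) echo local ;;
                *) echo authenticated ;;
            esac ;;
        *) echo local ;;
    esac
}

# audit_remotes: reads `git remote -v` style lines on stdin, prints
# "name url" for each unauthenticated fetch remote, returns 1 if any.
audit_remotes() {
    found=0
    while read -r name url kind; do
        [ "$kind" = "(fetch)" ] || continue
        if [ "$(classify_url "$url")" = unauthenticated ]; then
            echo "$name $url"
            found=1
        fi
    done
    return "$found"
}

# Constructed sample in the format `git remote -v` prints.
sample_remotes() {
    printf 'origin\tssh://user@example.org/pkg.git (fetch)\n'
    printf 'origin\tssh://user@example.org/pkg.git (push)\n'
    printf 'mirror\tgit://example.org/pkg.git (fetch)\n'
    printf 'mirror\tgit://example.org/pkg.git (push)\n'
    printf 'work\tuser@example.org:pkg.git (fetch)\n'
}

# In a real checkout: git remote -v | audit_remotes
sample_remotes | audit_remotes || echo "unauthenticated fetch remotes listed above"
```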