(slashdot) Package Managers As Achilles Heel

Björn Persson bjorn at xn--rombobjrn-67a.se
Sun Aug 17 19:56:55 UTC 2008


Mikkel L. Ellertson wrote:
> Marcelo M. Garcia wrote:
> > http://it.slashdot.org/article.pl?sid=08/07/10/227220&from=rss
>
> Two things bother me about this. First of all, most users are not
> using the same mirror all the time, so there would only be a brief
> window that the system would be vulnerable. The second thing is that
> yum is not going to install an older package, and the package
> version is not dependent on the file name. It is part of the
> information in the RPM. So they could delay the installation of an
> update on some systems. By default, yum picks a mirror at random
> from the mirror list to help spread the load on the mirrors.

I found this in their FAQ:

| Q: I use a service that distributes my requests to different mirrors for my
| distribution (like MirrorManager). That means I'm not vulnerable, right? 

| A: The good aspect of these systems is that it may spread your requests
| across multiple mirrors in the normal case. However, when testing some of
| these systems, we were able to target the clients that used our mirror and
| exclude them from using other mirrors. This means that if an attacker wants
| to target your organization, these services may help the attacker do so.    

It's not clear whether Yum is vulnerable to getting locked to the malicious 
mirror, or how they did it.

Björn Persson
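Added example, not part of the list thread or of yum: a defender-side freshness and rollback check over repository metadata, illustrating how a client can notice the "delay the installation of an update" scenario discussed above even when it keeps landing on the same mirror. The repomd.xml fragment and all thresholds are constructed for the example; treating the data `<timestamp>` values as epoch seconds and remembering the last accepted `<revision>` are assumptions of this illustration, not a description of any particular package manager.

```python
"""Stale/rolled-back repository metadata check (constructed example)."""
import xml.etree.ElementTree as ET

# Constructed sample repomd.xml; real files carry more <data> entries.
SAMPLE_REPOMD = """<?xml version="1.0" encoding="UTF-8"?>
<repomd xmlns="http://linux.duke.edu/metadata/repo">
  <revision>1218900000</revision>
  <data type="primary"><timestamp>1218900000</timestamp></data>
  <data type="filelists"><timestamp>1218899990</timestamp></data>
</repomd>"""

NS = {"r": "http://linux.duke.edu/metadata/repo"}


def parse_repomd(repomd_xml: str):
    """Return (revision, newest data timestamp) from a repomd.xml document."""
    root = ET.fromstring(repomd_xml)
    rev = root.find("r:revision", NS)
    if rev is None or not (rev.text or "").strip().isdigit():
        raise ValueError("repomd.xml has no numeric <revision>")
    stamps = [int(t.text) for t in root.findall("r:data/r:timestamp", NS)
              if (t.text or "").strip().isdigit()]
    if not stamps:
        raise ValueError("repomd.xml has no <timestamp> entries")
    return int(rev.text), max(stamps)


def check_mirror(repomd_xml: str, last_seen_revision: int,
                 now: int, max_age: int):
    """Return (ok, reason).

    Rejects metadata whose revision is older than what this client already
    accepted (a mirror serving a replayed snapshot) and metadata older than
    max_age seconds (a mirror that has simply stopped receiving updates).
    Both cases keep a client from learning about newer packages.
    """
    revision, newest = parse_repomd(repomd_xml)
    if revision < last_seen_revision:
        return False, (f"rollback: mirror revision {revision} is older than "
                       f"last accepted revision {last_seen_revision}")
    age = now - newest
    if age > max_age:
        return False, f"stale: newest metadata is {age}s old (limit {max_age}s)"
    return True, "fresh"


if __name__ == "__main__":
    print(check_mirror(SAMPLE_REPOMD, 1218800000, 1218903600, 86400))
```

A client that records the last accepted revision and an expiry window turns a silently frozen mirror into a visible failure instead of a quiet lack of updates.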