(slashdot) Package Managers As Achilles Heel

Mikkel L. Ellertson mikkel at infinity-ltd.com
Mon Aug 18 02:10:51 UTC 2008


Joel Rees wrote:
> Just being alarmist, here,
> 
> On Aug 18, 2008, at 5:42 AM, Mikkel L. Ellertson wrote:
> 
>> Björn Persson wrote:
>>> Mikkel L. Ellertson wrote:
>>>> Marcelo M. Garcia wrote:
>>>>> http://it.slashdot.org/article.pl?sid=08/07/10/227220&from=rss
>>>> Two things bother me about this. First of all, most users are not
>>>> using the same mirror all the time, so there would only be a brief
>>>> window that the system would be vulnerable. The second thing is that
>>>> yum is not going to install an older package, and the package
>>>> version is not dependent on the file name. It is part of the
>>>> information in the RPM. So they could delay the installation of an
>>>> update on some systems. By default, yum picks a mirror at random
>>>> from the mirror list to help spread the load on the mirrors.
>>>
>>> I found this in their FAQ:
>>>
>>> | Q: I use a service that distributes my requests to different
>>> mirrors for my
>>> | distribution (like MirrorManager). That means I'm not vulnerable,
>>> right?
>>>
>>> | A: The good aspect of these systems is that it may spread your
>>> requests
>>> | across multiple mirrors in the normal case. However, when testing
>>> some of
>>> | these systems, we were able to target the clients that used our
>>> mirror and
>>> | exclude them from using other mirrors. This means that if an
>>> attacker wants
>>> | to target your organization, these services may help the attacker
>>> do so.
>>>
>>> It's not clear whether Yum is vulnerable to getting locked to the
>>> malicious
>>> mirror, or how they did it.
>>>
>>> Björn Persson
>>>
>> By default, the mirror list is fetched from
>> http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-$releasever&arch=$basearch
>>
>> and a mirror is picked at random from the list. You can override the
>> mirror used with the fast-mirror plugin, or by editing the repo
>> configuration file. So yum is probably not one of the clients they
>> could do that to.
> 
> Can yum install something that would overwrite its own configuration file?
> 
Sure, if you have an RPM that overwrites the fedora-release RPM
(Fedora repo configs) or the yum RPM. Plus you can add repos
besides the Fedora ones. But the packages have to be signed with a
key you have installed, and be a newer version than the ones you
have. The signature is the hard part. If you modify the RPM, the
signature will no longer be valid. You need the Fedora private
key(s) to resign them. So while it can be done, it would not be easy
- you would have to convince the administrator to install the RPM
against proper security practices. You have to override yum to
install the bad package.

Mikkel
-- 

  Do not meddle in the affairs of dragons,
for thou art crunchy and taste good with Ketchup!
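The reply above rests on two repo settings: gpgcheck, which makes yum reject an RPM whose signature does not verify, and gpgkey, which pins the key it must verify against. The script below is an added example, not code from the thread or from Fedora; it audits .repo stanzas for an enabled repo that weakens either setting. The stanzas are constructed samples (the "third-party" repo and its host are hypothetical; the Fedora mirrorlist URL is the one quoted in the thread).

```python
"""Audit yum .repo text for enabled repos that disable signature checking,
pin no signing key, or fetch the key over plain http."""
import configparser

# Constructed sample: one stanza modelled on Fedora's, one deliberately weak.
SAMPLE_REPO = """
[fedora]
name=Fedora $releasever - $basearch
mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-$releasever&arch=$basearch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora

[third-party]
name=Hypothetical third-party repo (constructed)
baseurl=http://mirror.example.invalid/packages/
enabled=1
gpgcheck=0
gpgkey=http://mirror.example.invalid/RPM-GPG-KEY
"""


def audit_repo_text(text):
    """Return {repo_id: [findings]} for enabled repos with weak settings."""
    # interpolation=None so yum's $releasever / $basearch are left alone
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = {}
    for repo in cp.sections():
        sec = cp[repo]
        if sec.get("enabled", "1").strip() != "1":
            continue  # a disabled repo cannot be used to install anything
        problems = []
        # unset gpgcheck is treated as off here (yum's default when [main] sets none)
        if sec.get("gpgcheck", "0").strip() != "1":
            problems.append("gpgcheck disabled: a modified or unsigned RPM would be accepted")
        key = sec.get("gpgkey", "").strip()
        if not key:
            problems.append("no gpgkey: no signing key is pinned for this repo")
        elif key.startswith("http://"):
            # a key fetched over plain http from the mirror is only as
            # trustworthy as that mirror; Fedora ships its key locally
            problems.append("gpgkey fetched over plain http rather than a local file")
        if problems:
            findings[repo] = problems
    return findings


if __name__ == "__main__":
    for repo, problems in audit_repo_text(SAMPLE_REPO).items():
        print(repo)
        for p in problems:
            print("  -", p)
```

Point it at the contents of each file under /etc/yum.repos.d/ to check a real system; the Fedora stanza above passes and the constructed one is flagged twice.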
