Re: (slashdot)Package Managers As Achilles Heel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Just being alarmist, here,

On Aug 18, 2008, at 5:42 AM, Mikkel L. Ellertson wrote:


Björn Persson wrote:

Mikkel L. Ellertson wrote:

Marcelo M. Garcia wrote:

http://it.slashdot.org/article.pl?sid=08/07/10/227220&from=rss

Two things bother me about this. First of all, most users are not
using the same mirror all the time, so there would only be a brief
window that the system would be vulnerable. The second thing is that
yum is not going to install an older package, and the package
version is not dependent on the file name. It is part of the
information in the RPM. So they could delay the installation of an
update on some systems. By default, yum picks a mirror at random
from the mirror list to help spread the load on the mirrors.


I found this in their FAQ:
| Q: I use a service that distributes my requests to different mirrors for my | distribution (like MirrorManager). That means I'm not vulnerable, right?
| A: The good aspect of these systems is that it may spread your requests | across multiple mirrors in the normal case. However, when testing some of | these systems, we were able to target the clients that used our mirror and | exclude them from using other mirrors. This means that if an attacker wants | to target your organization, these services may help the attacker do so.
It's not clear whether Yum is vulnerable to getting locked to the malicious 
mirror, or how they did it.

Björn Persson


By default, the mirrir list is fetched from
http://mirrors.fedoraproject.org/mirrorlist?repo=fedora- $releasever&arch=$basearch 
and a mirror is picked at random from the list. You can override the
mirror used with the fast-mirror plugin, or by editing the repo
configuration file. So yum is probably not one of the clients they
could do that to.
Can yum install something that would overwrite its own configuration file? 


Now, if you used a DNS bug to hijack
mirrors.fedoraproject.org, then you could lock in the mirror used by
suppling a list that only contained pointers to the malicious mirror.

Mikkel
--

  Do not meddle in the affairs of dragons,
for thou art crunchy and taste good with Ketchup!

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list



--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux