Re: 0-day exploit in anaconda

On 08/17/2012 03:53 PM, John Reiser wrote:
Last night and this morning, I ran Fedora 18-Alpha-TC3 netinst.iso (x86_64)
burned to DVD, and met the bug https://bugzilla.redhat.com/show_bug.cgi?id=849211.
About 40 minutes ago, I re-ran the DVD but the bug had been fixed.

I never explicitly approved any Fedora 18 package signing key.
I believe that none (zero) of the current "Fedora 18" [rawhide] packages have been signed.
The download files from directory link
    http://dl.fedoraproject.org/pub/alt/stage/18-Alpha-TC3/Fedora/x86_64/iso/
are not accessed by the secure protocol
    https:// .
There is a *-CHECKSUM given, but it is not signed, either.

The fix for the bug 849211 was automatically downloaded and installed, insecurely.
That's just a short step away from a 0-day exploit in the installer.


What evidence do you have that anything was downloaded and installed? Are you sure it wasn't just a transient or timing bug that didn't happen a second time around? Or there was some unknown trigger that is different the second time around? Please show us some sort of evidence of any sort of download and application of updated content for the installer.

The only mechanism we have in place for that is updates images, which you have to explicitly ask for.

Putting aside that question, the packages for F18 are indeed signed.

--
Jesse Keating
Fedora -- Freedom² is a feature!
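The thread turns on what a *-CHECKSUM file can and cannot prove. The following is an added example, not code from either poster or from the Fedora project: a small verifier for CHECKSUM files in the BSD-style "SHA256 (name) = digest" line format (assumed here; the file names and payloads are constructed stand-ins, not real images). It reports each listed file as OK, FAILED or MISSING.

```python
"""Verify downloads against a *-CHECKSUM file (added example, not from the thread).

Assumes the BSD-style line format  'SHA256 (filename) = hexdigest'.
The file names and contents built in demo() are constructed stand-ins.
"""
import hashlib
import os
import re
import tempfile

# One CHECKSUM line: algorithm, file name in parentheses, hex digest.
LINE_RE = re.compile(r"^(SHA256|SHA512|SHA1|MD5)\s+\((.+)\)\s*=\s*([0-9a-fA-F]+)\s*$")


def parse_checksum_file(text):
    """Return {filename: (algorithm, hexdigest)}; blank and '#' comment lines are skipped."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unrecognised CHECKSUM line: %r" % line)
        algo, name, digest = m.groups()
        entries[name] = (algo.lower(), digest.lower())
    return entries


def digest_file(path, algo, chunk=1 << 20):
    """Hash a file in 1 MiB chunks so large ISOs do not need to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_directory(directory, checksum_text):
    """Return {filename: 'OK' | 'FAILED' | 'MISSING'} for every CHECKSUM entry."""
    results = {}
    for name, (algo, expected) in parse_checksum_file(checksum_text).items():
        path = os.path.join(directory, os.path.basename(name))
        if not os.path.isfile(path):
            results[name] = "MISSING"
        elif digest_file(path, algo) == expected:
            results[name] = "OK"
        else:
            results[name] = "FAILED"
    return results


def demo():
    """Build a constructed download directory and verify it; returns the result map."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed stand-in for a downloaded image.
        good = os.path.join(d, "example-netinst.iso")
        with open(good, "wb") as f:
            f.write(b"constructed ISO payload\n" * 1000)
        # Constructed stand-in whose last line was altered after the CHECKSUM was made.
        tampered = os.path.join(d, "example-tampered.iso")
        with open(tampered, "wb") as f:
            f.write(b"constructed ISO payload\n" * 999 + b"altered\n")
        good_digest = digest_file(good, "sha256")
        checksum_text = (
            "# constructed CHECKSUM file\n"
            "SHA256 (example-netinst.iso) = %s\n" % good_digest
            + "SHA256 (example-tampered.iso) = %s\n" % good_digest  # digest of the unaltered file
            + "SHA256 (example-absent.iso) = %s\n" % ("0" * 64)
        )
        return verify_directory(d, checksum_text)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print("%-24s %s" % (name, status))
```

A matching digest only shows that the file on disk is the one the CHECKSUM file describes. If both were fetched over plain HTTP and the CHECKSUM file carries no signature that has been checked against a trusted key, the pair proves nothing about who produced them, which is the gap the original message points at; the signature check on the CHECKSUM file is a separate step this example does not perform.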

_______________________________________________
Anaconda-devel-list mailing list
Anaconda-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/anaconda-devel-list


