On 2012-08-18 12:39, Jesse Keating wrote:
> On 08/17/2012 07:33 PM, John Reiser wrote:
>> After further review, I agree that such an exploit almost certainly
>> did *not* happen to me today. I have no direct evidence that it did.
>> I was not running a network sniffer at the time, any logs were erased
>> because of early termination of the install, I am not running secure DNS
>> and have not audited my DNS recently, etc. [Also, if the exploit were
>> really good, then logs would have been whitewashed, etc.]
>> Other factors ("transient events", logic bugs, etc.) are sufficient
>> to explain the behavior that I observed. I apologize for any
>> unnecessary alarm that my post may have caused.
>> However, my review confirms that such an exploit *could* occur.
>> One weak spot is the use of http:// instead of https:// in
>> http://dl.fedoraproject.org/pub/alt/stage/18-Alpha-TC3/
>> and below, together with the non-signed
>> http://dl.fedoraproject.org/pub/alt/stage/18-Alpha-TC3/Fedora/x86_64/iso/Fedora-18-Alpha-TC3-x86_64-CHECKSUM
>> These are enough to enable an attacker to replace the entire contents of
>> http://dl.fedoraproject.org/pub/alt/stage/18-Alpha-TC3/Fedora/x86_64/iso/Fedora-18-Alpha-TC3-x86_64-netinst.iso
>> and its line in *-CHECKSUM without cryptographic discovery.
> You are correct. Somebody could use DNS poisoning or other tools to
> redirect you to their site, replace the ISOs with their own and
> regenerate the checksum file. For the test composes we don't
> typically sign the checksum file, but we will for alpha/beta/final.
For the record, it used to be the case that the TC / RC builds never
got outside of the Red Hat VPN. It used to not really make sense given
the nexus between how quickly TC/RC builds increment, and the time it
took to upload them to a publicly available location. A few releases
back we decided it made sense and we now had the resources to make them
'publicly' available, but they really aren't official 'releases' in any
sense, they are test builds that exist for the sole purpose of
validation by the Fedora QA team. In other words, you certainly
shouldn't use them for anything important. The system by which we make
them available was pretty much thrown together on the fly and isn't much
more sophisticated than 'dump them in some handy publicly available
directory', which is why it's not terribly secure. Given that we've been
doing things this way for several releases now it seems like it's an
accepted procedure, so it probably would make sense to tighten up on it
a little - publish https rather than http links, and sign the checksum
files, if it's not too difficult.
--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net
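The point made above in the thread, illustrated as an added example (not code from the list or from Fedora's release tooling): a checksum file alone cannot detect an attacker who swaps the ISO and regenerates its line, while a signature over the checksum file does. The `SHA256 (name) = hex` line format is assumed to match the *-CHECKSUM files; the sample "ISO" bytes are constructed, and an HMAC with a constructed key stands in for the GPG signature applied at alpha/beta/final so the example runs with the standard library only.

```python
import hashlib
import hmac
import re

# Constructed sample: a stand-in for the netinst ISO named in the thread.
ISO_NAME = "Fedora-18-Alpha-TC3-x86_64-netinst.iso"
GENUINE_ISO = b"genuine installer image (constructed sample)"
TAMPERED_ISO = b"replaced installer image (constructed sample)"

# Assumed *-CHECKSUM line format: "SHA256 (<name>) = <64 hex chars>".
CHECKSUM_RE = re.compile(r"^SHA256 \((?P<name>[^)]+)\) = (?P<hexdigest>[0-9a-f]{64})$")

def make_checksum_file(files):
    """Build a *-CHECKSUM body from {name: bytes}, as the mirror would publish it."""
    return "\n".join(f"SHA256 ({n}) = {hashlib.sha256(d).hexdigest()}"
                     for n, d in files.items()) + "\n"

def parse_checksum_file(text):
    """Return {name: hexdigest} for every well-formed line; ignore the rest."""
    digests = {}
    for line in text.splitlines():
        m = CHECKSUM_RE.match(line.strip())
        if m:
            digests[m["name"]] = m["hexdigest"]
    return digests

def verify_iso(checksum_text, name, data):
    """The plain `sha256sum -c` style check: compare the file against its listed digest."""
    expected = parse_checksum_file(checksum_text).get(name)
    return expected is not None and hmac.compare_digest(expected, hashlib.sha256(data).hexdigest())

def verify_checksum_file(checksum_text, tag, key):
    """Stand-in for the release signature: a keyed MAC over the whole CHECKSUM body.
    Real releases use a GPG signature; HMAC is an assumption made so this runs offline."""
    return hmac.compare_digest(tag, hmac.new(key, checksum_text.encode(), "sha256").hexdigest())

def simulate():
    key = b"release-signing-key (constructed)"
    genuine_checksum = make_checksum_file({ISO_NAME: GENUINE_ISO})
    tag = hmac.new(key, genuine_checksum.encode(), "sha256").hexdigest()  # published out of band
    # The scenario from the thread: the ISO is replaced and its checksum line regenerated.
    forged_checksum = make_checksum_file({ISO_NAME: TAMPERED_ISO})
    return {
        "genuine_passes": verify_iso(genuine_checksum, ISO_NAME, GENUINE_ISO),
        "swap_undetected_by_hash": verify_iso(forged_checksum, ISO_NAME, TAMPERED_ISO),
        "swap_detected_by_signature": not verify_checksum_file(forged_checksum, tag, key),
    }
```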
_______________________________________________
Anaconda-devel-list mailing list
Anaconda-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/anaconda-devel-list