Re: apology: no actual 0-day exploit in anaconda


On 2012-08-18 12:39, Jesse Keating wrote:
On 08/17/2012 07:33 PM, John Reiser wrote:
After further review, I agree that such an exploit almost certainly
did *not* happen to me today.  I have no direct evidence that it did.
I was not running a network sniffer at the time, any logs were erased
because of early termination of the install, I am not running secure
DNS and have not audited my DNS recently, etc.  [Also, if the exploit
were really good, then logs would have been whitewashed, etc.]
Other factors ("transient events", logic bugs, etc.) are sufficient
to explain the behavior that I observed.  I apologize for any
unnecessary alarm that my post may have caused.

However, my review confirms that such an exploit *could* occur.
One weak spot is the use of http:// instead of https:// in
    http://dl.fedoraproject.org/pub/alt/stage/18-Alpha-TC3/
and below, together with the non-signed
    http://dl.fedoraproject.org/pub/alt/stage/18-Alpha-TC3/Fedora/x86_64/iso/Fedora-18-Alpha-TC3-x86_64-CHECKSUM
These are enough to enable an attacker to replace the entire contents of
    http://dl.fedoraproject.org/pub/alt/stage/18-Alpha-TC3/Fedora/x86_64/iso/Fedora-18-Alpha-TC3-x86_64-netinst.iso
and its line in *-CHECKSUM without cryptographic discovery.

You are correct.  Somebody could use DNS poisoning or other tools to
redirect you to their site, replace the ISOs with their own and
regenerate the checksum file.  For the test composes we don't
typically sign the checksum file, but we will for alpha/beta/final.

For the record, it used to be the case that the TC / RC builds never got outside of the Red Hat VPN. It used to not really make sense given the nexus between how quickly TC/RC builds increment, and the time it took to upload them to a publicly available location. A few releases back we decided it made sense and we now had the resources to make them 'publicly' available, but they really aren't official 'releases' in any sense, they are test builds that exist for the sole purpose of validation by the Fedora QA team. In other words, you certainly shouldn't use them for anything important. The system by which we make them available was pretty much thrown together on the fly and isn't much more sophisticated than 'dump them in some handy publicly available directory', which is why it's not terribly secure. Given that we've been doing things this way for several releases now it seems like it's an accepted procedure, so it probably would make sense to tighten up on it a little - publish https rather than http links, and sign the checksum files, if it's not too difficult.
--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net
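A defender-side illustration of the weak spot discussed in this thread, added here and not code from the thread, from anaconda or from Fedora: a checker that hashes a downloaded image against a CHECKSUM file and refuses to trust a CHECKSUM that carries no signature. The BSD-style `SHA256 (name) = hex` line format is assumed, and the image bytes and the placeholder signature block are constructed samples.

```python
import hashlib
import re

# Fedora CHECKSUM lines are assumed to use the BSD style "SHA256 (name) = hex".
LINE_RE = re.compile(r"^SHA256 \((?P<name>[^)]+)\) = (?P<digest>[0-9a-f]{64})$")
CLEARSIGN_BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
SIGNATURE_BEGIN = "-----BEGIN PGP SIGNATURE-----"

def parse_checksum_file(text):
    """Map image file name -> expected SHA-256 hex digest."""
    digests = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            digests[m.group("name")] = m.group("digest")
    return digests

def is_clearsigned(text):
    """True if the file carries a PGP clearsign wrapper.  This detects only the
    wrapper; the signature must still pass `gpg --verify` against a trusted
    Fedora key before any digest in the file is believed."""
    return CLEARSIGN_BEGIN in text and SIGNATURE_BEGIN in text

def verify_image(name, data, checksum_text, require_signed=True):
    """Return 'ok', 'unsigned', 'missing' or 'mismatch'."""
    if require_signed and not is_clearsigned(checksum_text):
        return "unsigned"
    expected = parse_checksum_file(checksum_text).get(name)
    if expected is None:
        return "missing"
    return "ok" if hashlib.sha256(data).hexdigest() == expected else "mismatch"

# Constructed sample data: stand-in bytes, not a real ISO.
IMAGE_NAME = "Fedora-18-Alpha-TC3-x86_64-netinst.iso"
GENUINE_IMAGE = b"genuine installer image bytes"
TAMPERED_IMAGE = b"tampered installer image bytes"

def make_checksum_text(data, signed):
    """Build a CHECKSUM file for data; the signature block is a placeholder."""
    line = "SHA256 (%s) = %s" % (IMAGE_NAME, hashlib.sha256(data).hexdigest())
    if not signed:
        return line + "\n"
    return "%s\nHash: SHA256\n\n%s\n%s\n(placeholder)\n-----END PGP SIGNATURE-----\n" % (
        CLEARSIGN_BEGIN, line, SIGNATURE_BEGIN)

# The scenario from the thread: the image is swapped and an unsigned CHECKSUM is
# regenerated to match it, so a bare hash comparison passes but a signed one cannot.
REGENERATED = make_checksum_text(TAMPERED_IMAGE, signed=False)
```

In a real download check, `is_clearsigned` is replaced by running `gpg --verify` on the CHECKSUM file against the Fedora release key obtained over https, and only then is `verify_image` run on the ISO.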

_______________________________________________
Anaconda-devel-list mailing list
Anaconda-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/anaconda-devel-list
