Re: (slashdot)Package Managers As Achilles Heel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Just being alarmist, here,

On Aug 18, 2008, at 5:42 AM, Mikkel L. Ellertson wrote:

Björn Persson wrote:
Mikkel L. Ellertson wrote:
Marcelo M. Garcia wrote:
http://it.slashdot.org/article.pl?sid=08/07/10/227220&from=rss
Two things bother me about this. First of all, most users are not
using the same mirror all the time, so there would only be a brief
window that the system would be vulnerable. The second thing is that
yum is not going to install an older package, and the package
version is not dependent on the file name. It is part of the
information in the RPM. So they could delay the installation of an
update on some systems. By default, yum picks a mirror at random
from the mirror list to help spread the load on the mirrors.

I found this in their FAQ:

| Q: I use a service that distributes my requests to different mirrors for my | distribution (like MirrorManager). That means I'm not vulnerable, right?

| A: The good aspect of these systems is that it may spread your requests | across multiple mirrors in the normal case. However, when testing some of | these systems, we were able to target the clients that used our mirror and | exclude them from using other mirrors. This means that if an attacker wants | to target your organization, these services may help the attacker do so.

It's not clear whether Yum is vulnerable to getting locked to the malicious
mirror, or how they did it.

Björn Persson

By default, the mirrir list is fetched from
http://mirrors.fedoraproject.org/mirrorlist?repo=fedora- $releasever&arch=$basearch
and a mirror is picked at random from the list. You can override the
mirror used with the fast-mirror plugin, or by editing the repo
configuration file. So yum is probably not one of the clients they
could do that to.

Can yum install something that would overwrite its own configuration file?

Now, if you used a DNS bug to hijack
mirrors.fedoraproject.org, then you could lock in the mirror used by
suppling a list that only contained pointers to the malicious mirror.

Mikkel
--

  Do not meddle in the affairs of dragons,
for thou art crunchy and taste good with Ketchup!

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list


--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora Magazine]     [Fedora News]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [SSH]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux