On Wed, 2003-01-15 at 14:10, R P Herrold wrote:
> On Wed, 15 Jan 2003, Michael A. Peterson wrote:
>
> > May I suggest that yum checks that the downloaded header file is not just
> > a 404 error from the web server? :)
>
> Certainly -- lots of good coding practice options exist --
> also check that size is non-zero; and here, that the gzip CRC
> checksum is intact, and later, that the header has all four
> fields of another version. We are spoiled by the robustness
> of the internet as a transport, when stuff mostly works.

Rereading these messages I think I know what I'd like to do for this.

for headers:
- check that they can be opened and read by rpm
- make sure the name and arch match what they contain when you read that data from the header

for header.info:
- see if it is non-zero in size
- if so, read for useful content; if I can't parse line one then bail on that repository (maybe exit entirely?)
- if I can parse the line then continue
- if it's zero in size, warn and continue w/the next repository.

> But there are evil people out there, and yum headers are not
> GPG signed -- It seems there are possibilities for exploits
> which could be forged and pushed out if a yum mirror were
> compromised, and cleverly written rogue content .hdr's were
> substituted; as was the case with the tcpdump, and sendmail
> mirrors in recent months ... a good gzip checksum should be
> trivial to forge -- maybe more is needed to confirm the
> 'goodness' of a header still. Food for thought.

rpm 4.2 can have signed headers - I've thought about this as one option.

However, what real security problem could occur with a forged header and NOT a forged rpm? I tried to come up with a situation and the only thing I could think of was maybe stopping a system from being upgraded, or MAYBE causing yum to think something obsoleted something else - but even so rpm wouldn't obsolete the pkg.

Can you come up with a theoretical case?

-sv
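The sanity checks discussed in this thread (reject an empty download or an HTML 404 page that arrived in place of a .hdr, require an intact gzip CRC, and for header.info warn-and-skip on an empty file but bail on the repository when line one does not parse), as an added Python example; this is not yum's own code. The "can rpm open it" and name/arch comparison from the message needs the rpm bindings and is left out, the sample payloads are constructed, and the header.info line format `epoch:name-version-release.arch=path` is an assumption about the format, not taken from this thread.

```python
import gzip
import re
import zlib

# Constructed sample inputs, not real repository data.
HTML_404 = b"<html><head><title>404 Not Found</title></head><body>Not Found</body></html>"
GOOD_HDR = gzip.compress(b"\xed\xab\xee\xdb" + b"\x00" * 64)  # gzip-wrapped bytes standing in for a header


def corrupt_trailer(data: bytes) -> bytes:
    """Flip one bit in the gzip CRC32 trailer (last 8 bytes = CRC32 + ISIZE) so the stream fails its check."""
    buf = bytearray(data)
    buf[-8] ^= 0x01
    return bytes(buf)


BAD_CRC_HDR = corrupt_trailer(GOOD_HDR)


def classify_download(data: bytes) -> str:
    """Cheap transport-level checks on a downloaded .hdr before handing it to rpm."""
    if len(data) == 0:
        return "empty"                      # size is zero: nothing usable arrived
    head = data[:512].lstrip().lower()
    if head.startswith(b"<!doctype") or head.startswith(b"<html"):
        return "html-error-page"            # a web server error page, not a header
    if data[:2] != b"\x1f\x8b":
        return "not-gzip"                   # missing gzip magic
    try:
        gzip.decompress(data)               # gzip verifies the CRC32 trailer while decompressing
    except (OSError, EOFError, zlib.error):  # gzip.BadGzipFile is an OSError subclass
        return "corrupt-gzip"
    return "ok"


# Assumed header.info line layout: epoch:name-version-release.arch=relative/path.rpm
HEADER_INFO_RE = re.compile(r"^(\d+):([^=]+)-([^-=]+)-([^-=]+)\.([^.=]+)=(.+)$")


def parse_header_info_line(line: str):
    """Return the fields of one header.info line, or None if it does not match the assumed format."""
    m = HEADER_INFO_RE.match(line.strip())
    if not m:
        return None
    epoch, name, version, release, arch, path = m.groups()
    return {"epoch": int(epoch), "name": name, "version": version,
            "release": release, "arch": arch, "path": path}


def check_repository(header_info: bytes):
    """Apply the header.info rules from the message: zero size -> warn and skip the repository;
    unparsable first line -> bail on this repository; otherwise return the parsed entries."""
    if len(header_info) == 0:
        return "warn-and-skip", []
    lines = header_info.decode("utf-8", errors="replace").splitlines()
    first = parse_header_info_line(lines[0]) if lines else None
    if first is None:
        return "bail", []
    entries = [e for e in (parse_header_info_line(l) for l in lines) if e is not None]
    return "ok", entries


if __name__ == "__main__":
    for label, payload in (("empty", b""), ("404", HTML_404),
                           ("bad-crc", BAD_CRC_HDR), ("good", GOOD_HDR)):
        print(label, "->", classify_download(payload))
    print(check_repository(b"0:zsh-4.0.6-8.i386=zsh-4.0.6-8.i386.rpm\n"))
    print(check_repository(HTML_404))
```

Note that, as the thread says, passing these checks only shows the file survived transport intact; a CRC says nothing about who produced the content, which is why signed headers are the separate question raised above.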