On Thu, Nov 19, 2009 at 04:36:27AM -0500, Ricky Zhou wrote:
> On 2009-11-19 10:23:53 AM, Till Maas wrote:
> > So at least one major security protection measure is not in place and
> > attackers can create their own repositories with signed packages that
> > have well-known security flaws, e.g. a package with a bad setuid root
> > binary, and install it, if it is not already installed in a newer
> > version.
> I might be wrong on this, but wouldn't the attacker need to trick
> yum/packagekit into using the malicious repo first? I didn't think that
> was allowed for non-root users.

Yes, packagekit must be tricked into using the malicious repo, but this is
not something that needs to be done on the system; it can also be done by
an MITM attack on the network traffic or by compromising DNS.

> Note that even if the repomd.xml files were signed, it'd be easy for an
> attacker to just take an old one with a valid signature and host a repo
> with outdated packages. I thought metalink
> (https://mirrors.fedoraproject.org/metalink?repo=updates-released-f12&arch=x86_64)
> over https was supposed to address the problem of outdated repos though.

It seems that at least the information provided in the metalink is enough
to perform proper verification and deny outdated repositories, since there
are timestamps and secure hashes provided for the repomd.xml file. But there
might still be a problem with third party repositories, if they do not use
metalink, and if the metalink information is not used in a secure way by
yum.

Regards
Till
--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
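The check the message says the metalink makes possible, as an added illustration that is not part of the thread and not yum's or PackageKit's own code: accept a fetched repomd.xml only if a strong hash listed in the metalink matches it and the metalink's timestamp has not moved backwards relative to what the client saw last. The metalink layout (a `file` entry with an `mm0:timestamp` and a `verification` block) and all sample data are constructed for the example.

```python
import hashlib
import xml.etree.ElementTree as ET

# Namespaces as used in the constructed sample below (assumed layout,
# modelled on mirrormanager metalinks; adjust to the real feed).
NS = {"ml": "http://www.metalinker.org/",
      "mm0": "http://fedorahosted.org/mirrormanager"}
STRONG_HASHES = ("sha512", "sha256")   # md5/sha1 entries are ignored


def verify_repomd(metalink_xml, repomd_bytes, last_seen_timestamp):
    """Return (ok, reason) for a fetched repomd.xml.

    Rejects a file that does not match a strong hash from the metalink
    (a stale or swapped repomd.xml) and a metalink whose timestamp is
    older than the one previously seen (a replayed, outdated metalink).
    """
    root = ET.fromstring(metalink_xml)
    entry = root.find(".//ml:file[@name='repomd.xml']", NS)
    if entry is None:
        return False, "metalink lists no repomd.xml"
    ts_el = entry.find("mm0:timestamp", NS)
    if ts_el is None:
        return False, "no timestamp in metalink"
    timestamp = int(ts_el.text)
    if timestamp < last_seen_timestamp:
        return False, "metalink timestamp older than last seen (rollback)"
    expected = {h.get("type"): h.text.strip()
                for h in entry.findall("ml:verification/ml:hash", NS)}
    for algo in STRONG_HASHES:
        if algo in expected:
            actual = hashlib.new(algo, repomd_bytes).hexdigest()
            if actual != expected[algo]:
                return False, f"{algo} mismatch: repomd.xml not the one described"
            return True, f"{algo} ok, metalink timestamp {timestamp}"
    return False, "metalink carries no strong hash for repomd.xml"


# Constructed sample data, not real Fedora metadata.
CURRENT_REPOMD = b"<repomd><revision>1258625000</revision></repomd>"
OLD_REPOMD = b"<repomd><revision>1257000000</revision></repomd>"


def sample_metalink(repomd_bytes, timestamp):
    """Build a minimal metalink describing repomd_bytes (constructed)."""
    digest = hashlib.sha256(repomd_bytes).hexdigest()
    return (f'<metalink version="3.0" xmlns="{NS["ml"]}" xmlns:mm0="{NS["mm0"]}">'
            f'<files><file name="repomd.xml"><mm0:timestamp>{timestamp}</mm0:timestamp>'
            f'<verification><hash type="sha256">{digest}</hash></verification>'
            f'</file></files></metalink>')
```

Calling `verify_repomd(sample_metalink(CURRENT_REPOMD, 1258625000), OLD_REPOMD, 1258500000)` reports the hash mismatch, and passing a `last_seen_timestamp` newer than the metalink's reports the rollback.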