Re: RPM roadmapping

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, 30 Jul 2007, seth vidal wrote:

On Mon, 2007-07-30 at 21:03 +0300, Panu Matilainen wrote:
Yum could just as well support "yum install http://..../foo.rpm"; :)

Speaking of that, yum currently accesses package header before verifying
the signature, at least in the case of localinstall. I've some fuzzed
rpm's here that cause rpm to segfault if signature checking is
disabled as yum does... Dunno how exploitable that is in reality but there
is a potential vulnerability there anyway.

1. Can I get a copy of those rpms?
2. I've heard about the aforementioned mythic case of an exploit but
never actually seen one. I could be wrong but I thought the case that
was dangerous was not if gpg signature checking was disabled but if
header checking in general was disabled. Changing yum's opener for pkgs
so it does with hdr checking enabled is pretty simple to do - however,
it'd be nice if I had a replicating case to check it out with.

BTW if it's of any comfort, apt is guilty of the same thing. Doh :)

	- Panu -

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux