
But if mirrors are randomized and yum won't downgrade?

Posted Apr 9, 2009 3:29 UTC (Thu) by JoeBuck (subscriber, #2330)
Parent article: Attacks on package managers

With Fedora, yum selects a mirror at random, and if I understand correctly, yum won't do a downgrade by default. So it would seem that taking over one mirror would not be enough: you might be able to get a system that didn't have a vulnerable package at all to install it, but how would you turn it on (if it's a service)? If the attacker is limited to shipping signed packages, the opportunities seem limited given that yum won't downgrade and the user will occasionally hit other mirrors, which would upgrade past the insecure package.

On the other hand, using the yum-fastestmirror plugin would make you vulnerable to the security of your fastest (usually your nearest) mirror.

I suppose the paranoid could write a yum plugin that checks at least three mirrors looking for newest versions of a package.
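An added example, not from this thread and not yum's own code: the cross-mirror consistency check JoeBuck sketches, written in Python over constructed mirror listings. The mirror names, package versions and the simplified rpmvercmp are assumptions; a real plugin would fill the listings from each mirror's repodata.

```python
# Added example (not from the LWN thread or yum): flag mirrors whose newest
# build of a package is older than what the other mirrors advertise, the
# signature of a frozen or stale mirror. Sample data below is constructed.
import re
from itertools import zip_longest

def _split(s):
    """Split a version string into the alnum segments rpmvercmp compares."""
    return re.findall(r"\d+|[A-Za-z]+", s)

def rpmvercmp(a, b):
    """Simplified rpmvercmp: numeric segments compare as integers, numeric
    beats alpha, and the string with segments left over is newer (no tilde)."""
    for x, y in zip_longest(_split(a), _split(b)):
        if x is None: return -1
        if y is None: return 1
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y): return (int(x) > int(y)) - (int(x) < int(y))
        elif xd != yd:
            return 1 if xd else -1
        elif x != y:
            return (x > y) - (x < y)
    return 0

def evr_cmp(a, b):
    """Order (epoch, version, release) tuples the way yum orders packages."""
    c = (a[0] > b[0]) - (a[0] < b[0])
    return c or rpmvercmp(a[1], b[1]) or rpmvercmp(a[2], b[2])

def stale_mirrors(listings, min_mirrors=3):
    """listings: {mirror: {pkg: (epoch, ver, rel)}}, newest build per mirror.
    Returns {mirror: [pkg, ...]} for mirrors behind the newest EVR seen anywhere."""
    if len(listings) < min_mirrors:
        raise ValueError("need at least %d mirrors to compare" % min_mirrors)
    newest = {}
    for pkgs in listings.values():
        for pkg, evr in pkgs.items():
            if pkg not in newest or evr_cmp(evr, newest[pkg]) > 0:
                newest[pkg] = evr
    return {m: sorted(p for p, evr in pkgs.items() if evr_cmp(evr, newest[p]) < 0)
            for m, pkgs in listings.items()
            if any(evr_cmp(evr, newest[p]) < 0 for p, evr in pkgs.items())}

# Constructed sample: three mirrors, mirror-c still serving an older openssl.
SAMPLE = {
    "mirror-a": {"openssl": (0, "0.9.8k", "1.fc10"), "bash": (0, "3.2", "33.fc10")},
    "mirror-b": {"openssl": (0, "0.9.8k", "1.fc10"), "bash": (0, "3.2", "33.fc10")},
    "mirror-c": {"openssl": (0, "0.9.8g", "12.fc10"), "bash": (0, "3.2", "33.fc10")},
}

if __name__ == "__main__":
    print(stale_mirrors(SAMPLE))  # {'mirror-c': ['openssl']}
```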



But if mirrors are randomized and yum won't downgrade?

Posted Apr 10, 2009 17:55 UTC (Fri) by smoogen (subscriber, #97) [Link]

The attack would be the following.

1) Set up a mirror and register that you offer mirror services for XYZ networks or domains (This mirror will work for .gov.edu. and boxes from 10.1.0.0). The ability to say that you give preference to networks or domains helps get clients faster downloads but has its downside.

2) For most people have a real mirror that they can get packages from. For the specific subnet/domain have it log and see what is asked for. With a profile you can see how successful a trojan set will work.

3) Wait for a client to get to you eventually. The best bet would be to eventually wait for the guy who turned off various gpgcheck etc. in their yum updates because they had a problem sometime in the past and who needs it.

4) Have your trojan app replace some config files and start slowly probing the network it is on to find out what it can spread. <EG Profit>

But if mirrors are randomized and yum won't downgrade?

Posted Apr 11, 2009 6:49 UTC (Sat) by tzafrir (subscriber, #11501) [Link]

Can a mirror tell if a client turned off GPG check?

But if mirrors are randomized and yum won't downgrade?

Posted Apr 13, 2009 2:14 UTC (Mon) by mdomsch (subscriber, #5920) [Link]

No, mirrors cannot know if a client has turned on or off gpg checking.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds