LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Attacks on package managers

Attacks on package managers

Posted Apr 10, 2009 1:07 UTC (Fri) by Alan_Hicks (subscriber, #20469)
Parent article: Attacks on package managers

What in the world?!Slaktool is not the package management utility used by Slackware! In fact, it isn't even included in Slackware!

Justin Samuel said that he has the impression that the Slackware community is not currently focused on securing their package manager

It would help if he had actually reviewed pkgtool and its supporting utlities like installpkg and upgradepkg which are the real package manager for Slackware rather than some unsupported and (at least to me, a member of the Slackware core team) unheard of. There are lots of these third party tools, but few are included in Slackware. In fact, until very recently none were real parts of Slackware and had only ever been included in the extra/ subset, which is reserved for packages that aren't for testing/ but aren't yet dubbed worthy of being included in one of the disksets for various reasons.

Now, the -current branch includes slackpkg which is the only utility ever officially supported by Slackware or the "Slackware community" that handles automatic download and install/upgrade of packages. This seems to me to be the method by which most of these such vulnerabilities could be exploited. Traditionally, packages had to be downloaded via another utility such as wget, then the user could verify the md5sum or the integrity against a .asc file using RSA. slackpkg should support this in the future. It currently is capable only of downloading the GPG public key used to sign the packages. Future versions of slackpkg should be able to check the downloaded package against the RSA signature in the .asc files and the project's public key.

So in short, Mr. Samuel is dead wrong on a number of levels for simply reviewing the wrong thing. This causes me to question how much diligence he put forth into this review. Had he taken the time to determine what is actually included in Slackware and supported by the community, he might have taken away an entirely different impression.

P.S. Shame on the editors for not catching that Slaktool isn't a part of Slackware at all, but that's forgiveable. After all, this is still the damned best source for news in the open source community.

(Log in to post comments)

slackpkg

Posted Apr 10, 2009 23:57 UTC (Fri) by Justin_Samuel (guest, #57967) [Link]

We apologize for looking at the wrong tool and want to thank you for correcting us. When we did our initial work over a year ago, we incorrectly concluded that slaktool was the primary package manager. This is something we clearly should have discovered and corrected when reexamining package managers.

We have examined slackpkg and have sent a list of important security vulnerabilities to the Slackware security team. We'll wait a little while to make the specifics public but the security flaws are impactful, easy to exploit, and in the same vein as the issues we've mentioned for other package management tools.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds