| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
rpm: code execution
(Log in to post comments)
rpm: code execution Posted Apr 5, 2012 8:58 UTC (Thu) by epa (subscriber, #39769) [Link]
Yow! That's a big one. Perhaps the Debian people were right all along that signature validation should not be part of the package manager, but should be performed using a separate tool (such as gpg) as a first step.
rpm: code execution Posted Apr 5, 2012 18:26 UTC (Thu) by amacater (subscriber, #790) [Link]
Possibly another reason not to trust Red Hat and derivatives. Compromise of signing keys on several occasions for Red Hat and Fedora with various levels of disclosure of vulnerabilities thereafter: now not checking the signing keys properly for installation. The derivatives have fixed this almost as quickly as their commercial upstream distribution on this occasion, thankfully
rpm: code execution Posted Apr 5, 2012 19:52 UTC (Thu) by rahulsundaram (subscriber, #21946) [Link]
Your understanding is incorrect. Red Hat signing key compromise didn't happen on several occasions. Just once and details are at http://rhn.redhat.com/errata/RHSA-2008-0855.html. Fedora infrastructure was compromised at the same time but not the signing keys.
https://www.redhat.com/archives/fedora-announce-list/2008...
"It is important to note that the effects of the intrusion on Fedora and
rpm: code execution Posted Apr 5, 2012 22:14 UTC (Thu) by PaXTeam (subscriber, #24616) [Link]
> Your understanding is incorrect.
we'll see about that ;).
> Red Hat signing key compromise didn't happen on several occasions.
i'm sure they'd be really glad to know that for sure but as these things tend to stand, they cannot know that so you can't know that either.
> Just once
you mean one compromise became public enough that it couldn't be swept under the carpet.
> and details are at http://rhn.redhat.com/errata/RHSA-2008-0855.html.
there're no details about the compromise and that on-going investigation seems to have never finished as 4 years after we still don't know what exactly happened (hello kernel.org). yes, you don't know that either.
rpm: code execution Posted Apr 5, 2012 23:47 UTC (Thu) by rahulsundaram (subscriber, #21946) [Link]
Even if one can take your argument that anything might have happen any number of times and nobody knows anything for sure, anyone is still wrong to make a claim without any evidence and I stand by my point that he has merely misunderstood what he has read especially since he also claimed Fedora signing keys were also compromised.
rpm: code execution Posted Apr 6, 2012 14:36 UTC (Fri) by PaXTeam (subscriber, #24616) [Link]
but you see the problem with your claims is that you didn't present any evidence, therefore you're wrong by your own opinion ;). speaking of the news item you cited, it doesn't actually say that the Fedora signing key remained safe and in fact had there been 100% assurance of that fact, no key changes would have been necessary.
rpm: code execution Posted Apr 7, 2012 5:29 UTC (Sat) by rahulsundaram (subscriber, #21946) [Link]
You are not that naive. Proving a negative is not possible. Keys got changed as a precaution which again I am sure you were already aware of.
rpm: code execution Posted Apr 7, 2012 19:28 UTC (Sat) by PaXTeam (subscriber, #24616) [Link]
> You are not that naive.
let's keep this civil ;).
> Proving a negative is not possible.
actually, it depends. i'm pretty sure you could prove that no numbers in the set of the integer powers of 2 are divisible by 3. besides, you're basically saying that you wanted to contradict the OP by making an unprovable statement.
> Keys got changed as a precaution which again I am sure you were already aware of.
i know what they said but that's not what *you* said. you made the blanket statement (again, to contradict the OP) that the Fedora signing key wasn't compromised. not even the Fedora guys dared to make such a statement, why did you then?
rpm: code execution Posted Apr 7, 2012 20:33 UTC (Sat) by rahulsundaram (subscriber, #21946) [Link]
OP made a claim without evidence. I asserted it is not true because there is no reasonable evidence for it. Beyond that, I am not really interested in "100% proofs".
rpm: code execution Posted Apr 7, 2012 21:35 UTC (Sat) by PaXTeam (subscriber, #24616) [Link]
you didn't simply disagree with him, you flat out made a counter-claim - without evidence. not exactly a convincing style of discussion, if you ask me ;). second, you're actually wrong about
> OP made a claim without evidence.
the reason for that is simple: when RH/Fedora guys learned of the compromise, they got irrefutable evidence that 1. such a stunt was actually possible, 2. at least one had entity successfuly pulled it off. from this any incident responder will conclude that it must have then been possible for other entities as well and that is actually the reason for the Fedora keychange (RH's saving grace was the HSM): they did *not* have the option/choice of not changing the signing key, they *had* to do it because at that point someone else may have very well had been signing fake packages left and right. to conclude, the OP has every reason to suspect more than one compromise, down to the signing key just because it had actually occured once in the past already. yes that also means that all this package signing security buys one only so much.
rpm: code execution Posted Apr 8, 2012 1:58 UTC (Sun) by rahulsundaram (subscriber, #21946) [Link]
You didn't ask OP for any evidence for his claim that Fedora keys were compromised. So I don't find your style convincing either. The latter part is just speculation and you are free to engage in it.
rpm: code execution Posted Apr 8, 2012 18:55 UTC (Sun) by PaXTeam (subscriber, #24616) [Link]
> You didn't ask OP for any evidence for his claim that Fedora keys were compromised.
why would i have asked him/her if i fundamentally find no fault with his/her thinking? (i explained in previous posts why)
> So I don't find your style convincing either.
for that matter you didn't ask OP *anything* either, you went for a straight counterclaim (more like speculation, really), so it seems you don't find your own style convincing either ;).
> The latter part is just speculation and you are free to engage in it.
it's no less speculation than your own speculation (or as any security profession would call it, wishful thinking ;).
rpm: code execution Posted Apr 8, 2012 20:50 UTC (Sun) by rahulsundaram (subscriber, #21946) [Link]
If you find no fault with someone who makes a claim about keys being compromised and multiple compromises without any evidence but choose to interject your own overreaching hypothesis to justify it, I have nothing further to discuss. Good luck with wishful thinking.
rpm: code execution Posted Apr 8, 2012 21:07 UTC (Sun) by PaXTeam (subscriber, #24616) [Link]
so in the end you fault others for what you yourself have done and at the same time not understand why your 'no other compromise ever' claim is wishful thinking. i rest my case ;).
rpm: code execution Posted Apr 8, 2012 23:03 UTC (Sun) by rahulsundaram (subscriber, #21946) [Link]
You engage in false equivalence knowingly (any claim of multiple compromises without evidence is unjustified while it is not possible to ever show that any system has never been compromised). So yes, you are engaging in wishful thinking and I don't buy your argument nor am I convinced by your style. So we can agree to disagree. I rest my case too :-)
rpm: code execution Posted Apr 6, 2012 15:56 UTC (Fri) by amacater (subscriber, #790) [Link]
OK. My memory may be fallible. Red Hat infrastructure was compromised on at least one occasion; Signing key infastructure was compromised at that time - "dodgy packages" were purportedly signed, IIRC.
Fedora infrastructure was compromised at some separate time: hence the one Fedora instance where there were two sets of packages - one from "old key" one from "new key".
My comment was from memory: but there was more than one occasion, as I recalled.
rpm: code execution Posted Apr 7, 2012 5:34 UTC (Sat) by rahulsundaram (subscriber, #21946) [Link]
Not separate time but same. Also, There is no evidence of Fedora signing keys ever been compromised. Fedora did change it as a additional security measure. As to your memory of being more than one such instance I have to say it is faulty
rpm: code execution Posted Apr 5, 2012 19:27 UTC (Thu) by raven667 (subscriber, #5198) [Link]
This looks like a garden variety buffer overflow, a mistake which could be made in any code. It would be interesting to know if this was found due to exploits in the wild or, more likely, a code audit.
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||