
Attacks on package managers

Posted Apr 9, 2009 4:57 UTC (Thu) by mdomsch (subscriber, #5920)
Parent article: Attacks on package managers

In Fedora 11 (currently rawhide), many of these concerns have been addressed.

* The mirrorlist is obtained via https.

* The mirrorlist is in the form of a metalink file, which lists the MD5, SHA1, SHA256, and SHA512 digests for the root repomd.xml file (yum uses the SHA256 digest by default now). If the digest doesn't match, yum refuses to use the file.

* In addition, to prevent a maliciously stale mirror from being used, the mirrorlist contains the timestamp of the repomd.xml file, and in fact a list of such timestamps dating back at most one week (adjustable on the mirrorlist server). Yum will then refuse to honor a repomd.xml file that is stale.

This provides against a man-in-the-middle attack, a mirror having an invalid repo, and maliciously stale mirrors.

I believe that yum's HTTPS support does not yet do certificate validation, so is still vulnerable to DNS spoofing.
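An added illustration of the two checks described in the comment above (digest match against the metalink, then a freshness window). This is not yum's or Fedora's code; the metalink layout, the snapshot bodies and the timestamps are constructed and deliberately simplified rather than a copy of the real Fedora metalink schema.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed stand-ins for three snapshots of a repo's repomd.xml: the
# current one, one a few days old, and one two weeks old (no longer listed).
SNAPSHOTS = {
    1239300000: b"<repomd><revision>1239300000</revision></repomd>",
    1239000000: b"<repomd><revision>1239000000</revision></repomd>",
    1238000000: b"<repomd><revision>1238000000</revision></repomd>",
}
NOW = 1239400000        # constructed "current time" for the checks
MAX_AGE = 7 * 86400     # the one-week window mentioned in the comment

def build_metalink(snapshots, now=NOW, max_age=MAX_AGE):
    """Mirrorlist side (constructed, simplified): list a SHA256 digest plus
    timestamp for every repomd.xml snapshot younger than max_age, nothing older."""
    entries = "".join(
        f"<alternate><timestamp>{ts}</timestamp>"
        f'<hash type="sha256">{hashlib.sha256(body).hexdigest()}</hash></alternate>'
        for ts, body in snapshots.items() if now - ts <= max_age)
    return f"<metalink><file name='repomd.xml'>{entries}</file></metalink>"

def verify_repomd(metalink_xml, repomd, now=NOW, max_age=MAX_AGE):
    """Client side: accept a fetched repomd.xml only if its SHA256 is listed
    in the metalink and the listed timestamp is inside the freshness window.
    Returns (accepted, reason)."""
    root = ET.fromstring(metalink_xml)
    digest = hashlib.sha256(repomd).hexdigest()
    for alt in root.iterfind("./file[@name='repomd.xml']/alternate"):
        h = alt.find("hash[@type='sha256']")
        if h is None or h.text.strip().lower() != digest:
            continue
        ts = int(alt.findtext("timestamp"))
        if now - ts > max_age:
            return False, f"repomd.xml is listed but {now - ts}s old: stale"
        return True, f"repomd.xml matches snapshot {ts}"
    # Unlisted digest: the file was altered in transit, the mirror's repo is
    # broken, or the mirror is serving a snapshot too old to still be listed.
    return False, "repomd.xml SHA256 not in metalink: tampered or stale mirror"

if __name__ == "__main__":
    ml = build_metalink(SNAPSHOTS)
    for ts, body in SNAPSHOTS.items():
        print(ts, verify_repomd(ml, body))
    print("altered", verify_repomd(ml, SNAPSHOTS[1239300000] + b" "))
```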


Attacks on package managers

Posted Apr 11, 2009 4:03 UTC (Sat) by lurk546 (subscriber, #17438) [Link]

Unsigned packages occasionally show up on the released versions of Fedora, but they tend to be the exception.

Unfortunately I ran across a lot of unsigned packages while testing Fedora 11 Beta today. Apparently it's a big enough problem that the default repository is set to not check GPG signatures of packages. I tried turning it on and using the other repositories for Fedora 11, but I ran into a lot of packages that would not install because of GPG signature problems.

This seems like an important flaw to fix considering a significant fraction of rawhide users are likely to be package developers and may perhaps have access to some important servers.

I hope this was only changed due to issues regarding the switch to the new hash, and will be corrected quickly.

Re: Attacks on package managers

Posted Apr 14, 2009 19:10 UTC (Tue) by nevyn (guest, #33129) [Link]

Duh, rawhide isn't signed. Fedora only signs the releases (what normal people use). However in current rawhide they also have metalink to provide security (sha256 hashes of everything) of the repodata.

Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds