RPM Fusion, wiki defacement, and bug reporting
There are lots of ways to alert a project to a perceived security problem, but defacing its wiki is not high on anyone's preference list. Doing so does have one advantage, however: raising the visibility of the complaint—unfortunate though that may be. So, on the one hand, it is a truly obnoxious act, but on the other it draws attention to a problem that may have been languishing. A recent incident with the RPM Fusion project is a perfect demonstration of that.
RPM Fusion maintains a repository of RPMs for Fedora and Red Hat Enterprise Linux (RHEL). Those RPMs are for packages that Red Hat cannot or will not distribute for various reasons, typically legal issues such as patents. So, things like multimedia codecs, game system emulators, proprietary graphics drivers, and so on will be found in the repository. Three early repositories, Livna, Freshrpms, and Dribble, came together in 2007 to form RPM Fusion.
Users who wish to view internet videos or listen to MP3 files on their Fedora systems are likely to have added RPM Fusion as a source in their /etc/yum.repos.d directory by following the instructions on the RPM Fusion wiki. But those instructions were the target of some defacement on July 26.
A look at the history of the page shows multiple edits from Nikita Churaev (aka lamefun.x0r), interspersed with reverts from Nicolas Chauvet and Jonathan Dieter. The first change was evidently a test to see if a new user could edit the wiki to alter the download links for the packages that "install" RPM Fusion (i.e. place it into the system's Yum repository list). When that was successful, Churaev filed a bug in the project's Bugzilla noting that the initial download (install) of RPM Fusion is insecure. More defacement followed.
The complaints listed in the bug are quite sensible. Anyone can go in and change the wiki links, key IDs, key fingerprints, etc., to lead users to install malware. Even if those malicious edits are noticed and reverted quickly, there is still a window in time where users could be fooled. In addition, anyone can upload a GPG key to the public key servers that purports to be from the RPM Fusion project, so a malicious key that was listed on the wiki could easily be made to pass some basic sanity checks.
One possible malicious scenario would be for an attacker to change the key ID and fingerprints on the wiki to those of keys controlled by the attacker. Then, switching the links to the install packages to malicious versions would lead (some) users to download and install them, which would place the attacker's repository into the Yum configuration. That would allow the attacker to provide a steady stream of malware to the user that was disguised as RPM Fusion packages and all, seemingly, signed with an RPM Fusion key. There are other ugly possibilities too, of course.
One major underlying problem is that the wiki is not accessible over HTTPS, which allows for man-in-the-middle attacks. Clients using SSL/TLS (and checking the validity of the certificate) would be able to ensure that the web page data was coming from the project if that were offered. HTTPS wouldn't, of course, solve the problem of anyone being able to alter the wiki, but a static page or two with the key information that was served up over HTTPS would go a long way toward solving the problems Churaev is reporting.
In fact, an earlier bug filed by Churaev is explicit about that. That bug was filed at the end of 2012 and has seemingly not been touched since. More than a year and a half without any action on the bug appears to have been something of a trigger that led to the wiki defacement (which branched out further, to the wiki front page as well).
Dieter posted to the developers mailing list about the defacement problem. He recommended that the wiki be locked down. But Churaev was not impressed with that response, noting that the defacement problem had happened before, which should have served as a wakeup call. The thread died there, however, after two messages, which should probably be a bit worrisome to those who use RPM Fusion.
As Dieter pointed out in a comment on the most recent bug, though, insulting the project and defacing the wiki are not actually helping to solve the problems Churaev has identified. In fact, that kind of activity is counterproductive:
He went on to list some ideas for ways that Churaev could improve the situation. Others also commented on the bug report, expressing interest in helping to pay for an SSL certificate if that is what is needed. But, again, there was no official response. The bug is open, but so is the wiki. Project leaders are either not paying attention or not taking any visible action. That also should be a bit worrisome to users of the repository.
That's the real crux of the issue, in the end. It would seem that there have been a number of incidents (other defacements, Churaev's original bug report) that should have spurred action on these problems, but hasn't, for whatever reason. There probably isn't too much danger for attentive users, who are knowledgeable about keys, signatures, and the like, but the risk is certainly not zero. For less technical users, who might just follow instructions somewhat blindly, the risk is substantially higher—while still perhaps being fairly low in the grand scheme of things.
But the attitude of the project leaders matters. Even volunteers have some responsibility to secure their public sites, or to at least warn users of the risks. So far, at least, RPM Fusion has seemingly done neither. Those who use its repositories will want to keep that in mind.
It's a little hard to decide what to think of Churaev's role here. The
situation is,
in some ways, akin to companies that have vulnerabilities reported to them,
but fail to take any action. In the past, that has led some to forgo the
"responsible disclosure" path and simply to publicly report any bugs found.
That
is essentially what Churaev has done here—more or less, anyway. Will it
lead to changes in the distribution of RPM Fusion's keys (at least)? It's
an open question that is now at least more prominent than it had been ...
| Index entries for this article | |
|---|---|
| Security | Bug reporting |
| Security | Distribution security |
Posted Jul 31, 2014 7:58 UTC (Thu)
by shalem (subscriber, #4062)
[Link] (4 responses)
Posted Aug 2, 2014 23:39 UTC (Sat)
by Tara_Li (guest, #26706)
[Link]
Posted Aug 4, 2014 5:21 UTC (Mon)
by jdieter (subscriber, #42216)
[Link] (1 responses)
Posted Aug 4, 2014 7:26 UTC (Mon)
by shalem (subscriber, #4062)
[Link]
Posted Aug 9, 2014 5:23 UTC (Sat)
by fn77 (guest, #74068)
[Link]
I get a SSL error:
[...]
Whatever, got subscribed on sysadmin and the confirmation email went on the spam bin at gmail. Confirmed that, other steps for me to follow?
Posted Aug 3, 2014 21:56 UTC (Sun)
by marcH (subscriber, #57642)
[Link] (2 responses)
Like for instance... publishing public keys and other critical information anywhere but on a completely insecure wiki? The most basic (and free) Google doc looks far more secure than this. It does not look like the wiki page should have been reverted, it should rather have been deleted!
Posted Aug 11, 2014 23:36 UTC (Mon)
by derekp7 (guest, #98286)
[Link] (1 responses)
Posted Aug 12, 2014 8:24 UTC (Tue)
by marcH (subscriber, #57642)
[Link]
Posted Aug 4, 2014 2:08 UTC (Mon)
by sitaram (guest, #5959)
[Link] (7 responses)
As for the comment that rpmfusion lacks manpower, that is common everywhere. They need to prioritise. I have no idea what *else* they do, and I am sure it is a lot, but this kind of issue must come first, even if the latest update to vlc (to use a totally not-random example) is a little delayed.
As of August 2nd, there appear to be some "ACLs" added. It would be interesting to know how much effort this was, and if not much, why it was not done as soon as Churaev first "defaced" the page.
Posted Aug 4, 2014 6:26 UTC (Mon)
by marcH (subscriber, #57642)
[Link] (6 responses)
... and one effective way to prioritize is NOT to do something quick/dirty/insecure/short-sighted/etc. In this example, it's most likely that someone will volunteer to implement something correctly if this important information is not published anywhere. As it stands almost everyone (but Churaev) must believe that the wiki is either secure or "insecure by design".
I find that the "short on manpower" (and very valid) argument is never good enough to justify doing something very quick and dirty and damaging - of course unless you are *paid* to do it by some mad deadline.
Posted Aug 4, 2014 6:32 UTC (Mon)
by sitaram (guest, #5959)
[Link] (5 responses)
That is what I meant when I said "Considering the history of ignored issues". Clearly your rationale doesn't apply, and that if you leave it to the "don't do anything rash" camp it just devolves to "don't do anything".
Posted Aug 5, 2014 7:51 UTC (Tue)
by marcH (subscriber, #57642)
[Link] (4 responses)
I don't think you understood me: I suggested to *delete* this information from the insecure and hackable wiki. Strip the several years old band-aid.
Posted Aug 5, 2014 9:21 UTC (Tue)
by sitaram (guest, #5959)
[Link] (3 responses)
But deletions can be reverted just as easily as changes to text, so I'm not sure if the end result would be any different than what it is now.
Posted Aug 9, 2014 5:27 UTC (Sat)
by fn77 (guest, #74068)
[Link]
Posted Aug 9, 2014 20:39 UTC (Sat)
by mathstuf (subscriber, #69389)
[Link] (1 responses)
Posted Aug 10, 2014 1:09 UTC (Sun)
by mathstuf (subscriber, #69389)
[Link]
RPM Fusion, wiki defacement, and bug reporting
RPM Fusion, wiki defacement, and bug reporting
RPM Fusion, wiki defacement, and bug reporting
RPM Fusion, wiki defacement, and bug reporting
RPM Fusion, wiki defacement, and bug reporting
You attempted to reach lists.rpmfusion.org, but the server presented a certificate issued by an entity that is not trusted by your computer's operating system. This may...
[...]
RPM Fusion, wiki defacement, and bug reporting
RPM Fusion, wiki defacement, and bug reporting
RPM Fusion, wiki defacement, and bug reporting
RPM Fusion, wiki defacement, and bug reporting
RPM Fusion, wiki defacement, and bug reporting
RPM Fusion, wiki defacement, and bug reporting
RPM Fusion, wiki defacement, and bug reporting
That should be painful enough to attract attention.
RPM Fusion, wiki defacement, and bug reporting
RPM Fusion, wiki defacement, and bug reporting
RPM Fusion, wiki defacement, and bug reporting
RPM Fusion, wiki defacement, and bug reporting