(slashdot)Package Managers As Achilles Heel

Joel Rees joel.rees at gmail.com
Mon Aug 18 01:43:40 UTC 2008


Just being alarmist, here,

On Aug 18, 2008, at 5:42 AM, Mikkel L. Ellertson wrote:

> Björn Persson wrote:
>> Mikkel L. Ellertson wrote:
>>> Marcelo M. Garcia wrote:
>>>> http://it.slashdot.org/article.pl?sid=08/07/10/227220&from=rss
>>> Two things bother me about this. First of all, most users are not
>>> using the same mirror all the time, so there would only be a brief
>>> window that the system would be vulnerable. The second thing is that
>>> yum is not going to install an older package, and the package
>>> version is not dependent on the file name. It is part of the
>>> information in the RPM. So they could delay the installation of an
>>> update on some systems. By default, yum picks a mirror at random
>>> from the mirror list to help spread the load on the mirrors.
>>
>> I found this in their FAQ:
>>
>> | Q: I use a service that distributes my requests to different mirrors for my
>> | distribution (like MirrorManager). That means I'm not vulnerable, right?
>>
>> | A: The good aspect of these systems is that it may spread your requests
>> | across multiple mirrors in the normal case. However, when testing some of
>> | these systems, we were able to target the clients that used our mirror and
>> | exclude them from using other mirrors. This means that if an attacker wants
>> | to target your organization, these services may help the attacker do so.
>>
>> It's not clear whether Yum is vulnerable to getting locked to the malicious
>> mirror, or how they did it.
>>
>> Björn Persson
>>
> By default, the mirror list is fetched from
> http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-$releasever&arch=$basearch
> and a mirror is picked at random from the list. You can override the
> mirror used with the fast-mirror plugin, or by editing the repo
> configuration file. So yum is probably not one of the clients they
> could do that to.

Can yum install something that would overwrite its own configuration file?

> Now, if you used a DNS bug to hijack
> mirrors.fedoraproject.org, then you could lock in the mirror used by
> supplying a list that only contained pointers to the malicious mirror.
>
> Mikkel
> -- 
>
>   Do not meddle in the affairs of dragons,
> for thou art crunchy and taste good with Ketchup!
>
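A client-side check for the two mirror behaviours the thread describes (a mirror serving rolled-back metadata, or freezing it so an update is delayed), as an added example that is not from the thread or from yum itself. It assumes a repomd.xml with a numeric <revision> and a <timestamp> per <data> entry; the sample document and its values are constructed.

```python
import time
import xml.etree.ElementTree as ET

# Constructed sample of a repository's repomd.xml (hypothetical values).
REPOMD_NS = "http://linux.duke.edu/metadata/repo"
SAMPLE_REPOMD = """<?xml version="1.0" encoding="UTF-8"?>
<repomd xmlns="http://linux.duke.edu/metadata/repo">
  <revision>1218940800</revision>
  <data type="primary">
    <location href="repodata/primary.xml.gz"/>
    <timestamp>1218940800</timestamp>
  </data>
  <data type="filelists">
    <location href="repodata/filelists.xml.gz"/>
    <timestamp>1218940800</timestamp>
  </data>
</repomd>
"""


def parse_repomd(xml_text):
    """Return (revision, newest data timestamp) from a repomd.xml document.

    Assumption: <revision> is an integer (commonly the build time as a Unix
    timestamp); repositories that use another scheme would need a comparator.
    """
    root = ET.fromstring(xml_text)
    ns = {"r": REPOMD_NS}
    revision = int(root.find("r:revision", ns).text)
    stamps = [int(d.find("r:timestamp", ns).text)
              for d in root.findall("r:data", ns)]
    return revision, max(stamps)


def check_mirror(xml_text, last_seen_revision, now, max_age=7 * 86400):
    """Classify a mirror's metadata as 'ok', 'rollback' or 'stale'.

    rollback: revision is lower than one this client has already accepted,
              i.e. the mirror is serving older metadata than we trust.
    stale:    newest metadata is older than max_age seconds, i.e. the mirror
              may be withholding updates (the delay the thread worries about).
    """
    revision, newest = parse_repomd(xml_text)
    if revision < last_seen_revision:
        return "rollback"
    if now - newest > max_age:
        return "stale"
    return "ok"


if __name__ == "__main__":
    print(check_mirror(SAMPLE_REPOMD, 0, int(time.time())))  # "stale" today
```

Persisting the highest accepted revision across runs is what makes the rollback test meaningful; a client that only looks at the current download cannot tell a frozen mirror from a quiet week.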