How secure is Preupgrade? Answer: Not.

max maximilianbianco at gmail.com
Wed May 21 04:05:12 UTC 2008


Björn Persson wrote:
> I went ahead and read the code. I found out that the kernel and ramdisk images 
> in /boot/upgrade are *not* extracted from any PGP-signed package. They are 
> downloaded one by one, apparently from one of the mirrors 
> in "installmirrorlist".
> 
> I also found these comments:
> 
>         # FIXME - check the packages? Durrrrrrrrrrrr
> 
> # TODO: gpgcheck downloaded pkgs
> 
>                 # File exists and it's the right size.. guess it's probably OK
>                 # We should be doing some integrity checks but we don't have
>                 # anything to check it against - la la la la
> 
> The last one talks about the kernel and ramdisk images.
> 
> So no check is performed on the installer kernel before it's booted, no check 
> is performed on the installer's root filesystem before the programs therein 
> are executed, and the packages aren't checked either – at least not while the 
> trusted, already installed OS still has control.
> 
> I've got my answer: Preupgrade is not secure. I'll continue upgrading the way 
> I've done it before – either with Yum or from a DVD image on a USB stick.
> 
> Rahul Sundaram wrote:
>> gpg check is during the installation/upgrade phase.
> 
> That would be OK if the installer itself were checked before it's booted, but 
> since the installer is completely unchecked it can't be trusted to check 
> anything.
> 
>>> That still leaves the files in /boot/upgrade, which contain executable
>>> code but which are not RPM packages. Did they come out of an RPM package
>>> whose signature was checked?
>> They are.
> 
> As I wrote above, that turns out not to be the case.
> 
>> Yes but more questions about internal details on how it all works can be
>> either posted to fedora-devel list or anaconda-devel list. There might
>> be things folks have missed in the process.
> 
> The comments in the code show that the authors already know they "missed" all 
> the signature checking.
> 
> Björn Persson
> 
Well, considering that I just did an upgrade to my x86_64 using 
preupgrade, this is bad news indeed, but at least you thought to ask the 
question. Thanks!! We should avoid taking things for granted, especially 
when the resources to verify are available. AHHHH, the sweet smell of 
open source. I am willing to be a guinea pig if one is needed because: 
1. a useful tool is hard to find
2. it worked well for me (I haven't noticed any glitches that everyone else isn't having)
3. we should at no time sacrifice our security in the name of getting it done on time

However, I am starting to get steamed, so I will let this go right here, 
besides which I have to blow away a completely usable install now. Boy, 
am I glad I used the preupgrade tool. Someone please tell me it's April 1, 
tell me Björn is wrong or I am dyslexic....

-- 
On the eighth day he said "There shall be no rest for the weary."

On the ninth day he farted, and it smelled like sulphur.
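As an added illustration (not code from preupgrade or from anyone in this thread), here is the "exists and right size" check the quoted comments describe placed beside a digest check against a SHA256SUM-style manifest, showing that a same-size substitute passes the first and fails the second. The manifest format, the image names and the sample contents are constructed assumptions, and the manifest would itself need its PGP signature verified (e.g. with gpg) before it is trusted, which this snippet does not do.

```python
import hashlib
import os
import tempfile
# Constructed sample contents; the tampered image has exactly the same length.
GENUINE = b"GENUINE KERNEL IMAGE " * 64
TAMPERED = b"TAMPERED KERNEL IMAGE" * 64

def size_only_check(path, expected_size):
    """The check the quoted comments describe: file exists and has the right size."""
    return os.path.exists(path) and os.path.getsize(path) == expected_size

def parse_manifest(text):
    """Parse SHA256SUM-style lines ('<hex>  <name>') into {name: hex}."""
    digests = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            digest, name = line.split(None, 1)
            digests[name.lstrip("*")] = digest.lower()
    return digests

def digest_check(path, expected_hex):
    """Hash the file in chunks and compare with the (signed) manifest digest."""
    if not os.path.exists(path):
        return False
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest() == expected_hex

def verify_upgrade_dir(upgrade_dir, manifest_text, expected_sizes):
    """Return {name: (size_ok, digest_ok)} for every image the manifest lists."""
    results = {}
    for name, expected_hex in parse_manifest(manifest_text).items():
        path = os.path.join(upgrade_dir, name)
        results[name] = (size_only_check(path, expected_sizes.get(name, -1)),
                         digest_check(path, expected_hex))
    return results

def demo():
    """Constructed scenario: genuine initrd.img, same-size tampered vmlinuz."""
    manifest = "\n".join(
        "%s  %s" % (hashlib.sha256(GENUINE).hexdigest(), name)
        for name in ("vmlinuz", "initrd.img"))
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("vmlinuz", TAMPERED), ("initrd.img", GENUINE)):
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)  # vmlinuz stands in for an image altered in transit
        return verify_upgrade_dir(d, manifest, {n: len(GENUINE) for n in ("vmlinuz", "initrd.img")})
```

Running demo() shows vmlinuz reported as (True, False): the size check accepts it, the digest check rejects it.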
