Is YUM really a secure package manager?

Akshay Wattal akshay_wattal at yahoo.com
Mon Aug 31 18:06:51 UTC 2009


 Hi,
 
 Lately I did some research on security issues related to
 different package managers, including YUM, and found out that
 there can be some vulnerabilities in YUM. So far YUM checks
 the signature which is on each individual package. In this
 model, the package manager has no signatures to check until
 it gets to the point where it downloads the actual packages
 it intends to install.
 Keeping this in mind, the vulnerabilities that are possible
 are as follows:
 
 ---->Metadata Manipulation Attack: The attack in
 this case involves a malicious party responding to a package
 manager’s request with metadata of their own making. There are
 two main things attackers can do. First, they can
 mix-and-match the versions of packages that are listed.
 Second, they can trick clients into thinking that packages
 have different dependencies and provide different
 functionality than they really do.
 By mixing and matching vulnerable package versions, listing
 them in the same metadata given to a client,
 attackers make it more likely that, whatever new package a
 client installs, it is installing a version with a known
 vulnerability.
 
 ---->Freeze Attack: In this attack an attacker keeps giving
 the client a single version of the metadata starting at one
 point in time (that is, “freezing” the metadata). This way the
 attacker can prevent the client from knowing about new
 metadata, and thus about new packages that are available that
 fix known vulnerabilities.
 
 ---->Endless Data Attack: It involves a malicious party
 responding to a client request, be it for metadata or for a
 package, with an endless stream of data. The possible
 effects include filling up the partition where the package
 manager saves downloaded files or exhausting memory.
 
 
 These are a few "possible" vulnerabilities which can be found
 in YUM.
 
 Thanks 
 
 



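The three attacks in the post can be replayed against a small client that checks the things a package manager would need to check to resist them: one signature over the whole metadata document (so entries cannot be mixed and matched or dependencies rewritten), an expiry and a monotonic generation timestamp (so a frozen or rolled-back copy is refused), and a hard byte cap on what is read from the server (so an endless stream cannot fill the disk or memory). This is an added example written for this page; it is not yum's code and not part of the original message. Everything in it is an assumption: the JSON envelope format, the HMAC-SHA256 over the canonical document with a pre-shared key (a stand-in for a GPG-signed repomd.xml, not how yum signs anything), the integer timestamps, and the package list, which is constructed.

```python
"""Toy repository client hardened against metadata manipulation,
freeze/rollback and endless-data responses. Added example, NOT yum's code.

Assumptions (not from the original message): the repository publishes one
envelope {metadata, generated, expires, signature}; 'signature' is an
HMAC-SHA256 over the canonical JSON of the other three fields, keyed with a
key the client already trusts (stand-in for a GPG-signed repomd.xml);
'generated'/'expires' are integer timestamps; the client remembers the
newest 'generated' value it has accepted.
"""
import hashlib
import hmac
import io
import json

MAX_METADATA_BYTES = 1024 * 1024  # hard cap on what we will read (1 MiB)


class RepoError(Exception):
    """Raised whenever the client refuses the server's response."""


def canonical(obj):
    # Deterministic encoding so signer and verifier hash identical bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_metadata(key, metadata, generated, expires):
    # Repository side: ONE signature covers the whole package list, so an
    # attacker cannot mix-and-match entries or rewrite dependencies.
    body = canonical({"metadata": metadata, "generated": generated, "expires": expires})
    sig = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"metadata": metadata, "generated": generated, "expires": expires, "signature": sig}


def read_bounded(stream, limit):
    # Endless-data defense: read at most limit+1 bytes and refuse anything
    # bigger, instead of draining the stream into RAM or the download partition.
    data = stream.read(limit + 1)
    if len(data) > limit:
        raise RepoError("metadata exceeds %d bytes" % limit)
    return data


def verify_envelope(key, raw, now, last_generated):
    env = json.loads(raw)
    body = canonical({k: env[k] for k in ("metadata", "generated", "expires")})
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, env["signature"]):
        raise RepoError("metadata signature mismatch")          # manipulation
    if now > env["expires"]:
        raise RepoError("metadata expired")                     # freeze (stale copy)
    if env["generated"] < last_generated:
        raise RepoError("metadata older than previously seen")  # rollback
    return env["metadata"], env["generated"]


def fetch_metadata(key, stream, now, state):
    raw = read_bounded(stream, MAX_METADATA_BYTES)
    metadata, generated = verify_envelope(key, raw, now, state.get("generated", 0))
    state["generated"] = generated  # only advance after every check passed
    return metadata


class EndlessStream:
    """Constructed stand-in for a malicious server that never stops sending."""
    def read(self, n=-1):
        if n < 0:
            raise RepoError("refusing unbounded read")
        return b"A" * n


def as_stream(envelope):
    return io.BytesIO(json.dumps(envelope).encode())


def attempt(action):
    try:
        action()
        return "ok"
    except RepoError as err:
        return str(err)


def run_scenarios():
    """Replay each attack against the client; returns scenario -> outcome."""
    key = b"trusted-repo-signing-key"  # assumption: pre-shared, like a repo GPG key
    good = {"openssl": {"version": "1.0.0-2", "requires": ["glibc"]}}  # constructed
    honest = sign_metadata(key, good, generated=1000, expires=2000)
    state, results = {}, {}
    results["honest"] = attempt(lambda: fetch_metadata(key, as_stream(honest), 1500, state))
    # Manipulation: attacker lists an old vulnerable version but cannot re-sign.
    tampered = json.loads(json.dumps(honest))
    tampered["metadata"]["openssl"]["version"] = "0.9.8-1"
    results["tampered"] = attempt(lambda: fetch_metadata(key, as_stream(tampered), 1500, state))
    # Freeze: the genuine, correctly signed envelope is replayed past its expiry.
    results["frozen"] = attempt(lambda: fetch_metadata(key, as_stream(honest), 2500, state))
    # Rollback variant: a genuine but older snapshot that is still unexpired.
    older = sign_metadata(key, good, generated=500, expires=3000)
    results["rollback"] = attempt(lambda: fetch_metadata(key, as_stream(older), 1500, state))
    # Endless data: the server streams forever; the client stops at the cap.
    results["endless"] = attempt(lambda: fetch_metadata(key, EndlessStream(), 1500, state))
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print("%-9s %s" % (name, outcome))
```

Running the script prints "ok" for the honest mirror and a refusal reason for each of the four attack replays. The order of checks matters: the signature is verified before any timestamp is trusted, the accepted generation counter is only advanced after every check passes, and the size cap is enforced before the response is even parsed, so none of the attacks can influence the client's state.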