Is YUM really a secure package manager?

Mikkel L. Ellertson mikkel at infinity-ltd.com
Tue Sep 1 14:03:47 UTC 2009


Akshay Wattal wrote:
>  Hi,
>  
>  Lately I did some research on security issues related to
>  different package managers including YUM and found out that
>  there can be some vulnerabilities in YUM. So far YUM checks
>  the signature which is on each individual package. In this
>  model, the package manager has no signatures to check until
>  it gets to the point where it downloads the actual packages
>  it intends to install.
>  Keeping this in mind the vulnerabilities that are possible
>  are as follows:
>  
>  ---->Metadata Manipulation Attack: The attack in
>  this case involves a malicious party responding to a package
>  manager’s request with their own metadata. There are
>  two main things attackers can do. First, they can
>  mix-and-match the versions of packages that are listed.
>  Second, they can trick clients into thinking that packages
>  have different dependencies and provide different
>  functionality than they really do.
>  In mixing-and-matching vulnerable package versions by
>  listing them in the same metadata given to a client,
>  attackers make it more likely that, whatever new package a
>  client installs, it is installing a version with a known
>  vulnerability.
>  
I am not sure, but I think that Yum gets its dependencies from the
RPM headers, not the metadata. Also, the version number of a package
is in the RPM headers. It does not use the file name to determine
the version. So an older version of the package would not be
installed. If you mess with the headers to change the version
number, the signature would not match.

>  ---->Freeze Attack: In this attack, an attacker can keep giving
>  the client a single version of the metadata starting at one
>  point in time (that is, “freezing” the metadata). The
>  attacker can thereby prevent the client from knowing about new
>  metadata and thus about new packages that are available that fix
>  known vulnerabilities.
>  
This only works if Yum uses the same mirror all the time. This is
not the case by default.

>  ---->Endless Data Attack: It involves a malicious party
>  responding to a client request, be it for metadata or for a
>  package, with an endless stream of data. The possible
>  effects include filling up the partition where the package
>  manager saves downloaded files or exhausting memory.
>  
>  
>  These are a few "possible" vulnerabilities which can be found
>  in YUM.
>  
>  Thanks 
>  
Well, for any of these to work, the attacker has to first get on the
mirror list, or crack an existing mirror. Getting on the mirror list
would probably be easier.

Mikkel
-- 

  Do not meddle in the affairs of dragons,
for thou art crunchy and taste good with Ketchup!
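The thread circles around one design point: if only the individual packages are signed, everything the client reads before it reaches a package (the package list, versions, dependencies, freshness) is unauthenticated. The usual remedy is to sign a single root metadata document that carries checksums of every child document, and to pair that with a freshness check (against freeze attacks) and a bounded read (against endless data). The following Python is an added example written for this page; it is not code from the thread, from yum, or from Fedora. The repository layout is a constructed, simplified imitation of a repomd.xml/primary.xml pair, and an HMAC stands in for the detached GPG signature a real repository would carry (yum's `repo_gpgcheck` setting enables exactly that kind of repomd.xml signature check; the thread itself does not mention it). The revision field, key, package names and size limit are all assumptions made for the demonstration.

```python
"""Anchor all repo metadata to one signed root, then check freshness and
bound the download.  Constructed example; the repo format is simplified
and HMAC stands in for the detached GPG signature (assumption)."""
import hashlib
import hmac
import xml.etree.ElementTree as ET


class RepoError(Exception):
    """Raised for any verification failure; the client must abort."""


# --- constructed sample repository (not a real Fedora mirror) ---------------
PRIMARY_XML = b"""<metadata>
  <package name="openssl" version="1.0.0" release="2"/>
  <package name="bash" version="4.0" release="23"/>
</metadata>"""


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_repomd(primary: bytes, revision: int) -> bytes:
    """Build a minimal repomd-style root listing the checksum of the child
    metadata it vouches for, plus a revision timestamp (seconds since epoch)."""
    return (f'<repomd><revision>{revision}</revision>'
            f'<data type="primary"><checksum type="sha256">{sha256(primary)}'
            f'</checksum></data></repomd>').encode()


# Stand-in for the repository's GPG signing key (assumption: a real repo
# ships a detached OpenPGP signature over repomd.xml instead).
SIGNING_KEY = b"stand-in for the repository GPG key"


def sign(data: bytes) -> bytes:
    return hmac.new(SIGNING_KEY, data, hashlib.sha256).digest()


def verify_root(repomd: bytes, sig: bytes) -> None:
    # Root signature: without it a mirror can serve any metadata it likes.
    if not hmac.compare_digest(sign(repomd), sig):
        raise RepoError("repomd signature mismatch")


def check_fresh(repomd: bytes, now: float, max_age: float) -> None:
    # Freeze attack: a correctly signed but stale root is still refused.
    revision = int(ET.fromstring(repomd).findtext("revision"))
    if now - revision > max_age:
        raise RepoError(f"metadata is {now - revision:.0f}s old, refusing")


def check_child(repomd: bytes, primary: bytes) -> None:
    # Mix-and-match attack: the child must hash to what the signed root
    # says, so package lists cannot be swapped out independently.
    expected = ET.fromstring(repomd).find("data[@type='primary']/checksum").text
    if not hmac.compare_digest(sha256(primary), expected):
        raise RepoError("primary.xml checksum does not match repomd")


def read_bounded(chunks, limit: int) -> bytes:
    # Endless-data attack: abort once the body exceeds the limit instead of
    # filling the cache partition or exhausting memory.
    buf = bytearray()
    for chunk in chunks:
        buf.extend(chunk)
        if len(buf) > limit:
            raise RepoError(f"response exceeded {limit} bytes, aborting")
    return bytes(buf)


def verify_repo(repomd, sig, primary_chunks, *, now, max_age=86400, limit=1 << 20):
    """Apply the checks in the order a client should: signature on the root,
    freshness of the root, bounded fetch of the child, child checksum.
    Returns the package list only if every step passes."""
    verify_root(repomd, sig)
    check_fresh(repomd, now, max_age)
    primary = read_bounded(primary_chunks, limit)
    check_child(repomd, primary)
    return [p.attrib for p in ET.fromstring(primary)]
```

The order matters: the signature is checked before anything in the root is trusted, the freshness check runs before the (possibly large) child download, and the child is only parsed after its checksum matches the signed root. Feeding `verify_repo` a downgraded `primary.xml` under a valid root, a valid root that is a month old, a root with a bad signature, or a never-ending body each raises `RepoError` rather than producing a package list.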
