Gentoo Archives: gentoo-security

From: Raphael Marichez <falco@g.o>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] Portage rsync security
Date: Mon, 14 Apr 2008 16:34:54
Message-Id: 20080414163403.GA1036@falco.falcal.net
In Reply to: Re: [gentoo-security] Portage rsync security by Russell Valentine
On Thu, 20 Mar 2008, Russell Valentine wrote:

> Mansour Moufid wrote:
>> An attacker would need to be able to manipulate both the rsync server
>> and the actual downloaded packages since Portage verifies checksums
>> (RMD160, SHA1, SHA256, size). This is possible, as you mentioned,
>> using DNS spoofing.
>
> I don't think this is exactly true, since when I do an emerge --rsync I also
> get patches, which can get applied. It could also download a different
> package without a second DNS spoof. Someone could change what it is trying
> to download (SRC_URI), it fails to find it in the package mirrors and
> downloads the package from a malicious site.
>
Hi all,

Indeed, the patches are MD5-checked against the Manifest files in the portage tree itself, so I can't assure any integrity of the patches that reside in the portage tree in the case where my rsync server is compromised or spoofed.

There is no point in enforcing cryptography on the transport layer, since this would prevent one from making one's own local mirror as described in:
http://www.gentoo.org/doc/en/rsync.xml#doc_chap2

Since the Gentoo main rsync mirrors list will change sometimes, it's also difficult (but still feasible) to maintain a secured transport with each of the main mirrors, with /etc/hosts, netfilter, or whatever is IP-based. And that does not protect from the remote server compromise.

The integrity check is currently being implemented at the data level, not the host level, by way of GPG signatures of Manifest files:
http://www.gentoo.org/proj/en/devrel/handbook/handbook.xml?part=2&chap=6

As of today, 2483 Manifest files are signed, and 10065 are not. Obviously, the most used packages are often those which are signed. You also have to manually download the GPG public keys and trust them if you want.

--
Raphael Marichez aka Falco
Gentoo Linux Security Team
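As an added example (not code from this thread or from Portage itself), here is the data-level check the message describes, applied to one Manifest entry: the distfile's size plus its RMD160, SHA1 and SHA256 digests. The file name, Manifest text and file contents are constructed sample data; the digests are the published test vectors for the input "abc".

```python
import hashlib

# Constructed sample: one Manifest entry for a 3-byte "distfile" whose
# contents are b"abc"; the digests are the standard test vectors for "abc".
SAMPLE_MANIFEST = (
    "DIST sample-1.0.tar.gz 3 "
    "RMD160 8eb208f7e05d987a9b044a8e98c6b087f15a0bfc "
    "SHA1 a9993e364706816aba3e25717850c26c9cd0d89d "
    "SHA256 ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad\n"
)
SAMPLE_DATA = b"abc"

# Manifest hash names -> hashlib algorithm names.
HASH_ALGOS = {"RMD160": "ripemd160", "SHA1": "sha1", "SHA256": "sha256"}

def parse_manifest(text):
    """Return {filename: {"size": int, "hashes": {NAME: hexdigest}}}."""
    entries = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[0] not in ("DIST", "AUX", "EBUILD", "MISC"):
            continue  # not an entry line (e.g. part of a GPG signature block)
        entries[f[1]] = {"size": int(f[2]), "hashes": dict(zip(f[3::2], f[4::2]))}
    return entries

def verify_file(data, entry):
    """Return (ok, report). ok requires a size match, no digest mismatch and
    at least one digest actually computed; a digest this hashlib cannot
    compute (RMD160 is missing from some OpenSSL builds) is reported, not hidden."""
    report, checked = [], 0
    if len(data) != entry["size"]:
        report.append("size mismatch: got %d, Manifest says %d" % (len(data), entry["size"]))
    for name, expected in entry["hashes"].items():
        try:
            actual = hashlib.new(HASH_ALGOS[name], data).hexdigest()
        except (KeyError, ValueError):
            report.append("%s skipped: unavailable here" % name)
            continue
        checked += 1
        if actual != expected.lower():
            report.append("%s mismatch" % name)
    return checked > 0 and not any("mismatch" in r for r in report), report

def check_distfile(manifest_text, filename, data):
    """Look the file up in the Manifest and verify it; unlisted files fail."""
    entry = parse_manifest(manifest_text).get(filename)
    if entry is None:
        return False, ["no Manifest entry for %s" % filename]
    return verify_file(data, entry)
```

Whether the Manifest itself is genuine is the separate question the message raises: its GPG signature has to be checked against a key you chose to trust before its digests mean anything.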