List Archive: gentoo-security
Headers:
To: gentoo-security@g.o
From: Raphael Marichez <falco@g.o>
Subject: Re: Portage rsync security
Date: Mon, 14 Apr 2008 18:34:03 +0200
On Thu, 20 Mar 2008, Russell Valentine wrote:

> Mansour Moufid wrote:
>> An attacker would need to be able to manipulate both the rsync server
>> and the actual downloaded packages since Portage verifies checksums
>> (RMD160, SHA1, SHA256, size). This is possible, as you mentioned,
>> using DNS spoofing.
>
> I don't think this is exactly true, since when I do a emerge --rsync I also 
> get patches, which can get applied. It could also download a different 
> package without a second DNS spoof. Someone could change what it is trying 
> to download (SRC_URI), it fails to find it in the package mirrors and 
> downloads the package from a malicious site.
>

Hi all,

indeed the patches are MD5-checked against the Manifest files in the
portage tree itself, so I can't assure any integrity of the patches that
reside in the portage tree, in the case my rsync server is compromised or
spoofed.

There is no point in enforcing cryptography on the transport layer,
since this would prevent one from making one's own local mirror as
described in:
http://www.gentoo.org/doc/en/rsync.xml#doc_chap2

Since the Gentoo main rsync mirrors list will change sometimes, it's
also difficult (but still feasible) to maintain a secured transport with
each of the main mirrors, with /etc/hosts, netfilter, or whatever else
is IP-based. And that does not protect from a remote server
compromise.

The integrity check is currently being implemented at the data level,
not the host level, through the way of GPG signatures of Manifest files:
http://www.gentoo.org/proj/en/devrel/handbook/handbook.xml?part=2&chap=6

As of today, 2483 Manifest files are signed, and 10065 are not.
Obviously, the most used packages are often those which are signed.
You also have to manually download the GPG public keys and trust them if
you want.

-- 
Raphael Marichez aka Falco
Gentoo Linux Security Team
Attachment:
pgpkDh2P40xiX.pgp (PGP signature)
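The data-level check the message describes (every file in the tree, patches included, listed in a Manifest with size and hashes, and the Manifest itself only trustworthy once it is GPG-signed) as an added example; this is not Portage's code and not part of the original thread. The "tree" is a handful of constructed in-memory files so it runs offline, the Manifest is generated in the Manifest2 style (AUX/EBUILD/DIST lines, here with SHA1 and SHA256 only, no RMD160), and the signed/unsigned distinction is made by detecting a PGP clearsign wrapper; the signature itself is not checked here, that is what `gpg --verify` is for.

```python
#!/usr/bin/env python3
"""Manifest-based integrity checks for a Gentoo-style tree (added example).

Constructed example, not Portage's own code. It hashes a few in-memory
'files', verifies them against a Manifest2-style listing (size, SHA1,
SHA256), rejects files the Manifest does not list (an unlisted patch is
exactly how a tampered rsync tree would slip something in), and reports a
Manifest without PGP clearsign armor as unsigned. It does NOT verify the
PGP signature; run gpg --verify on the Manifest for that.
"""
import hashlib
import re

# Constructed tree: an ebuild, a patch under files/ (AUX) and a distfile.
FILES = {
    "foo-1.0.ebuild": b'EAPI=1\nSRC_URI="mirror://example/foo-1.0.tar.bz2"\n',
    "files/foo-fix.patch": b"--- a/foo.c\n+++ b/foo.c\n@@ -1 +1 @@\n-old\n+new\n",
    "foo-1.0.tar.bz2": b"BZh9" + b"constructed tarball body, not a real archive",
}
TYPE_FOR = {
    "foo-1.0.ebuild": "EBUILD",
    "files/foo-fix.patch": "AUX",
    "foo-1.0.tar.bz2": "DIST",
}


def digests(data: bytes) -> dict:
    """Hashes we can compute locally (RMD160 is skipped: not always in hashlib)."""
    return {"SHA1": hashlib.sha1(data).hexdigest(),
            "SHA256": hashlib.sha256(data).hexdigest()}


def manifest_line(ftype: str, path: str, data: bytes) -> str:
    # AUX entries are listed relative to files/, everything else by name.
    listed = path[len("files/"):] if ftype == "AUX" else path
    d = digests(data)
    return f"{ftype} {listed} {len(data)} SHA1 {d['SHA1']} SHA256 {d['SHA256']}"


def build_manifest(files: dict, types: dict) -> str:
    return "\n".join(manifest_line(types[p], p, b) for p, b in files.items()) + "\n"


# Clearsigned Manifest: armor header, optional Hash: line, blank line, body,
# then the detached-style signature block. Manifest lines never start with
# '-', so gpg's dash-escaping does not come into play here.
CLEARSIGN_RE = re.compile(
    r"-----BEGIN PGP SIGNED MESSAGE-----\n(?:Hash: [^\n]*\n)?\n(.*?)"
    r"-----BEGIN PGP SIGNATURE-----", re.S)


def unwrap_manifest(text: str):
    """Return (is_signed, body). Detects armor only; does not check the signature."""
    m = CLEARSIGN_RE.search(text)
    return (True, m.group(1)) if m else (False, text)


def parse_manifest(body: str) -> dict:
    """Map tree path -> (type, size, {hash name: hex})."""
    entries = {}
    for line in body.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        ftype, name, size = parts[0], parts[1], int(parts[2])
        hashes = dict(zip(parts[3::2], parts[4::2]))
        path = "files/" + name if ftype == "AUX" else name
        entries[path] = (ftype, size, hashes)
    return entries


def verify_tree(manifest_text: str, files: dict, require_signed: bool = False) -> dict:
    """Return {path: 'OK'|'MISMATCH'|'MISSING'|'UNLISTED'} or {'Manifest': 'UNSIGNED'}.

    With require_signed=True an unsigned Manifest is rejected outright: its
    checksums protect against corrupt downloads, not against a spoofed or
    compromised rsync server that can rewrite the Manifest as well.
    """
    signed, body = unwrap_manifest(manifest_text)
    if require_signed and not signed:
        return {"Manifest": "UNSIGNED"}
    entries = parse_manifest(body)
    result = {}
    for path, (_ftype, size, hashes) in entries.items():
        data = files.get(path)
        if data is None:
            result[path] = "MISSING"
            continue
        d = digests(data)
        known = {h: v for h, v in hashes.items() if h in d}
        ok = bool(known) and len(data) == size and all(d[h] == v for h, v in known.items())
        result[path] = "OK" if ok else "MISMATCH"
    for path in files:            # anything not in the Manifest is rejected
        result.setdefault(path, "UNLISTED")
    return result


if __name__ == "__main__":
    manifest = build_manifest(FILES, TYPE_FOR)
    print(manifest)
    print(verify_tree(manifest, FILES))
    print(verify_tree(manifest, FILES, require_signed=True))
```

The `require_signed` switch is the whole point of the thread: with it off, a mirror that rewrites `files/foo-fix.patch` and the matching Manifest line passes cleanly; with it on, the same tree is refused until the Manifest carries a signature that `gpg` can check against a key you chose to trust.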
References:
Portage rsync security
-- Florian Philipp
Re: Portage rsync security
-- Mansour Moufid
Re: Portage rsync security
-- Russell Valentine
Updated Jun 17, 2009

Summary: Archive of the gentoo-security mailing list.
Copyright 2001-2013 Gentoo Foundation, Inc. Questions, Comments? Contact us.