List Archive: gentoo-security
To: gentoo-security@g.o
From: will.richey@...
Subject: Re: Thoughts on Package Security
Date: Wed, 18 Feb 2004 10:51:35 -0700
On Wed, Feb 18, 2004 at 02:13:37AM -0500, Ed Grimm wrote:
> 
> And how do you know the published hash?  Are there not entities in the
> datastream that could alter both the file you download and the MD5 that
> you download?  Especially if, as I think I've seen, emerge gets the MD5
> hash from the same source as it gets the source packages.  However, even
> in the case of multiple mirrors, either the primary FTP server could've
> been cracked, or the datastream could be hijacked at the local ISP,
> inserting an altered datastream for each file.

I don't think _your_ portage gets the MD5 and package from the same source.
I don't know how the MD5 gets into the ebuild (see my last paragraph),
but I think the MD5 that gets used when you execute emerge -u xyzzy is
not collected at the same time as the source package.

I thought portage worked like this:

emerge sync:
 - get some sort of pointer to other sites from master site
 - rsync portage tree from the pointed site
now, portage tree contains info about builds AND MD5 HASHES

emerge -u xyzzy:
 - get source package from actual distributor, NOT GENTOO
 - compare MD5 of that to MD5 hash in portage tree
 - continue ebuild

So, the MD5 hash in the portage tree comes from a different server
than the source package.  So, the determined attacker would have to
control considerably more than one site.  If our hero doesn't
perform the sync and update close together in time, then the attacker
has to control the external network for a long time as well.


I have a separate concern.  I haven't read enough to know the
process by which ebuilds get committed to the portage tree.
If the submitter of the ebuild downloads the source and generates
the MD5 hash from the package, then all an attacker has to do
to compromise all gentoo distributions that use the package is
to control the distribution site from the time when the ebuild
is created until the desired number of sites are affected.  For things 
like the gnu sources (for example), there are enough mirrors that 
an ebuild submitter could get the source from a few different mirrors, 
verify that they are all hash identical (or better yet binary 
identical), then add that hash to the ebuild.  For smaller, non-
mirrored packages the trust model is shakier.  Does anyone know 
the process by which ebuilds are committed?

-wmr-
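The two checks described in the message above (the emerge-time comparison of a downloaded distfile against the hash carried by the separately synced portage tree, and the proposed submitter-side cross-check of several mirrors before recording a hash) as a small Python model. This is an added example, not code from the original post or from portage itself; the "portage tree" dictionary, the distfile contents, and all function names are constructed stand-ins, and MD5 is used only because that is what the 2004 tree recorded.

```python
import hashlib
import hmac
from typing import Dict, List, Optional

# Constructed sample distfile contents standing in for a tarball served by the
# upstream distributor; not real Gentoo data.
GENUINE_TARBALL = b"xyzzy-1.0.tar.gz: genuine upstream contents\n"
TAMPERED_TARBALL = b"xyzzy-1.0.tar.gz: contents altered at the distributor\n"
DISTFILE = "xyzzy-1.0.tar.gz"


def md5_hex(data: bytes) -> str:
    """MD5 as recorded in the 2004 portage tree; the two-channel argument does
    not depend on the digest, so a stronger one drops in unchanged."""
    return hashlib.md5(data).hexdigest()


# Hypothetical stand-in for the rsync'd portage tree: distfile name -> hash
# from the ebuild.  This is the channel that `emerge sync` populates.
PORTAGE_TREE: Dict[str, str] = {DISTFILE: md5_hex(GENUINE_TARBALL)}


def verify_distfile(name: str, downloaded: bytes, tree: Dict[str, str]) -> bool:
    """The `emerge -u` step: compare the hash of the file fetched from the
    distributor with the hash that arrived via the portage tree.  A distfile
    the tree does not know is rejected rather than trusted."""
    expected = tree.get(name)
    if expected is None:
        return False
    return hmac.compare_digest(md5_hex(downloaded), expected)


def mirror_consensus(copies: List[bytes]) -> Optional[str]:
    """The submitter-side check the message proposes: fetch the source from
    several mirrors and record a hash only if every copy is byte-identical.
    Returns None (record nothing) on any disagreement or on empty input."""
    if not copies:
        return None
    if any(copy != copies[0] for copy in copies[1:]):
        return None
    return md5_hex(copies[0])


def attacker_outcomes() -> Dict[str, bool]:
    """For each attacker model in the message, is a tampered download accepted?
    True means the tampered file passes verification."""
    # Attacker controls only the distributor: the synced tree still carries
    # the genuine hash, so the altered tarball is caught at emerge time.
    distributor_only = verify_distfile(DISTFILE, TAMPERED_TARBALL, PORTAGE_TREE)
    # Attacker controlled the distributor when the ebuild was written, so the
    # submitter recorded the tampered hash: the tree itself is poisoned.
    poisoned_tree = {DISTFILE: md5_hex(TAMPERED_TARBALL)}
    tree_poisoned = verify_distfile(DISTFILE, TAMPERED_TARBALL, poisoned_tree)
    # Same window, but the submitter cross-checked a second, still-clean
    # mirror: consensus fails and no hash is committed at all.
    cross_checked = mirror_consensus([TAMPERED_TARBALL, GENUINE_TARBALL]) is not None
    return {
        "controls_distributor_only": distributor_only,
        "tree_poisoned_at_submit_time": tree_poisoned,
        "poisoned_but_submitter_cross_checked_mirrors": cross_checked,
    }


if __name__ == "__main__":
    for scenario, accepted in attacker_outcomes().items():
        print(f"{scenario}: {'tampered file accepted' if accepted else 'tampered file rejected'}")
```

The outcomes table is the point of the message: separating the hash channel from the download channel forces an attacker to control both, while the weak link is the moment the hash is first recorded, which the mirror cross-check narrows for mirrored packages and leaves open for single-source ones.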