List Archive: gentoo-security
Headers:
To: gentoo-security@g.o
From: Russell Valentine <russ@...>
Subject: Re: Portage rsync security
Date: Thu, 20 Mar 2008 08:34:31 -0500
Mansour Moufid wrote:
> An attacker would need to be able to manipulate both the rsync server
> and the actual downloaded packages since Portage verifies checksums
> (RMD160, SHA1, SHA256, size). This is possible, as you mentioned,
> using DNS spoofing.
> 

I don't think this is exactly true, since when I do an emerge --rsync I
also get patches, which can get applied. It could also download a
different package without a second DNS spoof. Someone could change what
it is trying to download (SRC_URI); it fails to find it in the package
mirrors and downloads the package from a malicious site.


Russell Valentine
-- 
gentoo-security@g.o mailing list
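The point made above, as an added illustration that is not part of the thread: Portage's Manifest check (size plus per-file digests) only proves that a distfile matches the Manifest it was served with, so a party who controls the rsync tree can regenerate the Manifest for a substituted file and the check still passes. The script below is constructed for this page; the package name and file contents are made up, RMD160 is left out because hashlib support for it varies, and the "pinned digest" stands in for a signature over the tree itself.

```python
import hashlib
import hmac

DISTFILE_NAME = "foo-1.0.tar.gz"                      # constructed, not a real package
GOOD_DISTFILE = b"upstream tarball contents (constructed)\n"
EVIL_DISTFILE = b"tampered tarball contents (constructed)\n"

def make_manifest(name, data):
    """Build one Manifest DIST line in the form Portage records (RMD160 omitted:
    hashlib support for it varies by build)."""
    return "DIST %s %d SHA1 %s SHA256 %s\n" % (
        name, len(data), hashlib.sha1(data).hexdigest(), hashlib.sha256(data).hexdigest())

def parse_manifest(text):
    """Map distfile name -> (size, {hash name: hex digest}) from DIST lines."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "DIST":
            continue
        digests = dict(zip(parts[3::2], parts[4::2]))
        entries[parts[1]] = (int(parts[2]), digests)
    return entries

def verify_distfile(manifest_text, name, data):
    """The check Portage performs: size and every listed digest must match."""
    entry = parse_manifest(manifest_text).get(name)
    if entry is None:
        return False
    size, digests = entry
    if len(data) != size:
        return False
    return all(hmac.compare_digest(hashlib.new(alg.lower(), data).hexdigest(), expected)
               for alg, expected in digests.items())

def verify_manifest_pinned(manifest_text, pinned_sha256):
    """Stand-in for a signature over the tree: the Manifest itself must match a
    digest obtained out of band, so a regenerated Manifest is rejected."""
    actual = hashlib.sha256(manifest_text.encode()).hexdigest()
    return hmac.compare_digest(actual, pinned_sha256)

# Trusted tree as shipped, and the digest an out-of-band check would pin.
TRUSTED_MANIFEST = make_manifest(DISTFILE_NAME, GOOD_DISTFILE)
PINNED_DIGEST = hashlib.sha256(TRUSTED_MANIFEST.encode()).hexdigest()
# Tree as served by a compromised rsync mirror: Manifest regenerated for the bad file.
TAMPERED_MANIFEST = make_manifest(DISTFILE_NAME, EVIL_DISTFILE)

if __name__ == "__main__":
    print("good file, trusted Manifest:", verify_distfile(TRUSTED_MANIFEST, DISTFILE_NAME, GOOD_DISTFILE))
    print("bad file, tampered Manifest:", verify_distfile(TAMPERED_MANIFEST, DISTFILE_NAME, EVIL_DISTFILE))
    print("tampered Manifest vs pinned digest:", verify_manifest_pinned(TAMPERED_MANIFEST, PINNED_DIGEST))
```

The second line of output is the problem the message describes: the file-level check passes because the Manifest came from the same untrusted source; only a check anchored outside the tree (the third line) catches it.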

