| 1 |
Mansour Moufid wrote: |
| 2 |
> An attacker would need to be able to manipulate both the rsync server |
| 3 |
> and the actual downloaded packages since Portage verifies checksums |
| 4 |
> (RMD160, SHA1, SHA256, size). This is possible, as you mentioned, |
| 5 |
> using DNS spoofing. |
| 6 |
> |
| 7 |
|
| 8 |
I don't think this is exactly true, since when I do a emerge --rsync I |
| 9 |
also get patches, which can get applied. It could also download a |
| 10 |
different package without a second DNS spoof. Someone could change what |
| 11 |
it is trying to download (SRC_URI), it fails to find it in the package |
| 12 |
mirrors and downloads the package from a malicious site. |
| 13 |
|
| 14 |
|
| 15 |
Russell Valentine |
| 16 |
-- |
| 17 |
gentoo-security@l.g.o mailing list |
Archives