| 1 |
On Thu, 20 Mar 2008, Russell Valentine wrote: |
| 2 |
|
| 3 |
> Mansour Moufid wrote: |
| 4 |
>> An attacker would need to be able to manipulate both the rsync server |
| 5 |
>> and the actual downloaded packages since Portage verifies checksums |
| 6 |
>> (RMD160, SHA1, SHA256, size). This is possible, as you mentioned, |
| 7 |
>> using DNS spoofing. |
| 8 |
> |
| 9 |
> I don't think this is exactly true, since when I do a emerge --rsync I also |
| 10 |
> get patches, which can get applied. It could also download a different |
| 11 |
> package without a second DNS spoof. Someone could change what it is trying |
| 12 |
> to download (SRC_URI), it fails to find it in the package mirrors and |
| 13 |
> downloads the package from a malicious site. |
| 14 |
> |
| 15 |
|
| 16 |
Hi all, |
| 17 |
|
| 18 |
indeed the patches are MD5-checked against the Manifest files in the |
| 19 |
portage tree itself, so i can't assure any integrity on the patches that |
| 20 |
rely in the portage tree, in the case my rsync server is compromised or |
| 21 |
spoofed. |
| 22 |
|
| 23 |
There is no point in enforcing cryptography on the transport layer, |
| 24 |
since this would prevent from making one's own local mirror like |
| 25 |
described in : |
| 26 |
http://www.gentoo.org/doc/en/rsync.xml#doc_chap2 |
| 27 |
|
| 28 |
Since the Gentoo main rsync mirrors list will change sometimes, it's |
| 29 |
also difficult (but still feasible) to maintain a secured transport with |
| 30 |
each of the main mirrors, with /etc/hosts, netfilter, or whatever that |
| 31 |
is IP-based. And that does not protect from the remote server |
| 32 |
compromise. |
| 33 |
|
| 34 |
The integrity check is currently being implemented at the data level, |
| 35 |
not the host level, through the way of GPG signatures of Manifest files: |
| 36 |
http://www.gentoo.org/proj/en/devrel/handbook/handbook.xml?part=2&chap=6 |
| 37 |
|
| 38 |
As for today, 2483 Manifest files are signed, and 10065 are not. |
| 39 |
Obviously, the most used packages are often those which are signed. |
| 40 |
You also have to manually download the GPG public keys and trust them if |
| 41 |
you want. |
| 42 |
|
| 43 |
-- |
| 44 |
Raphael Marichez aka Falco |
| 45 |
Gentoo Linux Security Team |
Archives