Gentoo Archives: gentoo-security

From: Russell Valentine <russ@×××××××××××××.org>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] Portage rsync security
Date: Thu, 20 Mar 2008 13:37:07
In Reply to: Re: [gentoo-security] Portage rsync security by Mansour Moufid
Mansour Moufid wrote:
> An attacker would need to be able to manipulate both the rsync server
> and the actual downloaded packages since Portage verifies checksums
> (RMD160, SHA1, SHA256, size). This is possible, as you mentioned,
> using DNS spoofing.
>

I don't think this is exactly true, since when I do an emerge --rsync I also get patches, which can get applied. It could also download a different package without a second DNS spoof. Someone could change what it is trying to download (SRC_URI), it fails to find it in the package mirrors and downloads the package from a malicious site.

Russell Valentine
--
gentoo-security@l.g.o mailing list
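To make the checksum discussion concrete, the following is an added example (not code from the thread or from Portage itself) that parses Manifest-style lines of the form `TYPE filename size ALGO hex ...` and checks a file against its entry the way the quoted text describes: size plus each listed digest (RMD160, SHA1, SHA256). The Manifest text, the distfile bytes and the patch bytes are all constructed inline. The example also lists an AUX entry for a patch to illustrate the reply's point: ebuilds, patches and the Manifest itself all arrive over the same rsync channel, so a matching digest for a tree file only shows it agrees with the Manifest it came with, not that either is the one the maintainers published.

```python
import hashlib

# Hash labels as they appear in a Manifest, mapped to hashlib names.
ALGOS = {"RMD160": "ripemd160", "SHA1": "sha1", "SHA256": "sha256"}

# Constructed sample contents standing in for a distfile and a tree patch.
SAMPLE_DISTFILE = b"pretend this is foo-1.0.tar.gz\n"
SAMPLE_PATCH = b"--- a/foo.c\n+++ b/foo.c\n@@ -1 +1 @@\n-old\n+new\n"


def _digest(algo, data):
    """Hex digest of data, or None if this hashlib lacks the algorithm
    (RIPEMD-160 is absent from some OpenSSL 3 builds)."""
    try:
        h = hashlib.new(algo)
    except ValueError:
        return None
    h.update(data)
    return h.hexdigest()


def build_manifest_line(ftype, name, data):
    """Constructed helper: emit one Manifest-style line for sample data."""
    fields = [ftype, name, str(len(data))]
    for label, algo in ALGOS.items():
        d = _digest(algo, data)
        if d is not None:
            fields += [label, d]
    return " ".join(fields)


def parse_manifest(text):
    """Parse lines 'TYPE filename size ALGO hex [ALGO hex ...]' into
    {(TYPE, filename): {"size": int, "hashes": {ALGO: hex}}}.
    Lines that do not fit the shape are skipped."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or (len(parts) - 3) % 2:
            continue
        ftype, name, size = parts[0], parts[1], int(parts[2])
        hashes = dict(zip(parts[3::2], (h.lower() for h in parts[4::2])))
        entries[(ftype, name)] = {"size": size, "hashes": hashes}
    return entries


def verify_file(entries, ftype, name, data):
    """Check data against its Manifest entry: size plus every listed hash.
    Returns a list of problems; an empty list means the file matches.
    Note that this proves agreement with the Manifest only; if the Manifest
    came from the same rsync source as the file, both could have been
    rewritten together."""
    entry = entries.get((ftype, name))
    if entry is None:
        return ["no %s entry for %s" % (ftype, name)]
    problems = []
    if len(data) != entry["size"]:
        problems.append("size mismatch")
    for label, expected in entry["hashes"].items():
        algo = ALGOS.get(label)
        if algo is None:
            problems.append("unknown hash %s" % label)
            continue
        actual = _digest(algo, data)
        if actual is None:
            continue  # algorithm unavailable locally; cannot check it
        if actual != expected:
            problems.append("%s mismatch" % label)
    return problems


# Constructed Manifest covering the distfile and a tree-side patch.
SAMPLE_MANIFEST = "\n".join([
    build_manifest_line("DIST", "foo-1.0.tar.gz", SAMPLE_DISTFILE),
    build_manifest_line("AUX", "foo-1.0-fix.patch", SAMPLE_PATCH),
]) + "\n"

if __name__ == "__main__":
    entries = parse_manifest(SAMPLE_MANIFEST)
    print("good distfile:", verify_file(entries, "DIST", "foo-1.0.tar.gz", SAMPLE_DISTFILE))
    print("tampered distfile:", verify_file(entries, "DIST", "foo-1.0.tar.gz", SAMPLE_DISTFILE + b"x"))
    print("patch from tree:", verify_file(entries, "AUX", "foo-1.0-fix.patch", SAMPLE_PATCH))
```

Running it shows an empty problem list for the untouched distfile and `size mismatch` plus hash mismatches for the altered one. The AUX check passes too, which is exactly the limitation the reply points at: the check can only be as trustworthy as the channel that delivered the Manifest.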

