Gentoo Archives: gentoo-security

From: Russell Valentine <russ@×××××××××××××.org>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] Portage rsync security
Date: Thu, 20 Mar 2008 13:37:07
In Reply to: Re: [gentoo-security] Portage rsync security by Mansour Moufid
1 Mansour Moufid wrote:
2 > An attacker would need to be able to manipulate both the rsync server
3 > and the actual downloaded packages since Portage verifies checksums
4 > (RMD160, SHA1, SHA256, size). This is possible, as you mentioned,
5 > using DNS spoofing.
6 >
8 I don't think this is exactly true, since when I do a emerge --rsync I
9 also get patches, which can get applied. It could also download a
10 different package without a second DNS spoof. Someone could change what
11 it is trying to download (SRC_URI), it fails to find it in the package
12 mirrors and downloads the package from a malicious site.
15 Russell Valentine
16 --
17 gentoo-security@l.g.o mailing list


Subject Author
Re: [gentoo-security] Portage rsync security Raphael Marichez <falco@g.o>