Bug 509338 - preupgrade does not securely verify update information, installer images and probably packages or warn about this
Summary: preupgrade does not securely verify update information, installer images and ...
Keywords:
Status: CLOSED DUPLICATE of bug 998
Alias: None
Product: Fedora
Classification: Fedora
Component: preupgrade
Version: 10
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Seth Vidal
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2009-07-02 10:17 UTC by Till Maas
Modified: 2014-01-21 23:10 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-07-02 14:42:53 UTC
Type: ---
Embargoed:



Description Till Maas 2009-07-02 10:17:09 UTC
Description of problem:
preupgrade does not verify whether the executed and installed code is really from Fedora, or warn that it does not check this.

The generic update information seems to be downloaded without any verification, e.g. SSL:
http://mirrors.fedoraproject.org/releases.txt

The kernel / installation images are not verified afaics. Afaik there is currently also no easy way to do this, except to download the iso, verify it and use the installation images (vmlinuz, initrd.img, install.img) from there.

According to a comment in one source file, the downloaded packages are not gpg checked:

preupgrade/__init__.py
| # TODO: gpgcheck downloaded pkgs

All this seems not to be publicly announced, e.g. the preupgrade GUI does not warn that one is going to do something very insecure, and the README file does not mention this either.


Version-Release number of selected component (if applicable):
preupgrade-1.1.0-1.fc10

Comment 1 Will Woods 2009-07-02 14:42:53 UTC
Preupgrade verifies the checksum of the downloaded kernel/initrd/installer runtime; it's up to anaconda to check the checksums of the packages.

*** This bug has been marked as a duplicate of bug 998 ***

Comment 2 Till Maas 2009-07-02 15:05:25 UTC
(In reply to comment #1)
> Preupgrade verifies the checksum of the downloaded kernel/initrd/installer
> runtime; it's up to anaconda to check the checksums of the packages.

If you mean that it checks that the checksums within the .treeinfo file match the checksums of the kernel/initrd/installer runtime, then you are right. But how does preupgrade verify that the checksums in the .treeinfo file are trustworthy? I do not see any trace in the code that shows that the file is verified.

Comment 3 Till Maas 2009-07-02 15:42:02 UTC
(In reply to comment #1)
> Preupgrade verifies the checksum of the downloaded kernel/initrd/installer
> runtime; it's up to anaconda to check the checksums of the packages.

Some more additions:
You did not respond about releases.txt not being verified, and also it is not 100% clear that anaconda should gpg-verify the packages in case they are coming from a trusted source like verified disk images. In the case of an installation from a hard disk, it is not so clear, because if the packages are copied from the verified iso image, then there is no problem. But if someone got the packages from a mirror, they should be checked. Btw. nevertheless preupgrade needs to provide the necessary and verified gpg keys to anaconda. Currently it does not look like anaconda has any access to these keys, because preupgrade does not fetch them.
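
An added example, not part of the bug thread and not preupgrade's code, illustrating the point raised in comment 2: checking images against the digests in `.treeinfo` only helps if `.treeinfo` itself is authenticated. The file contents are constructed samples, the function names are hypothetical, and a pinned SHA-256 of the manifest (assumed to arrive over an authenticated channel) stands in for a GPG signature check.

```python
import configparser
import hashlib
import hmac

ALLOWED = {"sha256"}  # refuse digest algorithms we have not chosen to trust

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def parse_checksums(treeinfo_text):
    """Return {path: (algo, hexdigest)} from the [checksums] section."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # file paths are case-sensitive
    cp.read_string(treeinfo_text)
    out = {}
    for path, value in cp.items("checksums"):
        algo, _, digest = value.partition(":")
        out[path] = (algo, digest)
    return out

def images_match(treeinfo_text, files):
    """Checksum-only check: every listed file must match its listed digest."""
    for path, (algo, digest) in parse_checksums(treeinfo_text).items():
        data = files.get(path)
        if algo not in ALLOWED or data is None:
            return False
        if not hmac.compare_digest(hashlib.new(algo, data).hexdigest(), digest):
            return False
    return True

def verify_tree(treeinfo_text, files, trusted_manifest_sha256):
    """Authenticate the manifest itself, then check the images against it."""
    got = sha256_hex(treeinfo_text.encode())
    if not hmac.compare_digest(got, trusted_manifest_sha256):
        return False
    return images_match(treeinfo_text, files)

def make_treeinfo(files):
    """Build a constructed manifest for the sample data below."""
    rows = [f"{p} = sha256:{sha256_hex(d)}" for p, d in files.items()]
    return "[checksums]\n" + "\n".join(rows) + "\n"

# Constructed sample data, not real Fedora images.
GOOD_FILES = {"images/pxeboot/vmlinuz": b"constructed kernel",
              "images/pxeboot/initrd.img": b"constructed initrd"}
GOOD_TREEINFO = make_treeinfo(GOOD_FILES)
TRUSTED_DIGEST = sha256_hex(GOOD_TREEINFO.encode())  # assumed authenticated
# An altered image delivered together with a manifest regenerated to match it.
BAD_FILES = {**GOOD_FILES, "images/pxeboot/vmlinuz": b"altered kernel"}
BAD_TREEINFO = make_treeinfo(BAD_FILES)
```

The checksum-only check accepts the altered pair because both files come from the same unauthenticated source; only the check anchored in an independently trusted value rejects it.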

