Bug 135813 - mirrorlists are not gpg signed
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: yum
Version: rawhide
Hardware: i386 Linux
Priority: medium
Severity: low
Assigned To: Jeremy Katz
Whiteboard: impact=low,public=20041015
Keywords: Security
Reported: 2004-10-15 04:20 EDT by Christopher Stone
Modified: 2014-01-21 17:50 EST
Doc Type: Bug Fix
Last Closed: 2006-04-19 15:57:27 EDT
Attachments: None
Description Christopher Stone 2004-10-15 04:20:13 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; rv:1.7.3) Gecko/20041012 Firefox/0.10.1

Description of problem:
Hackers can change mirror lists without any gpg checking and enter my
box by installing trojan horses.

Version-Release number of selected component (if applicable):
yum-2.1.7-2

How reproducible:
Always

Steps to Reproduce:
1.  Hack into fedora.redhat.com
2.  Change mirror list to evil url with trojan horses installed
3.  Wait for unsuspecting souls to download your trojan horses
4.  Become the l33t h4x0r
Actual Results:  Your box is broken into.

Expected Results:  mirror lists should be GPG signed.

Additional info:
Comment 1 Barry K. Nathan 2004-10-18 00:40:08 EDT
FWIW, the evil hackers will also need to sign their packages with Red
Hat's GPG keys (or other widely used GPG keys) in order for it to
succeed -- at least, if you leave GPG signature checking of packages
enabled. So, I'm not sure this is as serious as you suggest. (It would
still be a good thing to improve though.)
Comment 2 Christopher Stone 2004-10-18 00:45:45 EDT
Yes, unfortunately, the default yum.conf from Fedora does not have
gpgcheck turned on.
Comment 3 Seth Vidal 2004-10-18 00:54:02 EDT
Not in Rawhide b/c the packages in rawhide are not signed.

However, i am hoping for gpgcheck=1 to be the default for FC3 yum.conf.
Comment 4 Warren Togami 2004-10-20 22:10:36 EDT
Bringing this forward as a reminder.  If it isn't possible then please
remove "blocker".
Comment 5 Seth Vidal 2004-10-20 22:25:01 EDT
removing as a blocker. No way to get that code written and tested in
that short of a time.

all packages are gpgsigned - the mirrorlists shouldn't be a problem by
themselves.
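Comments 2, 3 and 5 turn on one setting: whether yum's gpgcheck is enabled, since an unsigned mirrorlist only matters if the packages it leads to are installed without signature verification. The following is an added example, not code from this bug report or from yum itself: a small audit that reads a yum-style configuration, reports repositories that end up with gpgcheck off (honouring the `[main]` default the way yum does), and, as an extra check not raised in the thread, flags mirrorlist or baseurl entries fetched over plain http, where the list can be altered in transit. The sample configuration and the `mirrors.example.invalid` hostnames are constructed for the example; `harden_config` shows the corrected form beside the weak one.

```python
import configparser
from io import StringIO

# Constructed sample in yum.conf syntax; hostnames and repo names are made up
# for this example and are not Fedora's real configuration.
SAMPLE_YUM_CONF = """\
[main]
gpgcheck=0
keepcache=0

[fedora]
name=Fedora Core $releasever - $basearch
mirrorlist=http://mirrors.example.invalid/fedora-core-$releasever
enabled=1

[updates-released]
name=Fedora Core $releasever - $basearch - Released Updates
mirrorlist=https://mirrors.example.invalid/updates-$releasever
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora

[extras-disabled]
name=Disabled repo, skipped by the audit
baseurl=http://mirrors.example.invalid/extras
enabled=0
"""


def parse_yum_config(text):
    """Parse yum.conf / .repo text. Interpolation is off so '%' in URLs is literal."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def audit_repos(text):
    """Return (repo, issue_code, message) tuples for enabled repositories.

    Issue codes:
      gpgcheck-disabled  - packages from this repo would install unverified
      plaintext-url      - mirrorlist/baseurl fetched over http://
    """
    cp = parse_yum_config(text)
    # yum treats repo options in [main] as defaults for every repo section.
    main_gpgcheck = cp.get("main", "gpgcheck", fallback="0") if cp.has_section("main") else "0"
    findings = []
    for repo in cp.sections():
        if repo == "main":
            continue
        if cp.get(repo, "enabled", fallback="1").strip() == "0":
            continue  # disabled repos cannot be used for installs; skip them
        gpgcheck = cp.get(repo, "gpgcheck", fallback=main_gpgcheck).strip()
        if gpgcheck != "1":
            findings.append((repo, "gpgcheck-disabled",
                             "packages from this repo are installed without signature checks; "
                             "a tampered mirrorlist could point at trojaned packages"))
        for key in ("mirrorlist", "baseurl"):
            url = cp.get(repo, key, fallback=None)
            if url and url.strip().lower().startswith("http://"):
                findings.append((repo, "plaintext-url",
                                 f"{key} is fetched over plain http and can be altered in transit"))
    return findings


def harden_config(text):
    """Return the configuration text with gpgcheck=1 set in [main] and every repo."""
    cp = parse_yum_config(text)
    if not cp.has_section("main"):
        cp.add_section("main")
    cp.set("main", "gpgcheck", "1")
    for repo in cp.sections():
        if repo != "main":
            cp.set(repo, "gpgcheck", "1")
    out = StringIO()
    cp.write(out)
    return out.getvalue()


if __name__ == "__main__":
    for repo, code, msg in audit_repos(SAMPLE_YUM_CONF):
        print(f"[{repo}] {code}: {msg}")
    print("--- after hardening ---")
    for repo, code, msg in audit_repos(harden_config(SAMPLE_YUM_CONF)):
        print(f"[{repo}] {code}: {msg}")
```

Run against the constructed sample, the `fedora` repo is reported for both issues because it inherits `gpgcheck=0` from `[main]`, `updates-released` passes, and the disabled repo is skipped; after `harden_config` only the plain-http finding remains, which is the point of Comment 5: with signatures enforced, a bad mirrorlist on its own cannot push unsigned packages onto the box.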