Bug 135813 - mirrorlists are not gpg signed
Summary: mirrorlists are not gpg signed
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: yum
Version: rawhide
Hardware: i386
OS: Linux
medium
low
Target Milestone: ---
Assignee: Jeremy Katz
QA Contact:
URL:
Whiteboard: impact=low,public=20041015
Keywords: Security
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2004-10-15 08:20 UTC by Christopher Stone
Modified: 2014-01-21 22:50 UTC (History)
3 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2006-04-19 19:57:27 UTC


Attachments (Terms of Use)

Description Christopher Stone 2004-10-15 08:20:13 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; rv:1.7.3) Gecko/20041012
Firefox/0.10.1

Description of problem:
Hackers can change mirror lists without any gpg checking and enter my
box by installing trojan horses.

Version-Release number of selected component (if applicable):
yum-2.1.7-2

How reproducible:
Always

Steps to Reproduce:
1.  Hack into fedora.redhat.com
2.  Change mirror list to evil url with trojan horses installed
3.  Wait for unsuspecting souls to download your trojan horses
4.  Become the l33t h4x0r
    

Actual Results:  Your box is broken into.

Expected Results:  mirror lists should be GPG signed.

Additional info:

Comment 1 Barry K. Nathan 2004-10-18 04:40:08 UTC
FWIW, the evil hackers will also need to sign their packages with Red
Hat's GPG keys (or other widely used GPG keys) in order for it to
succeed -- at least, if you leave GPG signature checking of packages
enabled. So, I'm not sure this is as serious as you suggest. (It would
still be a good thing to improve though.)

Comment 2 Christopher Stone 2004-10-18 04:45:45 UTC
Yes, unfortunately, the default yum.conf from Fedora does not have
gpgcheck turned on.

Comment 3 Seth Vidal 2004-10-18 04:54:02 UTC
Not in Rawhide b/c the packages in rawhide are not signed.

However, i am hoping for gpgcheck=1 to be the default for FC3 yum.conf.


Comment 4 Warren Togami 2004-10-21 02:10:36 UTC
Bringing this forward as a reminder.  If it isn't possible then please
remove "blocker".

Comment 5 Seth Vidal 2004-10-21 02:25:01 UTC
removing as a blocker. No way to get those code written and tested in
that short of a time.

all packages are gpgsigned - the mirrorlists shouldn't be a problem by
themselves.



Note You need to log in before you can comment on or make changes to this bug.