Bug 171530 - security: Maelstrom RPM unsigned, DoS's up2date
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: Maelstrom
Version: 4
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Karsten Hopp
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2005-10-22 13:07 UTC by Graham Leggett
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2005-10-23 14:15:38 UTC
Type: ---
Embargoed:



Description Graham Leggett 2005-10-22 13:07:41 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7

Description of problem:
The current mirrored copy of the Maelstrom RPM for i386 for Fedora Core 4 is unsigned, and thus up2date bombs out when attempting to update this file.

This DoS's the up2date system until Maelstrom is removed.



Version-Release number of selected component (if applicable):
Maelstrom (standard version as shipped on FC4 DVD)

How reproducible:
Always

Steps to Reproduce:
xxx

Additional info:

Comment 1 Andre Robatino 2005-10-23 01:29:17 UTC
  You may not have the Fedora Extras GPG key installed.  If this is the case,
up2date will falsely claim that the file is unsigned, when the only problem is
that the corresponding key is not installed.  To make sure, go into
/etc/pki/rpm-gpg and install the GPG key (as root) with

rpm --install RPM-GPG-KEY-fedora-extras

  I have Maelstrom installed and didn't have this problem when installing.  In
addition I just verified that

http://download.fedora.redhat.com/pub/fedora/linux/extras/4/i386/Maelstrom-3.0.6-8.i386.rpm

is properly signed with key 1ac70ce6.

Comment 2 Graham Leggett 2005-10-23 12:07:33 UTC
I tried to install the key (no idea why on earth the Fedora Core 4 upgrade
process doesn't install it, but regardless) and the install attempt hangs for no
apparent reason:

[root@phoebe rpm-gpg]# rpm --install RPM-GPG-KEY-fedora-extras
^C

[root@phoebe rpm-gpg]#


Comment 3 Graham Leggett 2005-10-23 14:15:38 UTC
Just figured it out - it was rpm --import instead of --install.

Closing this bug, as the problem is with the FC4 setup and not Maelstrom.

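The thread turns on telling a package that carries no signature apart from one that is signed with a key the local rpm keyring lacks. The sketch below is an added example, not part of the bug report or of Fedora's tooling: it classifies the text of `rpm -Kv <package>` output, and it assumes the output line format shown in the constructed samples; `classify_sig` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: classify `rpm -Kv <package>` output read from stdin.
# Prints: unsigned | bad-signature | missing-key <keyid> | signed-ok | unknown
classify_sig() {
    # Signature result lines contain the word "signature"; digest lines do not.
    sig_lines=$(grep -i 'signature' || true)
    if [ -z "$sig_lines" ]; then
        echo "unsigned"            # package carries no signature at all
    elif printf '%s\n' "$sig_lines" | grep -q 'BAD'; then
        echo "bad-signature"       # signature present but does not verify
    elif printf '%s\n' "$sig_lines" | grep -q 'NOKEY'; then
        # Signed, but the signer's public key is not in the rpm keyring.
        keyid=$(printf '%s\n' "$sig_lines" |
                sed -n 's/.*key ID \([0-9A-Fa-f]*\).*/\1/p' | head -n 1)
        echo "missing-key $keyid"
    elif printf '%s\n' "$sig_lines" | grep -q ': OK'; then
        echo "signed-ok"
    else
        echo "unknown"
    fi
}

# Constructed sample outputs (digest values replaced by the word "constructed").
SAMPLE_NOKEY='Maelstrom-3.0.6-8.i386.rpm:
    Header V3 DSA signature: NOKEY, key ID 1ac70ce6
    Header SHA1 digest: OK (constructed)
    MD5 digest: OK (constructed)
    V3 DSA signature: NOKEY, key ID 1ac70ce6'
SAMPLE_UNSIGNED='Maelstrom-3.0.6-8.i386.rpm:
    Header SHA1 digest: OK (constructed)
    MD5 digest: OK (constructed)'
SAMPLE_OK='Maelstrom-3.0.6-8.i386.rpm:
    Header V3 DSA signature: OK, key ID 1ac70ce6
    Header SHA1 digest: OK (constructed)
    MD5 digest: OK (constructed)
    V3 DSA signature: OK, key ID 1ac70ce6'

for sample in "$SAMPLE_NOKEY" "$SAMPLE_UNSIGNED" "$SAMPLE_OK"; do
    printf '%s\n' "$sample" | classify_sig
done
```

On a live system the function would be fed with `rpm -Kv Maelstrom-3.0.6-8.i386.rpm 2>&1 | classify_sig`. A `missing-key` result points at the keyring rather than the package, and is resolved with `rpm --import` on the matching key file under /etc/pki/rpm-gpg.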
