Bug 509338 - preupgrade does not securely verify update information, installer images and probably packages or warn about this
preupgrade does not securely verify update information, installer images and ...
Status: CLOSED DUPLICATE of bug 998
Product: Fedora
Classification: Fedora
Component: preupgrade (Show other bugs)
10
All Linux
low Severity medium
: ---
: ---
Assigned To: Seth Vidal
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2009-07-02 06:17 EDT by Till Maas
Modified: 2014-01-21 18:10 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-07-02 10:42:53 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Till Maas 2009-07-02 06:17:09 EDT
Description of problem:
preupgrade does not verify, whether the executed and installed code is really from Fedora or warn that it does not check this.

The generic update informatin seems to be downloaded without any verification, e.g. SSL:
http://mirrors.fedoraproject.org/releases.txt

The kernel / installation images are not verified afaics. Afaik there is currently also no easy way to do this, except to download the iso, verify it and use the installation images (vmlinuz, initrd.img, install.img) from there.

According to a comment in one source file, the downloaded packages are not gpg checked:

preupgrade/__init__.py
| # TODO: gpgcheck downloaded pkgs

All this seems not to be publicly announced, e.g. the preupgrade GUI does not warn that one is going to do something very insecure and the README file does not mention this, too.


Version-Release number of selected component (if applicable):
preupgrade-1.1.0-1.fc10
Comment 1 Will Woods 2009-07-02 10:42:53 EDT
Preupgrade verifies the checksum of the downloaded kernel/initrd/installer runtime; it's up to anaconda to check the checksums of the packages.

*** This bug has been marked as a duplicate of bug 998 ***
Comment 2 Till Maas 2009-07-02 11:05:25 EDT
(In reply to comment #1)
> Preupgrade verifies the checksum of the downloaded kernel/initrd/installer
> runtime; it's up to anaconda to check the checksums of the packages.

If you mean that it checks that the checksums within the .treeinfo file match the checksums of the kernel/initrd/installer runtime, then you are right. But how does preupgrade verify that the checksums in the .treeinfo file are trustworthy? I do not see any trace in the code that shows that the file is verified.
Comment 3 Till Maas 2009-07-02 11:42:02 EDT
(In reply to comment #1)
> Preupgrade verifies the checksum of the downloaded kernel/initrd/installer
> runtime; it's up to anaconda to check the checksums of the packages.

Some more additions:
You did not respond about releases.txt not being verified and also it is not 100% clear that anaconda should gpg-verify the packages in case they are coming from a trusted source like verified disk images. In the case of an installation from a harddisk, it is not so clear, because if the packages are copied from the verified iso image, then there is no problem. But if someone got the packages from a mirror, they should be checked. Btw. nevertheless preupgrade needs to provide the necessary and verified gpg keys to anaconda. Currently it does not look like anaconda has any access to these keys, because preupgrade does not fetch them.

Note You need to log in before you can comment on or make changes to this bug.