Bug 3042 - Missing Installing Security against System compromise
Summary: Missing Installing Security against System compromise
Status: RESOLVED DUPLICATE of bug 6356
Alias: None
Product: Portage Development
Classification: Unclassified
Component: Core
Hardware: All Linux
Importance: High major
Assignee: Daniel Robbins (RETIRED)
Reported: 2002-05-26 07:16 UTC by Martin
Modified: 2011-10-30 22:36 UTC

Description Martin 2002-05-26 07:16:10 UTC
If I were to re-route an rsync request to my "evil" server (e.g. by manipulating a
DNS server), pretending a new portage (with new checksums) is available, and
then also redirect the emerge requests to my "evil" server, I could rather
easily compromise Gentoo's integrity. This would just be another "man in the
middle" attack, I guess.

I don't see it as that necessary to encrypt rsync or emerge (the only information
one could get from that is what I have installed on my system - though this
might be a security concern as well, since someone might find out that I have
not applied a security patch), but hijacking portage gives access to the whole
updating structure; modified packages could be installed without noticing anything.

I suggest rsync/portage should be given some kind of signature, so that it is
(rather) sure that I will only install the _real_ Gentoo packages. I'm sorry
that I'm not a good enough coder to give explicit suggestions on how such a
signature could be verified.
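
The scenario in the description, as an added example that is not part of the original report or of Portage's code: a checksum manifest fetched from the same source as the package accepts a substituted tree, while a manifest signature checked against a key already pinned on the client rejects it. Ed25519, the `Mirror` type, the file name and all sample data are assumptions constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Mirror is what one sync source delivers; every field crosses the network.
type Mirror struct{ Pkg, Manifest, Sig []byte }

// publish builds a tree: package, manifest with its SHA-256, manifest signature.
func publish(pkg []byte, key ed25519.PrivateKey) Mirror {
	sum := sha256.Sum256(pkg)
	m := []byte("app-1.0.tar " + hex.EncodeToString(sum[:]) + "\n")
	return Mirror{Pkg: pkg, Manifest: m, Sig: ed25519.Sign(key, m)}
}

// checksumOnly trusts the manifest simply because it arrived with the package.
func checksumOnly(m Mirror) error {
	sum := sha256.Sum256(m.Pkg)
	if !bytes.Contains(m.Manifest, []byte(hex.EncodeToString(sum[:]))) {
		return errors.New("checksum mismatch")
	}
	return nil
}

// signedCheck verifies the manifest with a key the client already holds,
// and only then compares the package against the manifest's checksum.
func signedCheck(m Mirror, pinned ed25519.PublicKey) error {
	if !ed25519.Verify(pinned, m.Manifest, m.Sig) {
		return errors.New("manifest signature invalid")
	}
	return checksumOnly(m)
}

// demo returns constructed data: pinned key, genuine tree, substituted tree.
func demo() (ed25519.PublicKey, Mirror, Mirror) {
	project := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{1}, 32))
	other := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{2}, 32))
	pinned := project.Public().(ed25519.PublicKey)
	return pinned, publish([]byte("real package"), project), publish([]byte("modified package"), other)
}

func main() {
	pinned, good, evil := demo()
	fmt.Println("substituted tree:", checksumOnly(evil), "/", signedCheck(evil, pinned))
	fmt.Println("genuine tree:", signedCheck(good, pinned))
}
```

The check only holds if the pinned public key reaches the client out of band (for example with the install media), not over the same sync channel.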
Comment 1 SpanKY gentoo-dev 2002-09-14 23:42:48 UTC

*** This bug has been marked as a duplicate of 6356 ***