From: Brian McWilliams <brian@pc-radio.com>
To: iwar@yahoogroups.com
Reply-To: iwar@yahoogroups.com
Date: Tue, 23 Oct 2001 20:54:34 -0400
Message-Id: <5.1.0.14.2.20011023205304.026f8060@mail-dnh.mv.net>
In-Reply-To: <200110240021.f9O0L0j29177@red.all.net>
Mailing-List: list iwar@yahoogroups.com; contact iwar-owner@yahoogroups.com
Subject: Re: [iwar] [fc:Red.Hat.7.2.GnuPG.signed.RPM.verification.fails.on.distribution.files]

Red Hat claims this is not a big deal:
http://www.newsbytes.com/news/01/171431.html

But Seifried has just published a rebuttal that says it could be:
http://www.seifried.org/security/articles/20011023-devil-in-details.html

Brian

At 08:21 PM 10/23/01, you wrote:
>Kurt Seifried Security Advisory 002 (KSSA-002)
>http://www.seifried.org/security/advisories/kssa-002.html
>
>By Kurt Seifried, kurt@seifried.org
>- --------------------------------------------------------------------------------
>
>Title:
>Red Hat 7.2 GnuPG signed RPM verification fails on distribution files
>
>Issue date:
>Oct 23, 2001
>
>History of advisory:
>Oct 23, 2001 While downloading Red Hat 7.2 Kurt Seifried noticed
>various packages were not GnuPG signed.
>
>Author:
>Kurt Seifried, kurt@seifried.org
>
>Credits:
>N/A
>
>Overview:
>Red Hat 7.2 distribution files on popular ftp sites such as
>ftp.ibiblio.org and mirrors.hpcf.upr.edu are not signed. It is
>unlikely that this is an attack as the number of sites involved makes
>it likely someone would have noticed and notified the community.
>Either Red Hat did not sign these packages, or someone subverted the
>distribution process before the files got to various sites. For Red
>Hat 7.1 please note that all files were correctly signed with the Red
>Hat GnuPG security key.
>
>Vendor Contact:
>security@redhat.com
>
>Impact:
>An attacker can create RPMs that will not appear any different from
>the real ones, as they do not need to be signed. Finding the MD5 sums
>of the files in trusted locations is very difficult (I cannot find
>any lists).
>
>Details:
>Red Hat has released Red Hat 7.2, a much anticipated release.
>Typically all the rpm distribution files are signed, making it very
>easy to verify their correctness. Since numerous packages are not
>signed it becomes trivial for an attacker to replace packages on a
>distribution site with no-one being able to easily verify that they
>have been subverted. An attacker would not even need to modify or add
>files to the package, instead they could add a preinstall,
>postinstall, preuninstall or postuninstall script that would be
>capable of compromising the system since these scripts run with root
>privileges. Packages include rpmdb-redhat and redhat-release.
>
>Solutions and workarounds:
>None available. Red Hat needs to sign the packages properly with
>GnuPG.
>
>References:
>N/A
>
>- --------------------------------------------------------------------------------
>
>Permission is granted for copying and circulating this Bulletin to
>the Internet community for the purpose of alerting them to problems,
>if and only if the bulletin is not edited or changed in any way, is
>attributed to Kurt Seifried, and provided such reproduction and/or
>distribution is performed for non-commercial purposes.
>
>Any other use of this information is prohibited. Kurt Seifried is not
>liable for any misuse of this information by any third party.
>
>- --------------------------------------------------------------------------------
>
>Last updated 10/23/2001
>
>Copyright Kurt Seifried 2001
>
>Kurt Seifried, kurt@seifried.org
>A15B BEE5 B391 B9AD B0EF
>AEB0 AD63 0B4E AD56 E574
>http://www.seifried.org/security/
>
>
>------------------
>http://all.net/
>
>Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/
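A check a defender can run against the condition the advisory describes, added here as an example and not part of the list post or the advisory: it runs rpm's own signature check over a directory of packages and flags any that carry no GnuPG signature. It assumes rpm(8) is installed and the vendor's public key has been imported; the output formats it recognises are the older `rpm -K` style ("pkg.rpm: md5 gpg OK" / "pkg.rpm: md5 OK") and the newer style ("pkg.rpm: digests signatures OK" / "pkg.rpm: digests OK").

```shell
#!/bin/sh
# Added example (not from the advisory or the list post). Assumes rpm(8) is
# installed and the vendor public key has been imported so that a properly
# signed package verifies.

# classify_checksig_line LINE: print one word for one line of `rpm -K` output:
#   bad      - a digest or signature check failed, or the key is missing
#   signed   - a GnuPG/PGP signature is present and verified
#   unsigned - only digests were checked; the package carries no signature,
#              which is the condition the advisory describes
classify_checksig_line() {
    # Drop the "file.rpm: " prefix so a file name containing "gpg" cannot
    # be mistaken for a verified signature.
    result=${1#*: }
    case "$result" in
        *"NOT OK"*) echo bad ;;
        *[Gg][Pp][Gg]*|*[Pp][Gg][Pp]*|*[Ss][Ii][Gg][Nn][Aa][Tt][Uu][Rr][Ee][Ss]*)
            echo signed ;;
        *) echo unsigned ;;
    esac
}

# audit_rpm_dir DIR: run rpm -K on every .rpm in DIR and print "<status> <file>"
# per package. Exit status is 0 only if every package is signed and verified.
audit_rpm_dir() {
    dir=$1
    rc=0
    command -v rpm >/dev/null 2>&1 || { echo "rpm not found" >&2; return 2; }
    for f in "$dir"/*.rpm; do
        [ -e "$f" ] || continue
        # rpm exits non-zero on a failed check; keep going and classify instead.
        out=$(rpm -K "$f" 2>&1) || true
        status=$(classify_checksig_line "$out")
        printf '%s %s\n' "$status" "$f"
        [ "$status" = signed ] || rc=1
    done
    return "$rc"
}

if [ "$#" -eq 1 ]; then
    audit_rpm_dir "$1"
fi
```

For a package reported as unsigned, `rpm -qp --scripts FILE` lists the install-time scriptlets the advisory warns about, so they can be reviewed before the package is installed.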
This archive was generated by hypermail 2.1.2 : 2001-12-31 20:59:56 PST