Serious security risks found in Linux package managers - Linux


Results 1 to 20 of 31

Thread: Serious security risks found in Linux package managers

  1. Serious security risks found in Linux package managers



    http://news.zdnet.co.uk/security/0,1...9446765,00.htm


    The software update mechanisms used by most BSD and Linux operating systems
    can be tricked into installing buggy or known-to-be-compromised software on
    users' systems, creating serious security risks, according to new research.

    The study Package Management Security, to be published in a forthcoming
    issue of the University of Arizona Tech Report, analysed 10 package managers
    and found that all were vulnerable to exploits, allowing attackers to
    install unsafe software on target systems.




    ** Posted from http://www.teranews.com **

  2. Re: Serious security risks found in Linux package managers

    In comp.os.linux.advocacy, Ezekiel wrote
    on Mon, 14 Jul 2008 13:18:10 -0400
    <7f80b$487b8e9f$27823@news.teranews.com>:
    >
    >
    > http://news.zdnet.co.uk/security/0,1...9446765,00.htm
    >
    >
    > The software update mechanisms used by most BSD and Linux operating systems
    > can be tricked into installing buggy or known-to-be-compromised software on
    > users' systems, creating serious security risks, according to new research.
    >
    > The study Package Management Security, to be published in a forthcoming
    > issue of the University of Arizona Tech Report, analysed 10 package managers
    > and found that all were vulnerable to exploits, allowing attackers to
    > install unsafe software on target systems.
    >

    >
    >
    >
    > ** Posted from http://www.teranews.com **


    There are a fair number of issues in this report.

    [1] "automatically keeps software up-to-date". emerge is
    not automatic; one has to invoke it several times:

    emerge --sync
    emerge --fetchonly --update world (optional)
    emerge --update world
    vi /usr/portage/package.keywords/... (if necessary)

    One presumes other package managers, absent additional
    machinery (such as RedHat's little red button, which
    probably polls a server somewhere) behave in a similar
    manner.

    [2] Gentoo splits the tree and the code download functions.
    Basically, if one is compromised, the system becomes
    inconsistent, and emerge will most likely either not
    find the file it wants to download (and thence move to a
    different mirror, or even give up if no mirror has that
    file -- this has happened on occasion, even without Gentoo
    being compromised), or download, as the report specifies,
    an older version and install it. The latter would require
    compromise of the Gentoo tree, and is theoretically possible.

    Since Gentoo uses rsync, I'm not sure how one might
    sign the file list.

    [3] Signature expiration means diddly-squit unless one
    updates the signature public keys more than about once
    a month. Gentoo updates/packages are very frequent
    (depending on package), and many of them are security
    patches; presumably other distros are similar. How one
    ensures that old public keys are properly revoked is an
    interesting question. How one ensures that one can get
    at the new keys after expiration of the old ones (or as a
    first-time user) may be an even more interesting question.

    It's a classic tradeoff: inconvenience versus
    vulnerability window length.

    Does Microsoft Windows Vista have any issues of this sort?
    Can we know?

    --
    #191, ewill3@earthlink.net
    Error 16: Not enough space on file system to delete file(s)
    ** Posted from http://www.teranews.com **
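As an added example (not code from the thread or from any distribution), here is one way to sign the file list that the post above asks about, in Go: the mirror serves a signed manifest carrying a version and an expiry, the client refuses expired lists (a frozen mirror) and lists older than the one it last accepted (a replayed downgrade), and each downloaded distfile is compared against the signed digest, which covers the tree/distfile split. The manifest layout, field names and the all-zero signing seed used in testing are assumptions constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
)

// Manifest is the signed file list served next to the tree; its layout is
// an assumption for this example, not any distribution's real format.
type Manifest struct {
	Version int64             `json:"version"` // must never go backwards
	Expires int64             `json:"expires"` // unix seconds
	Files   map[string]string `json:"files"`   // path -> sha256 hex digest
}

// Sign serialises the manifest and signs the bytes with the repository key.
func Sign(priv ed25519.PrivateKey, m Manifest) (body, sig []byte) {
	body, _ = json.Marshal(m)
	return body, ed25519.Sign(priv, body)
}

// Verify accepts a manifest only if the signature holds, it has not expired
// at now, and its version is not older than *last (kept across syncs).
func Verify(key ed25519.PublicKey, last *int64, body, sig []byte, now int64) (*Manifest, error) {
	if !ed25519.Verify(key, body, sig) {
		return nil, errors.New("bad signature")
	}
	var m Manifest
	if err := json.Unmarshal(body, &m); err != nil {
		return nil, err
	}
	if now > m.Expires {
		return nil, errors.New("manifest expired") // frozen mirror
	}
	if m.Version < *last {
		return nil, errors.New("manifest rollback") // replayed old list
	}
	*last = m.Version
	return &m, nil
}

// CheckFile compares a downloaded distfile against its signed digest.
func CheckFile(m *Manifest, path string, data []byte) bool {
	sum := sha256.Sum256(data)
	return m.Files[path] == hex.EncodeToString(sum[:])
}
```

The expiry only helps if the client can still obtain a fresh key after the old one lapses, which is the key-distribution question the post raises; the code above assumes the trusted public key is already installed.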

  3. Re: Serious security risks found in Linux package managers

    On Mon, 14 Jul 2008 22:38:31 +0200, Clogwog wrote:


    > Ha, ha LUnix that is?
    > http://www.encyclopediadramatica.com/Lunix
    >

  4. Re: Serious security risks found in Linux package managers

    On Jul 14, 10:18 am, "Ezekiel" wrote:
    > http://news.zdnet.co.uk/security/0,1...9446765,00.htm


    Despite the usual FUD from Microsoft propaganda agents
    ("Moshe Goldfarb" and "Clogwog" in this case) one is safe
    from these vulnerabilities if using the distro company's
    own update repository. And some fix for the problem will
    be implemented soon in any case.

    At least Linux users do get prompt security updates,
    unlike MS-Windows victims. I had a cable-TV service guy
    in here the other day -- technically knowledgeable --
    who looked at my Linux system -- KDE3 with 20 desktops --
    and was very impressed. He said he was sick and tired
    of constantly having his MS-Windows system attacked by
    viruses and other malware. He employs the usual
    antivirus software, but some of the attacks are still
    getting through.

    He's going to switch to Linux, and all the great free
    software that comes with it. The software of the
    world community!


  5. Re: Serious security risks found in Linux package managers

    Linonut wrote:



    Statistics you ****ing ass-hole when this ****ing NG flies in the face
    of statistics.

    Get the **** out of here with this.

  6. Re: Serious security risks found in Linux package managers

    * Breeder's Blues peremptorily fired off this memo:

    > Linonut wrote:
    >
    >
    >
    > Statistics you ****ing ass-hole when this ****ing NG flies in the face
    > of statistics.
    >
    > Get the **** out of here with this.


    (I just had to see that self-nuking gem again. What a funny person.)

    --


  7. Re: Serious security risks found in Linux package managers

    In article <1x736bkqwollg$.14llwl2t11x6s$.dlg@40tude.net>,
    Moshe Goldfarb. wrote:
    >
    >In essence it is also like a car with no stereo
    >or even tires so even if it could be hacked it would be pointless to do so.
    >As such, it is entirely useless. "
    >


    There's something terribly ironic about a Google user ranting about
    how utterly useless Linux is. Talk about byting the hand that feeds you...


  8. Re: Serious security risks found in Linux package managers

    Moshe Goldfarb. wrote:
    > On Mon, 14 Jul 2008 22:38:31 +0200, Clogwog wrote:
    >
    >
    >> Ha, ha LUnix that is?
    >> http://www.encyclopediadramatica.com/Lunix
    >>

  9. Re: Serious security risks found in Linux package managers

    Linonut wrote:
    > * Breeder's Blues peremptorily fired off this memo:
    >
    >> Linonut wrote:
    >>
    >>
    >>
    >> Statistics you ****ing ass-hole when this ****ing NG flies in the face
    >> of statistics.
    >>
    >> Get the **** out of here with this.

    >
    > (I just had to see that self-nuking gem again. What a funny person.)
    >


    Man, shut the **** up, because you have no comeback idiot.

  10. Re: Serious security risks found in Linux package managers

    On Mon, 14 Jul 2008 21:37:33 -0400, Linonut wrote:

    > * Breeder's Blues peremptorily fired off this memo:
    >
    >> Linonut wrote:
    >>
    >>
    >>
    >> Statistics you ****ing ass-hole when this ****ing NG flies in the face
    >> of statistics.
    >>
    >> Get the **** out of here with this.

    >
    > (I just had to see that self-nuking gem again. What a funny person.)


    The moronic 'earthlink' troll, according to your References header.

    --
    Is a M$ "Certificate of Authenticity"
    for Vista, a junk bond?

  11. Re: Serious security risks found in Linux package managers

    On Mon, 14 Jul 2008 16:22:37 -0700 (PDT), Mark S Bilk wrote:

    > On Jul 14, 10:18 am, "Ezekiel" wrote:
    >> http://news.zdnet.co.uk/security/0,1...9446765,00.htm

    >
    > Despite the usual FUD from Microsoft propaganda agents
    > ("Moshe Goldfarb" and "Clogwog" in this case) one is safe
    > from these vulnerabilities if using the distro company's
    > own update repository. And some fix for the problem will
    > be implemented soon in any case.


    Let's see:

    1. You call it FUD.
    2. You say it will be fixed soon....

    Try again, Bilk....

    > At least Linux users do get prompt security updates,
    > unlike MS-Windows victims.


    Huh?
    Ever hear of Windows Update?
    Fixes are released all the time, too much in fact IMHO.


    > I had a cable-TV service guy
    > in here the other day -- technically knowledgeable --
    > who looked at my Linux system --


    So did you get "serviced" Mark S. Bilk?

    > He's going to switch to Linux, and all the great free
    > software that comes with it. The software of the
    > world community!


    Sure, and the two of you are going to live happily ever after, procreate a
    family and die of old age...
    Well, two out of three anyway.
    One of the above is impossible.

    What a loon....


    --
    Moshe Goldfarb
    Collector of soaps from around the globe.
    Please visit The Hall of Linux Idiots:
    http://linuxidiots.blogspot.com/

  12. Re: Serious security risks found in Linux package managers

    On Tue, 15 Jul 2008 08:47:14 +0100, Ian Thompson-Bell wrote:

    > Moshe Goldfarb. wrote:
    >> On Mon, 14 Jul 2008 22:38:31 +0200, Clogwog wrote:
    >>
    >>
    >>> Ha, ha LUnix that is?
    >>> http://www.encyclopediadramatica.com/Lunix
    >>>

  13. Re: Serious security risks found in Linux package managers

    Breeder's Blues <""Brreder\"@Blues .com"> wrote:

    >(snip)


    *plonk*


  14. Re: Serious security risks found in Linux package managers

    On Tue, 15 Jul 2008 09:58:11 -0400, Moshe Goldfarb. wrote:

    > On Tue, 15 Jul 2008 08:47:14 +0100, Ian Thompson-Bell wrote:
    >
    >> Moshe Goldfarb. wrote:
    >>> On Mon, 14 Jul 2008 22:38:31 +0200, Clogwog wrote:
    >>>
    >>>
    >>>> Ha, ha LUnix that is?
    >>>> http://www.encyclopediadramatica.com/Lunix

  15. Re: Serious security risks found in Linux package managers

    the wharf rat wrote:
    > In article <1x736bkqwollg$.14llwl2t11x6s$.dlg@40tude.net>,
    > Moshe Goldfarb. wrote:
    >>
    >> In essence it is also like a car with no stereo
    >> or even tires so even if it could be hacked it would be pointless to
    >> do so. As such, it is entirely useless. "
    >>

    >
    > There's something terribly ironic about a Google user ranting about
    > how utterly useless Linux is.


    "User-Agent: 40tude_Dialog/2.0.15.1"

    linux makes you stupid.



  16. Re: Serious security risks found in Linux package managers

    relic wrote:

    >linux makes you stupid.


    Oh well, back in you go...

    *plonk*


  17. Re: Serious security risks found in Linux package managers

    chrisv wrote:
    > relic wrote:
    >
    >> linux makes you stupid.

    >
    > Oh well, back in you go...
    >
    > *plonk*


    Now, that just hurts me deeply.



  18. Re: Serious security risks found in Linux package managers

    relic wrote:
    > chrisv wrote:
    >> relic wrote:
    >>
    >>> linux makes you stupid.

    >>
    >> Oh well, back in you go...
    >>
    >> *plonk*

    >
    > Now, that just hurts me deeply.


    Sorry, but I don't want to hear "linux makes you stupid" any more. I know
    it's true, but I'm trying to pretend...

    *plonk* ...again.



  19. Re: Serious security risks found in Linux package managers

    relic wrote:

    > chrisv wrote:
    >> relic wrote:
    >>
    >>> linux makes you stupid.

    >>
    >> Oh well, back in you go...
    >>
    >> *plonk*

    >
    > Now, that just hurts me deeply.


    Ah well. Snap out of it and empty your drool bucket.

    --
    RonB
    "There's a story there...somewhere"

  20. Re: Serious security risks found in Linux package managers

    On Jul 15, 6:52 am, "Moshe Goldfarb." wrote:
    > On Mon, 14 Jul 2008 16:22:37 -0700 (PDT), Mark S Bilk wrote:
    > > On Jul 14, 10:18 am, "Ezekiel" wrote:
    > >>http://news.zdnet.co.uk/security/0,1...9446765,00.htm

    >
    > > Despite the usual FUD from Microsoft propaganda agents
    > > ("Moshe Goldfarb" and "Clogwog" in this case) one is safe
    > > from these vulnerabilities if using the distro company's
    > > own update repository. And some fix for the problem will
    > > be implemented soon in any case.

    >
    > Let's see:
    >
    > 1. You call it FUD.
    > 2. You say it will be fixed soon....
    >
    > Try again, Bilk....


    1. There is an immediate solution, which is to use only the
    distro company's own update website.
    2. The vulnerability for other websites will soon be fixed.

    > > At least Linux users do get prompt security updates,
    > > unlike MS-Windows victims.

    >
    > Huh?
    > Ever hear of Windows Update?
    > Fixes are released all the time, too much in fact IMHO.


    But this is only for MS-Windows itself, or maybe Windows and
    Microsoft applications, right? Not for all the application
    software that comes with the distribution, because Microsoft
    doesn't distribute other applications. Linux distribution
    administrators track updates for the thousands of other
    programs that they distribute, and send those updates on
    to the users via the same update system.

    > > I had a cable-TV service guy
    > > in here the other day -- technically knowledgeable --
    > > who looked at my Linux system --

    >
    > So did you get "serviced" Mark S. Bilk?


    Gary Stewart, here using the anonymous ID "Moshe Goldfarb",
    has been accusing me of being homosexual for the ten years
    that he's been lying about Linux on behalf of Microsoft.
    This because I've written that homosexual people should
    have the same rights as everyone else. He has forged Usenet
    posts in my name describing and soliciting unhygienic
    oral-anal sex acts. He is a fundamentalist so-called
    "Christian".

    > > He's going to switch to Linux, and all the great free
    > > software that comes with it. The software of the
    > > world community!

    >
    > Sure, and the two of you are going to live happily ever after,
    > procreate a family and die of old age...
    > Well, two out of three anyway.
    > One of the above is impossible.
    > What a loon....


    Gary Stewart is a liar, forger, and sociopath, whose goal is
    to sabotage open-source world community software, and
    have it replaced by proprietary software that's controlled
    by ultra-wealthy businessmen. Vista is the latest Microsoft
    effort in what Richard Stallman properly calls Treacherous
    Computing, which gives corporations and the government
    complete control over what information we can access and
    exchange with our computers. This effort began with
    Microsoft's "Palladium" system which would require permission
    from a government DRM server before accessing any website.

    Thus, for example, the rapidly spreading information that
    the World Trade Center towers were blown up by the
    U.S. government on 9/11/2001 (and that false-flag attack
    was then used as the pretext for destroying the U.S.
    Constitution and murdering 2,000,000 people) would be made
    inaccessible to the public by that same government.
    See http://cosmicpenguin.com

    At this point in time, free software and an unrestricted
    Internet are vital for the survival of the human species,
    since (among many other reasons) the next attack by the U.S.
    government -- against Iran -- could easily lead to a nuclear
    war. Microsoft, with its huge propaganda campaign against
    free software, is thus endangering the survival of mankind.

