[ Thanks to DeepEnd for this link.
]
“Red Hat downplayed a security expert’s report today of
potential security problems with the latest release of its popular
operating system software.The company confirmed that two files distributed with Red Hat
Linux 7.2 lack digital signatures used for determining their
authenticity. But Red Hat does not consider the issue a security
threat, according to Marty Wesley, operating system product manager
for Red Hat. “Security should always be an important concern, but
this is not a security problem,” said Wesley.”
From: "Kurt Seifried"
Subject: Red Hat 7.2 GnuPG signed RPM verification fails on distribution
files
Date: Tue, 23 Oct 2001 03:17:16 -0600
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Kurt Seifried Security Advisory 002 (KSSA-002)
http://www.seifried.org/security/advisories/kssa-002.html
By Kurt Seifried, kurt@seifried.org
- ----------------------------------------------------------------------
- ----------
Title:
Red Hat 7.2 GnuPG signed RPM verification fails on distribution files
Issue date:
Oct 23, 2001
History of advisory:
Oct 23, 2001 While downloading Red Hat 7.2 Kurt Seifried noticed
various packages were not GnuPG signed.
Author:
Kurt Seifried kurt@seifried.org
Credits:
N/A
Overview:
Red Hat 7.2 distribution files on popular ftp sites such as
ftp ftp.ibiblio.org and mirrors.hpcf.upr.edu/ are not signed. It is
unlikely that this is an attack as the number of sites involved makes
it likely someone would have noticed and notified the community.
Either Red Hat did not sign these packages, or someone subverted the
distribution process before the files got to various sites. For Red
Hat 7.1 please note that all files were correctly signed with the Red
Hat GnuPG security key.
Vendor Contact:
security@redhat.com
Impact:
An attacker can create RPM's that will not appear any different from
the real ones, as they do not need to be signed. Finding the MD5 sums
of the files in trusted locations is very difficult (I cannot find
any lists).
Details:
Red Hat has released Red Hat 7.2, a much anticipated release.
Typically all the rpm distribution files are signed, making it very
easy to verify their correctness. Since numerous packages are not
signed it becomes trivial for an attacker to replace packages on a
distribution site with no-one being able to easily verify that they
have been subverted. An attacker would not even need to modify or add
files to the package, instead they could add a preinstall,
postinstall, preuninstall or postuninstall script that would be
capable of compromising the system since these scripts run with root
privileges. Packages include rpmdb-redhat and redhat-release.
Solutions and workarounds:
None available. Red Hat needs to sign the packages properly with
GnuPG.
References:
N/A
- ----------------------------------------------------------------------
- ----------
Permission is granted for copying and circulating this Bulletin to
the Internet community for the purpose of alerting them to problems,
if and only if, the bulletin is not edited or changed in any way, is
attributed to Kurt Seifried, and provided such reproduction and/or
distribution is performed for non-commercial purposes.
Any other use of this information is prohibited. Kurt Seifried is not
liable for any misuse of this information by any third party.
- ----------------------------------------------------------------------
- ----------
Back
Last updated 10/23/2001
Copyright Kurt Seifried 2001
Kurt Seifried, kurt@seifried.org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://www.seifried.org/security/
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use
iQA/AwUBO9U1l61jC06tVuV0EQJ76gCfdChJVLprIOAjJUyP1fd3qzxp/AwAnjCM
7gYeqrYPH/y6VktGVqRnz15i
=C5/O
-----END PGP SIGNATURE-----