[Dev] Mirrors vulnerability issue, Many outdated installs in the wild
Denis 'GNUtoo' Carikli
GNUtoo at no-log.org
Sat Feb 13 22:06:38 GMT 2016
Hi,
Summary:
--------
If you used the default pacman mirrorlists, your system is not up to
date.
http://parabolagnulinux.mirrors.linux.ro/$repo/os/$arch was the default
mirror in /etc/pacman.d/mirrorlist
That mirror was not updated for a while, so people using the default
configuration are still stuck with an old mirrorlist pointing to a
mirror that is not updated anymore...
How to check if you are affected:
---------------------------------
> # pacman -Q -o /etc/pacman.d/mirrorlist
> /etc/pacman.d/mirrorlist is owned by pacman-mirrorlist
> 20151101-1.parabola1
> # mkdir tmp && cd tmp && tar \
> xf /var/cache/pacman/pkg/pacman-mirrorlist-20151101-1.parabola1-any.pkg.tar.xz
> # diff -u etc/pacman.d/mirrorlist /etc/pacman.d/mirrorlist ; echo $?
> 0
> # grep "^Server" /etc/pacman.d/mirrorlist | head -n1
> Server = http://parabolagnulinux.mirrors.linux.ro/$repo/os/$arch
How should Parabola deal with it:
---------------------------------
We need various solutions, for shorter and longer term.
As for the shorter term, we probably need to make sure the mirrorlist is
coming from a trusted mirror that can be updated.
We should of course use transports that can't be tampered with, such
as https or onion services. Else a man in the middle can just
replace what is being downloaded by older versions.
We should also warn the users on the parabola website as soon as
possible.
I should also do a proper bugreport.
I've also no idea how CVEs are created.
Medium term:
------------
We might want to split the db update files from the packages, and make
the parabola infrastructure serve them, still with a transport that
can't be tampered with to avoid man in the middle attacks.
Long term:
----------
We should make sure that pacman updates the db files safely, in a
distributed manner.
I've also heard about an update framework that
addresses some of the issues https://theupdateframework.github.io/ but I
didn't look into it yet.
Denis.
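The manual check in the post (query the owner of /etc/pacman.d/mirrorlist, extract the cached pacman-mirrorlist package, diff the two copies, look at the first Server line) can be scripted. The POSIX shell script below is an added example, not part of Denis's message or of Parabola's tooling. It assumes the default pacman cache path /var/cache/pacman/pkg, the package file naming pacman-mirrorlist-VERSION-any.pkg.tar.xz seen in the post, and that an https URL or an onion service counts as a transport a man in the middle cannot swap out, which is the criterion the post proposes. The sample mirrorlist it builds is constructed for the demonstration; the live-system comparison only runs when pacman and the mirrorlist are present.

```shell
#!/bin/sh
# Added example (not Parabola's own tooling): automate the "how to check if
# you are affected" steps from the post and classify the first active mirror.
set -u

# The default mirror the post reports as no longer being updated.
STALE_DEFAULT='http://parabolagnulinux.mirrors.linux.ro/$repo/os/$arch'

# Print the first uncommented "Server = URL" entry of a mirrorlist file.
# Commented-out entries (#Server = ...) are skipped, as pacman skips them.
first_server() {
    sed -n 's/^[[:space:]]*Server[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Classify a mirror URL:
#   stale-default  the exact mirror the post warns about
#   cleartext      plain http, which a man in the middle can replace
#   ok             https or an onion service, which a MITM cannot swap out
classify_mirror() {
    url=$1
    if [ "$url" = "$STALE_DEFAULT" ]; then
        echo stale-default
        return
    fi
    case "$url" in
        https://*)        echo ok ;;
        http://*.onion/*) echo ok ;;
        *)                echo cleartext ;;
    esac
}

# Compare the live mirrorlist against the copy inside the cached
# pacman-mirrorlist package, as the post does by hand with tar and diff.
# Prints "unchanged" when the live file still equals the packaged one (the
# user never edited it), "modified" otherwise, and "no-cache" when the
# package file is not in the cache. Assumes the default cache path and the
# "-any.pkg.tar.xz" file name suffix shown in the post.
compare_with_package() {
    live=$1
    pkgver=$(pacman -Q pacman-mirrorlist 2>/dev/null | awk '{print $2}')
    pkg="/var/cache/pacman/pkg/pacman-mirrorlist-${pkgver}-any.pkg.tar.xz"
    [ -n "$pkgver" ] && [ -r "$pkg" ] || { echo no-cache; return; }
    tmp=$(mktemp -d)
    tar -xf "$pkg" -C "$tmp" etc/pacman.d/mirrorlist
    if diff -q "$tmp/etc/pacman.d/mirrorlist" "$live" >/dev/null; then
        echo unchanged
    else
        echo modified
    fi
    rm -rf "$tmp"
}

# Write a constructed sample mirrorlist to $1 that reproduces the default
# configuration described in the post: an https mirror commented out and
# the stale cleartext mirror as the first active entry.
write_sample_mirrorlist() {
    cat > "$1" <<'EOF'
# Parabola mirrorlist (constructed sample for this example)
#Server = https://repo.parabola.nu/$repo/os/$arch
Server = http://parabolagnulinux.mirrors.linux.ro/$repo/os/$arch
Server = https://example.invalid/parabola/$repo/os/$arch
EOF
}

# Demonstration on the constructed sample.
sample=$(mktemp)
write_sample_mirrorlist "$sample"
url=$(first_server "$sample")
echo "sample: first mirror $url -> $(classify_mirror "$url")"
rm -f "$sample"

# Live check, only on a system that actually has pacman and a mirrorlist.
if [ -r /etc/pacman.d/mirrorlist ] && command -v pacman >/dev/null 2>&1; then
    url=$(first_server /etc/pacman.d/mirrorlist)
    echo "system: mirrorlist $(compare_with_package /etc/pacman.d/mirrorlist)," \
         "first mirror $url -> $(classify_mirror "$url")"
fi
```

A result of "unchanged" together with "stale-default" is exactly the affected configuration the post describes: the packaged mirrorlist was never edited and its first mirror is the one that stopped syncing. Note that "ok" only says the transport resists tampering; it says nothing about whether that mirror is current, which still has to be checked against the repository's own database.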