[Dev] Mirrors vulnerability issue, Many outdated installs in the wild

Denis 'GNUtoo' Carikli GNUtoo at no-log.org
Sat Feb 13 22:06:38 GMT 2016


Hi,

Summary:
--------
If you used the default pacman mirrorlists, your system is not up to
date.

http://parabolagnulinux.mirrors.linux.ro/$repo/os/$arch was the default
mirror in /etc/pacman.d/mirrorlist

That mirror was not updated for a while, so people using the default
configuration are still stuck with an old mirrorlist pointing to a
mirror that is not updated anymore...

How to check if you are affected:
---------------------------------
> # pacman -Q -o /etc/pacman.d/mirrorlist
> /etc/pacman.d/mirrorlist is owned by pacman-mirrorlist
> 20151101-1.parabola1
> # mkdir tmp && cd tmp && tar \
> xf /var/cache/pacman/pkg/pacman-mirrorlist-20151101-1.parabola1-any.pkg.tar.xz
> # diff -u etc/pacman.d/mirrorlist /etc/pacman.d/mirrorlist  ; echo $?
> 0
> # grep "^Server" /etc/pacman.d/mirrorlist | head -n1
> Server = http://parabolagnulinux.mirrors.linux.ro/$repo/os/$arch

How should Parabola deal with it:
---------------------------------
We need various solutions, for shorter and longer term.

As for shorter term, we probably need to make sure the mirrorlist is
coming from a trusted mirror that can be updated.

We should of course use transports that can't be tempered with, such
as https or onion services it. Else a man in the middle can just
replace what is being downloaded by older versions.

We should also warn the users on the parabola website as soon as
possible.

I should also do a proper bugreport.
I've also no idea how CVE are created.

Medium term:
------------
We might want to split the db update files from the packages, and make
the parabola infrastructure serve them, still with a transport that
can't be tempered with to avoid man in the middle attacks.

Long term:
----------
We should make sure that pacman update the db files safely, in a
distributed manner.

I've also heard about an update framework that
address some of the issue https://theupdateframework.github.io/ but I
didn't look into it yet.

Denis.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.parabola.nu/pipermail/dev/attachments/20160213/c6e98084/attachment.asc>


More information about the Dev mailing list