“security issue” with package managers/updaters
July 11, 2008
I’ve been pointed to this paper a number of times in the last week and I wanted to comment on it briefly.
Specifically, this page is the concern. Here’s where I’m confused: if your package manager finds unsigned or invalidly signed repository metadata, then what? Does it bail out and throw up an alert? Does it just continue using the last validly signed metadata it has?
In either of those cases, unless the user is noting or monitoring for errors and alerts, and/or doing the update manually, they’ll never know that they didn’t get their updates. Heck, we’ve found that despite outputting a message like ‘OH MY GOD THIS DIDN’T WORK, YOU SHOULD CHECK IT’, users don’t understand what it means and/or don’t see it.
The only actual way to avoid being vulnerable to any or all of these problems is to verify that what you want updated or installed on your systems is what IS on your systems.
It’s like saving a file in a text editor. Sure, you’re confident that your save command saved the file, but anyone who has ever worked on something important has pressed ‘save’, then opened the file it saved to in another window or on another machine to verify that it did, in fact, save, before closing the window they were working in.
Securing a system should be approached with the same behavior. If you’re worried that your system is not updating, then verify that it is. Better yet, set up monitoring to verify this for you, and occasionally check your monitoring itself.
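Here is an added example of that kind of independent verification; it is not code from the post or from any package manager. It assumes two constructed inputs: a manifest of the package versions you expect to be installed, and the host’s own package list in the shape of `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` output (the package names and versions in the samples are made up). It also flags repository metadata that is older than a cutoff, which is what a client quietly reusing its last validly signed metadata looks like from the outside. The cutoff and the timestamps are assumptions for the example.

```python
"""Verify that a host actually has the updates you expect it to have.

Added example, not the post's code. Both inputs below are constructed
samples; the exact-match comparison and the 7-day metadata cutoff are
assumptions chosen for illustration.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample: what we expect to be installed (name -> version-release).
EXPECTED = {
    "openssl": "0.9.8g-9",
    "bind": "9.5.0-1",
    "kernel": "2.6.25-14",
}

# Constructed sample: what the host reports, one "name version-release" per line
# (the assumed shape of `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'`).
INSTALLED_OUTPUT = """\
openssl 0.9.8g-9
bind 9.4.2-1
yum 3.2.17-1
"""


def parse_installed(output):
    """Parse 'name version-release' lines into a dict; blank lines are skipped."""
    installed = {}
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        name, _, version = line.partition(" ")
        installed[name] = version
    return installed


def find_discrepancies(expected, installed):
    """Return (name, expected_version, actual_or_None) for every expected
    package that is missing or not at exactly the expected version.
    Any difference is reported; rpm's version ordering is deliberately
    not reimplemented here, since a surprise in either direction is
    something a human should look at."""
    problems = []
    for name, want in sorted(expected.items()):
        have = installed.get(name)
        if have != want:
            problems.append((name, want, have))
    return problems


def metadata_is_stale(metadata_time, now, max_age=timedelta(days=7)):
    """True if the newest repository metadata the client holds is older
    than max_age. A client that keeps using its last validly signed
    metadata after failing to fetch fresh metadata looks exactly like this."""
    return now - metadata_time > max_age


def check_host(expected, installed_output, metadata_time, now):
    """Combine both checks into a report a monitoring system can alert on."""
    installed = parse_installed(installed_output)
    report = {
        "discrepancies": find_discrepancies(expected, installed),
        "metadata_stale": metadata_is_stale(metadata_time, now),
    }
    report["ok"] = not report["discrepancies"] and not report["metadata_stale"]
    return report


def demo_report():
    """Run the checks on the constructed samples: metadata a month old."""
    now = datetime(2008, 7, 11, tzinfo=timezone.utc)  # constructed
    last_metadata = now - timedelta(days=30)           # constructed
    return check_host(EXPECTED, INSTALLED_OUTPUT, last_metadata, now)


if __name__ == "__main__":
    result = demo_report()
    for name, want, have in result["discrepancies"]:
        print(f"MISMATCH {name}: expected {want}, installed {have}")
    if result["metadata_stale"]:
        print("repository metadata is stale; updates may be failing silently")
    print("OK" if result["ok"] else "CHECK THIS HOST")
```

The point of the design is that none of this trusts the package manager’s own exit status or log output: the expected manifest comes from wherever you decided what should be installed, the installed list comes from querying the host, and the two are compared by something other than the updater itself. Wire `check_host` into whatever monitoring you already have and alert on `ok` being false.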