“security issue” with package managers/updaters

July 11, 2008

I’ve been pointed to this paper a number of times in the last week and I wanted to comment on it briefly.

Specifically, this page is what concerns me. Here’s where I’m confused: if your package manager finds unsigned or invalidly-signed repository metadata, then what? Does it bail out and throw up an alert? Does it just continue using the last validly-signed metadata it has?

In either of those cases, unless the user is noting/monitoring for errors/alerts and/or doing the update manually, they’ll never know that they didn’t get their updates. Heck, we’ve found that despite outputting a message like ‘OH MY GOD THIS DIDN’T WORK, YOU SHOULD CHECK IT’, users don’t understand what it means and/or don’t see it.

The only actual way to avoid being vulnerable to any/all of these problems is to verify that what you want to have updated/installed on your systems is what IS on your systems.

It’s like saving a file in a text editor. Sure, you’re confident that your save command saved the file, but anyone who has ever worked on something important has pressed ‘save’, then opened the file it saved to in another window or on another machine to verify that it did, in fact, save, before closing the window they were working in.

Securing a system should be approached with the same behavior. If you’re worried that your system is not updating, then verify that it is. Better yet, set up monitoring to verify this for you and occasionally check on your monitoring.
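As an added example of the “verify what IS on your systems” approach (this is illustration for the post, not code from the author or from any package manager), the script below compares a host’s reported package versions against an expected inventory and also flags repository metadata that has stopped getting newer, which is the visible symptom of an updater quietly reusing its last validly-signed copy. The host name, package versions, timestamps and the 7-day freshness threshold are all constructed for the example, and the version comparison is a simplified stand-in for `rpmvercmp` or `dpkg --compare-versions`.

```python
"""Check a host's actual package state against what should be there,
instead of trusting that the updater reported success.

Example code written for this post; all data is constructed."""
import re
import sys
from datetime import datetime, timedelta, timezone

# Constructed "golden" inventory: the versions the team expects on every host.
# Hypothetical values, not taken from any real advisory or repository.
EXPECTED = {
    "openssl": "1.0.0h",
    "bash": "4.1.2",
    "kernel": "2.6.32",
}

# Constructed report from one host: what is actually installed, plus the
# signing time of the newest repository metadata the host accepted.
HOST_REPORT = {
    "hostname": "web01.example.internal",  # hypothetical host name
    "installed": {"openssl": "1.0.0g", "bash": "4.1.2"},
    "metadata_signed_at": datetime(2008, 6, 1, tzinfo=timezone.utc),
}

# Fixed "now" so the example is reproducible; a real check would use
# datetime.now(timezone.utc).
CHECK_TIME = datetime(2008, 7, 11, tzinfo=timezone.utc)


def version_key(version):
    """Turn a version string into a list that sorts naturally: numeric runs
    compare as integers (so 1.2.10 > 1.2.9) and letter runs as text.
    Simplified stand-in; rpmvercmp and dpkg --compare-versions also handle
    epochs, tildes and release tags and should be used in production."""
    return [(0, int(tok)) if tok.isdigit() else (1, tok)
            for tok in re.findall(r"\d+|[A-Za-z]+", version)]


def audit_host(report, expected, now, max_metadata_age=timedelta(days=7)):
    """Compare one host's actual state against the expected inventory.
    Returns a list of human-readable findings; an empty list means every
    expected package is present at (or above) its version and the
    repository metadata is fresh."""
    findings = []
    installed = report["installed"]
    for pkg, want in sorted(expected.items()):
        have = installed.get(pkg)
        if have is None:
            findings.append(f"{pkg}: not installed (expected {want})")
        elif version_key(have) < version_key(want):
            findings.append(f"{pkg}: {have} is older than expected {want}")
    # Metadata that never gets newer is what an updater silently reusing
    # its last validly-signed copy looks like from the outside.
    age = now - report["metadata_signed_at"]
    if age > max_metadata_age:
        findings.append(
            f"repository metadata is {age.days} days old; updates may be stalled")
    return findings


def run_audit():
    """Audit the constructed host report against the expected inventory."""
    return audit_host(HOST_REPORT, EXPECTED, CHECK_TIME)


if __name__ == "__main__":
    problems = run_audit()
    for line in problems:
        print(f"{HOST_REPORT['hostname']}: {line}")
    # Non-zero exit so a cron job or monitoring check can alert on it.
    sys.exit(1 if problems else 0)
```

Run from cron or a monitoring agent, the non-zero exit is the alert; the point is that the check reads the host’s real state rather than the updater’s own opinion of whether it succeeded.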
