Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. Gentoo>
  3. Security
wget vulns
steve at stevemurphy
Dec 12, 2004, 9:58 AM
Post #1 of 4 (1405 views)
Permalink
All

Having read the portage signing debate and concern about issues WRT
signing of portage, does this all becomes irrelevant if the simple act
of downloading the source borks your system?

http://seclists.org/lists/bugtraq/2004/Dec/0105.html

So far it has been demonstrated you can only go one level below, but
that is /usr/portage!

Is this serious? Is it worth doing emerge -f as a 'safe' user?



Steve
Re: wget vulns [ In reply to ]
krispykringle at gentoo
Dec 12, 2004, 11:19 AM
Post #2 of 4 (1376 views)
Permalink
Hi Steve,

This vulnerability is already in our bugzilla at
http://bugs.gentoo.org/show_bug.cgi?id=74008. A fix will be out
shortly. In the meantime, if you are concerned, there are plenty of
alternatives to wget (curl, Perl + LWP, etc).

Cheers,
Dan

On Sun, Dec 12, 2004 at 04:58:26PM +0000, Steve Murphy wrote:
> All
>
> Having read the portage signing debate and concern about issues WRT
> signing of portage, does this all becomes irrelevant if the simple act
> of downloading the source borks your system?
>
> http://seclists.org/lists/bugtraq/2004/Dec/0105.html
>
> So far it has been demonstrated you can only go one level below, but
> that is /usr/portage!
>
> Is this serious? Is it worth doing emerge -f as a 'safe' user?
>
>
>
> Steve

--
gentoo-security@gentoo.org mailing list
Re: wget vulns [ In reply to ]
steve at stevemurphy
Dec 21, 2004, 3:24 PM
Post #3 of 4 (1357 views)
Permalink
-On Sun, 2004-12-12 at 13:19 -0500, Dan Margolis wrote:
> Hi Steve,
>
> This vulnerability is already in our bugzilla at
> http://bugs.gentoo.org/show_bug.cgi?id=74008. A fix will be out
> shortly. In the meantime, if you are concerned, there are plenty of
> alternatives to wget (curl, Perl + LWP, etc).
>

Hi, thanks for your speedy reply and good to know you are on the case.

My reply being much tardier, I was really querying whether runing wget
as root during an emerge is safe.

When everything downloaded is signed and we choose to trust a key - how
can we trust the integrity of signatures or those programs used to
validate them when we allow wget to run as root. Wget as root would
allow a hacked mirror or spoofed mirror to exploit any vulnerability in
wget. Should wget run as a restricted user.

Of course, the same argument could be used against validating signatures
- a 'specialaly crafted' signature could be developed to exploit bugs in
that software, so that should also to run as a different user - but
according to the original report wget is a priority case:

http://seclists.org/lists/bugtraq/2004/Dec/0105.html

-> In the current maintainer's own words: ``[T]he code is buggy, poorly
-> commented, very hard to understand, extremely resistant to changes
-> and looks like a bunch of patches put together in a careless way.

Steve (not an expert so happy to be proven wrong).



--
gentoo-security@gentoo.org mailing list
Re: wget vulns [ In reply to ]
jaervosz at gentoo
Dec 21, 2004, 3:40 PM
Post #4 of 4 (1366 views)
Permalink
Hi Steve,

On Tuesday 21 December 2004 23:24, Steve Murphy wrote:
> My reply being much tardier, I was really querying whether runing wget
> as root during an emerge is safe.
This is also already in Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=74797

--
Sune Kloppenborg Jeppesen (Jaervosz)
Operational Manager
Gentoo Linux Security Team

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal