
Red Hat 7.2 GnuPG signed RPM verification fails on distribution files

by Majik on October 24th, 2001

History of advisory:

Oct 23, 2001: While downloading Red Hat 7.2, Kurt Seifried noticed that various packages were not GnuPG signed.


Overview:

Red Hat 7.2 distribution files on popular ftp sites such as ftp.ibiblio.org and mirrors.hpcf.upr.edu are not signed. It is unlikely that this is an attack, as the number of sites involved makes it likely someone would have noticed and notified the community. Either Red Hat did not sign these packages, or someone subverted the distribution process before the files got to the various sites. For Red Hat 7.1, please note that all files were correctly signed with the Red Hat GnuPG security key.
Impact:

An attacker can create RPMs that will not appear any different from the real ones, as they do not need to be signed. Finding the MD5 sums of the files in trusted locations is very difficult (I cannot find any lists).
Details:

Red Hat has released Red Hat 7.2, a much anticipated release. Typically all the rpm distribution files are signed, making it very easy to verify their correctness. Since numerous packages are not signed, it becomes trivial for an attacker to replace packages on a distribution site with no one being able to easily verify that they have been subverted. An attacker would not even need to modify or add files to the package; instead they could add a preinstall, postinstall, preuninstall or postuninstall script that would be capable of compromising the system, since these scripts run with root privileges. Affected packages include rpmdb-redhat and redhat-release.
Solutions and workarounds:

None available. Red Hat needs to sign the packages properly with GnuPG.
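As an added example (not code from the advisory, from Kurt Seifried, or from Red Hat), the following POSIX shell helper classifies `rpm --checksig` output and lists every package in a download directory that verifies by digest only, with no GnuPG signature, which is exactly the condition the advisory describes. It assumes the Red Hat public key has already been imported into the local keyring (otherwise signed packages report a missing key rather than `gpg OK`), and the line formats, sample output and package file names below are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag RPMs whose `rpm --checksig` result shows a digest but no
# GnuPG signature. Not code from the advisory or from Red Hat.
#
# Assumed `rpm --checksig` / `rpm -K` line formats (one package per line):
#   pkg.rpm: md5 gpg OK              signature present and valid (rpm 4.0 era)
#   pkg.rpm: digests signatures OK   same, newer rpm wording
#   pkg.rpm: md5 OK                  digest only: package is NOT signed
#   pkg.rpm: digests OK              same, newer rpm wording
#   pkg.rpm: md5 (GPG) NOT OK (MISSING KEYS: ...)  signed, but key not imported
#   pkg.rpm: MD5 NOT OK              digest mismatch: corrupt or tampered

# Map one checksig line to: signed | unsigned | nokey | bad | unknown
classify_checksig_line() {
    case "$1" in
        *"MISSING KEYS"*)                      echo nokey ;;
        *"NOT OK"*)                            echo bad ;;
        *" gpg "*|*" pgp "*|*" signatures "*)  echo signed ;;
        *" OK")                                echo unsigned ;;
        *)                                     echo unknown ;;
    esac
}

# Read checksig output on stdin; print "<status><TAB><file>" for every package
# that is not verifiably signed. Exit 1 if any such package was seen, else 0.
report_unsigned() {
    found=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        status=$(classify_checksig_line "$line")
        [ "$status" = signed ] && continue
        found=1
        printf '%s\t%s\n' "$status" "${line%%:*}"
    done
    return "$found"
}

# Number of not-signed packages in a block of checksig output.
unsigned_count() {
    printf '%s\n' "$1" | report_unsigned | wc -l | tr -d ' '
}

# Real use: verify a directory of downloaded packages. Before installing any
# package this lists, inspect its scriptlets (they run as root) with:
#   rpm -qp --scripts some-package.rpm
check_rpm_dir() {
    rpm --checksig "$1"/*.rpm | report_unsigned
}

# Constructed sample output, mimicking a mirror where two packages are unsigned
# and one download is corrupt. File names are placeholders, not real versions.
SAMPLE_CHECKSIG='example-signed-1.0-1.i386.rpm: md5 gpg OK
rpmdb-redhat-EXAMPLE.noarch.rpm: md5 OK
redhat-release-EXAMPLE.noarch.rpm: md5 OK
example-newer-rpm-1.0-1.i386.rpm: digests signatures OK
example-corrupt-1.0-1.i386.rpm: MD5 NOT OK'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_CHECKSIG" | report_unsigned
fi
```

Run it as `sh checksig-report.sh --demo` to see the classification of the constructed sample, or call `check_rpm_dir /path/to/downloads` on a real mirror download. Note that a digest-only `OK` proves nothing about origin: the MD5 is computed over the package by whoever built it, so only the `gpg`/`signatures` result ties a file to the Red Hat key.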

