On Sun, 6 Jun 2010 12:28:27 +1000 Erik de Castro Lopo wrote:

> Hi All,
>
> Did anyone see this paper:
>
> A Look In the Mirror: Attacks on Package Managers
> http://www.cs.arizona.edu/~jhh/papers/ccs08.pdf
>
> It suggests that anyone who has control of a mirror can cause client
> machines to install software created by the attacker or install an
> outdated version of a package with a vulnerability the attacker knows
> how to exploit.
All of the issues raised in this paper can be mitigated by a "proactive" user. Malicious mirror activity can be detected by paying attention to debsecan and the security tracker [0]. debsecan displays all known vulnerable packages on a particular system, and the security tracker displays all known vulnerable packages. Differences between the two for a period longer than about a week would be a sign that the mirror is intentionally holding back vulnerable packages.

Of course the major flaw with this statement is that there aren't a whole lot of these "proactive" users. However, if there are enough, some will spot the activity and raise concern, which will ultimately protect others when the evil mirror is shut down.

Mike

[0] http://security-tracker.debian.org

Archive: http://lists.debian.org/20100606003753.f701e457.michael.s.gilb...@gmail.com
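The check Mike describes, written out as an added example that is not part of the thread: it compares a debsecan-style list of CVEs still open on a host against a snapshot of the security tracker and flags any fix that has been published for longer than about a week but never reached the host. The two input formats, the package names and versions, the CVE ids and the dates are all constructed for illustration and are not the real output of debsecan or the tracker.

```python
# Added example, not from the thread: compare a debsecan-style list of CVEs
# still open on this host against a security-tracker snapshot and flag fixes
# that have been published for longer than ~a week but never reached us.
# All formats and data below are constructed; they are not the real outputs.
from datetime import date, timedelta

STALE_AFTER = timedelta(days=7)  # the post's "longer than about a week"

# Constructed debsecan-like lines: "<CVE> <source package> <installed version>"
DEBSECAN_LOCAL = """\
CVE-2010-0001 openssl 0.9.8g-15
CVE-2010-0002 libxml2 2.6.32.dfsg-5
CVE-2010-0003 bash 3.2-4
"""

# Constructed tracker snapshot for the host's suite:
# CVE -> (source package, fixing version or None, date the fix was published)
TRACKER = {
    "CVE-2010-0001": ("openssl", "0.9.8g-15+lenny8", date(2010, 5, 20)),
    "CVE-2010-0002": ("libxml2", "2.6.32.dfsg-5+lenny2", date(2010, 6, 3)),
    "CVE-2010-0003": ("bash", None, None),  # unfixed upstream: normal
}

def parse_debsecan(text):
    """Return {cve: (package, installed_version)} from the constructed report."""
    result = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 3 and fields[0].startswith("CVE-"):
            result[fields[0]] = (fields[1], fields[2])
    return result

def stale_fixes(local, tracker, today, threshold=STALE_AFTER):
    """CVEs open locally whose tracker fix is older than threshold.

    Recent fixes are ordinary mirror lag and unfixed CVEs are expected to
    match debsecan; only long-available fixes that never arrived are flagged.
    """
    suspicious = []
    for cve, (pkg, installed) in sorted(local.items()):
        entry = tracker.get(cve)
        if entry is None:
            continue  # tracker snapshot does not know this CVE yet
        tpkg, fixed_version, fixed_on = entry
        if fixed_version is None or tpkg != pkg:
            continue
        if today - fixed_on > threshold:
            suspicious.append((cve, pkg, installed, fixed_version, (today - fixed_on).days))
    return suspicious
```

A persistent non-empty result is the signal to raise on the list, not proof by itself; a slow but honest mirror produces the same picture until it catches up.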