Free Republic
Browse · Search 		General/Chat
Topics · Post Article

To: rzeznikj at stout

WOW, you better be CAREFUL! There's a known vulnerability just out about using YaST, you could be trojaned if you're not real careful about where you're getting your updates.

http://www.linuxsecurity.com/content/view/121777/112/

Problem Description and Brief Discussion

This is a reissue of SUSE-SA:2006:009, after we found out that also
gpg version < 1.4.x are affected by the signature checking problem
of CVE-2006-0455.

With certain handcraft-able signatures GPG was returning a 0 (valid
signature) when used on command-line with option --verify.

This could make automated checkers, like for instance the patch file
verification checker of the YaST Online Update, pass malicious patch
files as correct and allow remote code execution.

Also, the YaST Online Update script signature verification had used a
feature which was not meant to be used for signature verification,
making it possible to supply any kind of script which would be
considered correct. This would also allow code execution.


133 posted on 03/08/2006 5:21:23 PM PST by Golden Eagle
[ Post Reply | Private Reply | To 129 | View Replies ]

To: Golden Eagle

Wait a minute...so you're saying we should be CAREFUL about where we install software from? Wow. What a revelation. Thanks for telling me this. Up to this point, I've been browsing around, clicking willy-nilly on whatever I want and installing it to my system like a crazy person, automatically answering yes to all dialogues that came up. Guess I better cut that out.

Man, it's a good thing we don't have to worry about such things in Windows, huh?

/sarcasm


138 posted on 03/08/2006 6:13:46 PM PST by FLAMING DEATH (And now, for something completely different: www.donaldlancow.com)
[ Post Reply | Private Reply | To 133 | View Replies ]
To: Golden Eagle
They found it a week ago, and they've had updated packages in place. I ran the online update after installing 10.0--running the update on security packages under YaST.

Second, it requires someone to be futzing with the mirror directly or the commmunication--you'd have to be running a defacto install with no security measures, and the connection to the specific server turned on.

Third, you don't have to run YaST at all to update--you can d/l the packages and install with KPackage. Or, you can d/l the packages to a local directory and set the YaST installer to only run from the CD's and the local directory.

Finally, you can put the updated packages that fix the problem. The updated pkgs came up when I ran my first update and they were installed. I suspect other Suse users did the same thing.

The problem isn't as bad as ones I've seen on my peers' computers--they get trojaned just by running the OS.

141 posted on 03/08/2006 7:01:53 PM PST by rzeznikj at stout (This is a darkroom. Keep the door closed or you'll let all the dark out...)
[ Post Reply | Private Reply | To 133 | View Replies ]

Free Republic
Browse · Search 		General/Chat
Topics · Post Article

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson