[Bug 975835] New: Repository information should not be writable by any user for security reasons
http://bugzilla.opensuse.org/show_bug.cgi?id=975835

            Bug ID: 975835
           Summary: Repository information should not be writable by any user for security reasons
    Classification: openSUSE
           Product: openSUSE.org
           Version: unspecified
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Wiki
          Assignee: ddemaio@novell.com
          Reporter: bjoernv@arcor.de
        QA Contact: adrian@suse.com
          Found By: ---
           Blocker: ---

Because of incorrect or outdated repository information here
https://de.opensuse.org/Paket_Repositorys (version from 2015-04-14) I messed up
the packages on one of my systems. Tumbleweed repos pointed to openSUSE-current
(which is currently Leap 42.1 and I didn't verify this). I updated the Wiki
page, so that other users will not go into this trap.

I think the more general problem is that every authenticated openSUSE user can
publish false repository information. An attacker could create a website
(let's say: opensus.org with a missing "e" in openSUSE) with malware infected
openSUSE packages. Then he changes the repository information on some Wiki
pages. E.g. the main repository for Leap 42.1 can be changed from

http://download.opensuse.org/tumbleweed/repo/oss/

to

http://download.opensus.org/tumbleweed/repo/oss/

Verifying GPG keys is costly for users, so probably a false GPG key will also be
accepted.

I suggest changing the access rights of Wiki pages like
https://en.opensuse.org/Package_repositories and
https://de.opensuse.org/Paket_Repositorys so that only SuSE employees (or a
subset of SuSE employees) can change this page.

Unfortunately, other Wiki pages can also contain false repository information,
e.g. installation HOWTOs like
https://en.opensuse.org/openSUSE:Tumbleweed_installation

And even if the access rights for additional pages can be restricted too, an
attacker can create new Wiki pages.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
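A defender-side check for the risk the report describes: a system administrator who copied repository definitions from a wiki page can audit the resulting zypper `.repo` files for hosts that are not the expected mirror, for one- or two-character lookalikes of it (such as the `opensus.org` example above), and for `gpgcheck=0`. This is an added example written for this page, not part of openSUSE's tooling or of the reporter's text; the allowlist, the `.repo` content and the edit-distance threshold of 2 are constructed assumptions.

```python
"""Audit zypper .repo definitions for non-official mirrors and weak GPG settings.

Added example for this bug report; not part of openSUSE tooling. The allowlist
and the sample .repo text below are constructed for illustration.
"""
import configparser
from urllib.parse import urlparse

# Hosts the repository definitions are expected to point at (constructed allowlist).
OFFICIAL_HOSTS = {"download.opensuse.org"}

# Sample .repo content in the INI layout zypper uses under /etc/zypp/repos.d/
# (constructed; the typo host mirrors the example from the bug report).
SAMPLE_REPOS = """\
[repo-oss]
name=Main Repository (OSS)
enabled=1
autorefresh=1
baseurl=http://download.opensuse.org/tumbleweed/repo/oss/
gpgcheck=1

[repo-oss-typo]
name=Main Repository (OSS) - copied from a wiki page
enabled=1
baseurl=http://download.opensus.org/tumbleweed/repo/oss/
gpgcheck=1

[repo-nocheck]
name=Some mirror
enabled=1
baseurl=http://download.opensuse.org/distribution/leap/42.1/repo/oss/
gpgcheck=0
"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot hosts that differ from an official one
    by only a character or two (a missing letter, a swapped letter)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_repos(repo_text: str, official_hosts=OFFICIAL_HOSTS) -> dict:
    """Return {repo_id: [findings]} for every enabled repo that deserves a look."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(repo_text)
    findings = {}
    for repo_id in parser.sections():
        section = parser[repo_id]
        if section.get("enabled", "1") == "0":
            continue  # a disabled repo cannot pull packages
        problems = []
        host = urlparse(section.get("baseurl", "")).hostname or ""
        if host not in official_hosts:
            nearest = min(official_hosts, key=lambda h: edit_distance(host, h))
            if edit_distance(host, nearest) <= 2:
                problems.append(f"host {host!r} looks like {nearest!r} (possible typosquat)")
            else:
                problems.append(f"host {host!r} is not in the allowlist")
        if section.get("gpgcheck", "1") != "1":
            problems.append("gpgcheck is disabled; package signatures are not verified")
        if problems:
            findings[repo_id] = problems
    return findings


if __name__ == "__main__":
    # On a real system, concatenate the files in /etc/zypp/repos.d/ instead.
    for repo_id, problems in audit_repos(SAMPLE_REPOS).items():
        print(repo_id)
        for problem in problems:
            print("  -", problem)
```

The typosquat branch matters more than the plain allowlist check: a host that is merely unknown is usually a private mirror, while a host within two edits of the official one is almost always a copy error or the substitution the report warns about, and deserves a look before the next `zypper dup`.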
http://bugzilla.opensuse.org/show_bug.cgi?id=975835#c1
--- Comment #1 from Christian Boltz
http://bugzilla.opensuse.org/show_bug.cgi?id=975835#c2
--- Comment #2 from Björn Voigt