September 2017 - openSUSE Security - openSUSE Mailing Lists

[opensuse-security] Build Service key
by linux maillist 04 Oct '17

04 Oct '17

Hello, I think the buildservice(a)opensuse.org key ( 0x6B9D6523) can be regarded a very important key. Thus, I wonder why is it not signed by the SUSE security team? It is signed by Marcus Meissner, which is fine, but shouldn´t such an important key be signed as well by the security team or at least by the openSUSE project signing key? IMHO that would grant a stronger chain of trust for that key..... -- To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse-security+owner(a)opensuse.org

5 4

[opensuse-security] does CVE-2017-9798 affect us?
by Mathias Homann 27 Sep '17

27 Sep '17

Hi, just came across https://arstechnica.com/information-technology/2017/09/ apache-bug-leaks-contents-of-server-memory-for-all-to-see-patch-now/, does CVE-2017-9798 affect openSUSE/SLES/SLED? Cheers Mathias -- Mathias Homann Senior Systems Engineer, IT Consultant. IT Trainer Mathias.Homann(a)openSUSE.org http://www.tuxonline.tech gpg key fingerprint: 8029 2240 F4DD 7776 E7D2 C042 6B8E 029E 13F2 C102

3 3

[opensuse-security] security holes in nvidia driver
by Mathias Homann 27 Sep '17

27 Sep '17

Hi guys, this just in: http://nvidia.custhelp.com/app/answers/detail/a_id/4544 Seems that there are several security-relevant holes in nvidia drivers that can be exploited to gain local root access. Please update the provided drivers to the versions listed on that page or better quickly. Cheers Mathias -- To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse-security+owner(a)opensuse.org

2 1

[opensuse-security] Doubt on the security model of OBS repo signing
by star＠aosc.io 18 Sep '17

18 Sep '17

## Prelude Recently I received checksum error during system upgrade, something like this: > 2017-09-11 20:28:48 <1> brilliant-laptop(25623) [zypp++] > MediaCurl.cc(log_redirects_curl):135 redirecting to Location: > http://ftp-srv2.kddilabs.jp/Linux/packages/opensuse/tumbleweed/repo/oss/sus… > 2017-09-11 20:28:48 <2> brilliant-laptop(25623) [FileChecker] > FileChecker.cc(operator()):64 File > /var/cache/zypp/packages/repo-oss/suse/noarch/qemu-sgabios-8-1.1.noarch.rpm > has wrong checksum sha1-1f96e12b066af531cec4d104fa4522966fb8af4f > (expected sha1-18f04703e82b012340400398f0b7404b07b77769) I think my ISP might have a transparent proxy server to save their bandwidth, and the file on that proxy server might be broken. I have been even once offered a corrupted installer ISO! (which installed without any error in a test VM.) I am not sure if I am suffering from a deliberate MITM attack. So I spent some time investigating the security model of openSUSE package delivering. ## Investigation I set up Wireshark and some other tools to capture the network data. Here are my findings. (If anything below is wrong, please tell me.) - All official repos (repo-debug, repo-non-oss, repo-oss, repo-source, repo-update) are HTTP, but their GPG keys are preloaded in the installer ISO. If the user checksums their installation media, this will be safe enough. - If the user choose to One-Click-Install an "unstable package" on software.opensuse.org, the ymp script is served in HTTPS, but OBS repository URLs are HTTP by default. - OneClickInstallUI fetches repomod.xml.key in plain HTTP, and asks the user whether to "Import Untrusted GPG Key". - It is not easy to check whether the GPG key is correct by hand & eye. At least it is not one-click-available, since the "GPG Key / SSL Certificate" button is only visible on the page of your own OBS project. - It is lucky that repomod.xml.key is not distributed to 3rd-party mirrors by MirrorBrain. Although mirrors can do no evil to the key, it might still be vulnerable to an MITM attack. Conclution, official repos are safe, but OBS repos are something we might be careful. Although openSUSE is not responsible for the quality of the software in user repos, it had better to lengthen the shortest stave on the security barrel for the user. ## Suggestions It might be difficult to modify the current architecture. I want to suggest some ways to make it better. I am not sure if they works, let's just discuss them. 1. Embedding the GPG key in ymp script. This might require modification to OneClickInstallUI, and it is safe once ymp is served with HTTPS. Any 3rd-party repo may benefit from the feature by embedding their keys. 2. Showing GPG key in a place where the user can never miss it. Also educate the user to check it. This include not hiding the "GPG Key / SSL Certificate" button to repo not owned by oneself. In addition, put it on both build.opensuse.org and software.opensuse.org. 3. Alternatively, serving the repo metadata in HTTPS, but packages in HTTP. This requires least modification to the client. Since repomod.xml.key is already bypassing MirrorBrain, simply modify the repo's URL to HTTPS will make it safe. As side-effects, it will increase the load to download.opensuse.org server, and will increase the time required to do a "zypper refresh". Anyway, if I made any mistake in this mail, please tell me. I hope openSUSE could be more secure and easier to use. -- StarBrilliant -- To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse-security+owner(a)opensuse.org

2 3