[zypp-devel] Re: [zypp-commit] r11689 - /trunk/zypper/src/Zypper.cc
On Mon, Nov 17, 2008 at 12:29:03PM -0000, jkupec@svn.opensuse.org wrote:
--- trunk/zypper/src/Zypper.cc (original) +++ trunk/zypper/src/Zypper.cc Mon Nov 17 13:29:03 2008 @@ -3092,6 +3092,12 @@ repo.setAlias(TMP_RPM_REPO_ALIAS); repo.setName(_("Plain RPM files cache")); repo.setKeepPackages(false); + // empty packages path would cause unwanted removal of installed rpms + // in current working directory (bnc #444897) + // OTOH packages path == ZYPPER_RPM_CACHE_DIR (the same as repo URI) + // causes cp file thesamefile, which fails silently. This may be worth + // fixing in libzypp. + repo.setPackagesPath("/tmp/zypper");
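Review bot: the fixed path in repo.setPackagesPath("/tmp/zypper") puts the package staging directory at a predictable name inside world-writable /tmp. Any local user can create that name first, as a directory they own or as a symlink, and the rpm copied there is what gets installed afterwards. Please use a directory created privately for this run (unique name, mode 0700, removed when zypper exits) instead of a constant. Separately, the new comment says that a packages path equal to ZYPPER_RPM_CACHE_DIR makes the copy fail silently; that failure should be reported rather than only worked around here, and the bug number cited in the comment should be re-checked.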
Is /tmp/zypper safe (security wise)? Also, 444897 is some dmraid bug.
Cheers, Michael.
--
Michael Schroeder mls@suse.de
SUSE LINUX Products GmbH, GF Markus Rex, HRB 16746 AG Nuernberg
main(_){while(_=~getchar())putchar(~_-1/(~(_|32)/13*2-11)*13);}
--
To unsubscribe, e-mail: zypp-devel+unsubscribe@opensuse.org
For additional commands, e-mail: zypp-devel+help@opensuse.org
On Monday 17 November 2008 14:43:44 Michael Schroeder wrote:
On Mon, Nov 17, 2008 at 12:29:03PM -0000, jkupec@svn.opensuse.org wrote:
--- trunk/zypper/src/Zypper.cc (original) +++ trunk/zypper/src/Zypper.cc Mon Nov 17 13:29:03 2008 @@ -3092,6 +3092,12 @@ repo.setAlias(TMP_RPM_REPO_ALIAS); repo.setName(_("Plain RPM files cache")); repo.setKeepPackages(false); + // empty packages path would cause unwanted removal of installed rpms + // in current working directory (bnc #444897) + // OTOH packages path == ZYPPER_RPM_CACHE_DIR (the same as repo URI) + // causes cp file thesamefile, which fails silently. This may be worth + // fixing in libzypp. + repo.setPackagesPath("/tmp/zypper");
Is /tmp/zypper safe (security wise)?
Why such zypper special a hack, instead of fixing it?
--
cu, Michael Andres
Key fingerprint = 2DFA 5D73 18B1 E7EF A862 27AC 3FB8 9E3A 27C6 B0E4
Michael Andres, YaST Development, ma@novell.com
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
Maxfeldstrasse 5, D-90409 Nuernberg, Germany, ++49 (0)911 - 740 53-0
Michael Andres wrote:
On Monday 17 November 2008 14:43:44 Michael Schroeder wrote:
On Mon, Nov 17, 2008 at 12:29:03PM -0000, jkupec@svn.opensuse.org wrote:
--- trunk/zypper/src/Zypper.cc (original) +++ trunk/zypper/src/Zypper.cc Mon Nov 17 13:29:03 2008 @@ -3092,6 +3092,12 @@ repo.setAlias(TMP_RPM_REPO_ALIAS); repo.setName(_("Plain RPM files cache")); repo.setKeepPackages(false); + // empty packages path would cause unwanted removal of installed rpms + // in current working directory (bnc #444897) + // OTOH packages path == ZYPPER_RPM_CACHE_DIR (the same as repo URI) + // causes cp file thesamefile, which fails silently. This may be worth + // fixing in libzypp. + repo.setPackagesPath("/tmp/zypper"); Is /tmp/zypper safe (security wise)?
Should be. The packagesPath dir is only used to copy the .rpm file from repo; any file with the same name is overwritten, then the rpm is installed & removed. An attacker would need to put a malicious rpm in place of the original very quickly. Is that an issue? If yes, I can change it to a TmpDir existing during lifetime of zypper.
Why such zypper special a hack, instead of fixing it?
Zypper install local.rpm is using a temporary plaindir repo created and added to RepoManager on-the-fly. That's why it has an empty packagesPath by default and that's why the bug (it's #445504, not 444897, sorry). So my first thought was to set it to /var/cache/zypper/RPMS (the path of the tmp _repo_), but then I realized the problem with 'cp file thesamefile'. I did not fix it, because you'll never have such a setup unless you really want to. So I just set another packagesPath in zypper.
--
cheers, jano
Ján Kupec, YaST team
Key ID: 637EE901 Fingerprint: 93B9 C79B 2D20 51C3 800B E09B 8048 46A6 637E E901
Jan Kupec wrote:
Michael Andres wrote:
On Monday 17 November 2008 14:43:44 Michael Schroeder wrote:
On Mon, Nov 17, 2008 at 12:29:03PM -0000, jkupec@svn.opensuse.org wrote:
--- trunk/zypper/src/Zypper.cc (original) +++ trunk/zypper/src/Zypper.cc Mon Nov 17 13:29:03 2008 @@ -3092,6 +3092,12 @@ repo.setAlias(TMP_RPM_REPO_ALIAS); repo.setName(_("Plain RPM files cache")); repo.setKeepPackages(false); + // empty packages path would cause unwanted removal of installed rpms + // in current working directory (bnc #444897) + // OTOH packages path == ZYPPER_RPM_CACHE_DIR (the same as repo URI) + // causes cp file thesamefile, which fails silently. This may be worth + // fixing in libzypp. + repo.setPackagesPath("/tmp/zypper"); Is /tmp/zypper safe (security wise)?
Should be. The packagesPath dir is only used to copy the .rpm file from repo; any file with the same name is overwritten, then the rpm is
that is, if keeppackages = 0, as in this case
installed & removed. An attacker would need to put a malicious rpm in place of the original very quickly. Is that an issue? If yes, I can change it to a TmpDir existing during lifetime of zypper.
Why such zypper special a hack, instead of fixing it?
Zypper install local.rpm is using a temporary plaindir repo created and added to RepoManager on-the-fly. That's why it has an empty packagesPath by default and that's why the bug (it's #445504, not 444897, sorry). So my first thought was to set it to /var/cache/zypper/RPMS (the path of the tmp _repo_), but then I realized the problem with 'cp file thesamefile'. I did not fix it, because you'll never have such a setup unless you really want to. So I just set another packagesPath in zypper.
--
cheers, jano
Ján Kupec, YaST team
Key ID: 637EE901 Fingerprint: 93B9 C79B 2D20 51C3 800B E09B 8048 46A6 637E E901
On Mon, Nov 17, 2008 at 05:13:50PM +0100, Jan Kupec wrote:
Should be. The packagesPath dir is only used to copy the .rpm file from repo; any file with the same name is overwritten, then the rpm is installed & removed. An attacker would need to put a malicious rpm in place of the original very quickly. Is that an issue?
I think so, there exist lots of attacks which exploit exactly such races.
If yes, I can change it to a TmpDir existing during lifetime of zypper.
Please do.
Thanks, Michael.
--
Michael Schroeder mls@suse.de
SUSE LINUX Products GmbH, GF Markus Rex, HRB 16746 AG Nuernberg
main(_){while(_=~getchar())putchar(~_-1/(~(_|32)/13*2-11)*13);}
Michael Schroeder wrote:
On Mon, Nov 17, 2008 at 05:13:50PM +0100, Jan Kupec wrote:
Should be. The packagesPath dir is only used to copy the .rpm file from repo; any file with the same name is overwritten, then the rpm is installed & removed. An attacker would need to put a malicious rpm in place of the original very quickly. Is that an issue?
I think so, there exist lots of attacks which exploit exactly such races.
If yes, I can change it to a TmpDir existing during lifetime of zypper.
Please do.
OK, done.
--
cheers, jano
Ján Kupec, YaST team
Key ID: 637EE901 Fingerprint: 93B9 C79B 2D20 51C3 800B E09B 8048 46A6 637E E901
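The kind of per-run temporary directory agreed on in this thread, as an added example (not zypper or libzypp code, and not the change that was committed). PrivateStagingDir, createExclusive, isPrivate and the rpmstage prefix are hypothetical names; the point is an unpredictable 0700 directory plus exclusive file creation, so nothing already sitting in /tmp is reused or overwritten.

```cpp
// Added example, not zypper/libzypp code: private staging dir instead of /tmp/zypper.
#include <cerrno>
#include <cstdlib>
#include <stdexcept>
#include <string>
#include <vector>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

// Hypothetical RAII helper: the directory exists exactly as long as the object.
class PrivateStagingDir {
public:
    PrivateStagingDir() {
        const char* base = std::getenv("TMPDIR");
        path_ = std::string(base && *base ? base : "/tmp") + "/rpmstage.XXXXXX";
        // mkdtemp() picks an unpredictable name and creates it atomically with
        // mode 0700; it never reuses something already present at that name.
        if (!mkdtemp(&path_[0])) throw std::runtime_error("mkdtemp failed");
    }
    ~PrivateStagingDir() {
        for (const auto& f : files_) unlink(f.c_str());
        rmdir(path_.c_str());
    }
    PrivateStagingDir(const PrivateStagingDir&) = delete;
    PrivateStagingDir& operator=(const PrivateStagingDir&) = delete;
    const std::string& path() const { return path_; }

    // Create `name` for writing. O_EXCL | O_NOFOLLOW refuses an existing file
    // or symlink instead of overwriting it. Returns an fd, or -1 with errno set.
    int createExclusive(const std::string& name) {
        if (name.empty() || name.find('/') != std::string::npos) { errno = EINVAL; return -1; }
        const std::string full = path_ + "/" + name;
        int fd = open(full.c_str(), O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
        if (fd >= 0) files_.push_back(full);
        return fd;
    }
    // True if the directory is ours and closed to group and other.
    bool isPrivate() const {
        struct stat st;
        return lstat(path_.c_str(), &st) == 0 && S_ISDIR(st.st_mode) &&
               st.st_uid == geteuid() && (st.st_mode & 077) == 0;
    }
private:
    std::string path_;
    std::vector<std::string> files_;
};
```

A caller would write the package through the returned descriptor and hand the installer a path inside path(), keeping the object alive until installation has finished.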
participants (3)
- Jan Kupec
- Michael Andres
- Michael Schroeder