make qubes-receive-updates more defensive #356

Closed
marmarek opened this Issue Mar 8, 2015 · 1 comment

marmarek commented Mar 8, 2015

Reported by rafal on 16 Sep 2011 14:10 UTC

  1. output.find("pgp") will return true if attacker sends unsigned rpm with "pgp" in the package name.
    Make it regex check, with "pgp md5 OK$" ?
  2. we should check that the downloaded file is a regular file (and not a symlink to e.g. /dev/zero).

Migrated-From: https://wiki.qubes-os.org/ticket/356
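
The two checks proposed in the report above, as an added example (not code from the Qubes repository). The function names and both sample output lines are constructed for illustration; the signed-line format is an assumption modeled on the "pgp md5 OK" string quoted in the issue.

```python
import os
import re
import stat
import tempfile

# Anchored at the end of the line, as the issue suggests ("pgp md5 OK$").
SIGNED_OK = re.compile(r"pgp md5 OK$")

# Constructed sample checker output (assumed format: "<file name>: <status>").
UNSIGNED_SAMPLE = "pgp-tools-1.0.rpm: sha1 md5 OK"            # unsigned, "pgp" only in the name
SIGNED_SAMPLE = "tools-1.0.rpm: rsa sha1 (md5) pgp md5 OK"    # signed


def naive_is_signed(output: str) -> bool:
    """Substring test from the report: matches "pgp" anywhere, file name included."""
    return output.find("pgp") != -1


def strict_is_signed(output: str) -> bool:
    """Accept only a single output line that ends with the expected status."""
    lines = output.strip("\n").split("\n")
    return len(lines) == 1 and SIGNED_OK.search(lines[0]) is not None


def is_regular_file(path: str) -> bool:
    """lstat() does not follow symlinks, so a link to /dev/zero is rejected."""
    return stat.S_ISREG(os.lstat(path).st_mode)


def demo_file_checks():
    """Build a regular file and a symlink in a temp dir and classify both."""
    with tempfile.TemporaryDirectory() as d:
        real = os.path.join(d, "pkg.rpm")
        link = os.path.join(d, "link.rpm")
        with open(real, "wb") as f:
            f.write(b"constructed placeholder, not a real rpm")
        os.symlink("/dev/zero", link)
        return is_regular_file(real), is_regular_file(link)


if __name__ == "__main__":
    for sample in (UNSIGNED_SAMPLE, SIGNED_SAMPLE):
        print(sample, naive_is_signed(sample), strict_is_signed(sample))
    print(demo_file_checks())
```

lstat() describes the path at one moment only; if the directory stays writable by the sender, repeat the check with fstat() on the descriptor that is actually read.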

marmarek Mar 8, 2015

Comment by rafal on 16 Sep 2011 15:08 UTC
Fixed in http://git.qubes-os.org/?p=rafal/core.git;a=commit;h=2950ee717005eb148461c83a92eb088c9a542f92
prebeta2 branch.
