Snott

Author: snott

  • Pacman 4 arrives with package signing!

    Pacman 4 arrives with package signing!

    Pacman 4 has just been pushed into core after being in the testing repo for a while, this new version of pacman comes with a lot of new features and improvements over the older version, mainly:

    • well-integrated and powerful signed packages and databases support in pacman, the library, and scripts (FS#5331)
    • many code cleanup commits across library/binaries/scripts
    • add new -S --recursive operation to upgrade a full dep chain
    • allow -U operation even without sync databases (FS#26899)
    • handle PGP signatures with a .sign extension

    Among many others, these improvements can prove to be a deciding factor in some users switching to Arch from other Linux distros, specially those who are paranoid about security.

    Please note that if you are upgrading from the older pacman versions you would need to use a new tool called pacman-key to set up your keyring, like so:

    pacman-key –init

    Dont forget to either login as root or use sudo so you can execute this command. In my case, I had to do and extra step to get the package signing to work, as the Arch Linux news update suggested, package signing was in fact NOT disabled for me, so after I upgraded and did a pacman -Syu the output came out like this:

    Import PGP key 4FA415FA, "Jan Alexander Steffens (heftig) ", created 2011-08-25? [Y/n] y
    (31/31) checking package integrity error: coreutils: key "F99FFE0FEAE999BD" is unknown
    Import PGP key EAE999BD, "Allan McRae ", created 2011-06-03? [Y/n] y
    error: fontforge: signature from "Gaetan Bisson " is unknown trust error:
    libreoffice-draw: signature from "Andreas Radke "
    failed to commit transaction (invalid or corrupted package (PGP signature))
    Errors occurred, no packages were upgraded.


    So I was unable to update the system because pacman didn't trust any developers, so I turned to Allan McRae blog and found out a way to trust the developers by using the provided Master Keys: 

    for key in FFF979E7 CDFD6BB0 4C7EA887 6AC6A4C2 824B18E8; do
    pacman-key --recv-keys $key
    pacman-key --lsign-key $key
    printf 'trust\n3\nquit\n' | gpg --homedir /etc/pacman.d/gnupg/ \
        --no-permission-warning --command-fd 0 --edit-key $key
done

    That will effectively add those keys to the keyring and validate the downloaded packages succesfully, please note that this keys are being given "marginal" trust by default, as the PGP web of trust is set up such that if a key is signed by three keys of marginal trust, then that key will be trusted. In case you want to do this procedure manually and add every developer and Trusted user instead of just the Master Keys, you will need to use the pacman-key tool, get the PGP keys from the devs and trusted users and add them to the keyring, if you want more details, you can go to the pacman-key wiki page, linked on this same paragraph.

    What do you think of the new pacman? do you like it? hate it? please leave a comment with your opinion!

  • WineHQ database hacked!
    WineHQ database hacked!
    The WineHQ website reported to all of it users today about a security breach, and reset everyone’s passwords to avoid more harm being done.
    The hackers took advantage in a vulnerability of phpmyadmin, a utility used for managing databases and users.
    Here is the complete announcement posted in the mailing list:
    Hi,

I am sad to say that there was a compromise of the WineHQ database system.

What we know at this point that someone was able to obtain unauthorized
access to the phpmyadmin utility.  We do not exactly how they obtained
access; it was either by compromising an admins credentials, or by
exploiting an unpatched vulnerability in phpmyadmin.

We had reluctantly provided access to phpmyadmin to the appdb developers
(it is a very handy tool, and something they very much wanted).  But it
is a prime target for hackers, and apparently our best efforts at
obscuring it and patching it were not sufficient.

So we have removed all access to phpmyadmin from the outside world.

We do not believe the attackers obtained any other form of access to the
system.

On the one hand, we saw no evidence of harm to any database. We saw no
evidence of any attempt to change the database (and candidly, using the
real appdb or bugzilla is the easy way to change the database).

Unfortunately, the attackers were able to download the full login
database for both the appdb and bugzilla.  This means that they have all
of those emails, as well as the passwords.  The passwords are stored
encrypted, but with enough effort and depending on the quality of the
password, they can be cracked.

This, I'm afraid, is a serious threat; it means that anyone who uses the
same email / password on other systems is now vulnerable to a malicious
attacker using that information to access their account.

We are going to be resetting every password and sending a private email
to every affected user.

This is again another reminder to never use a common username / password
pair.  This web site provides further advice as well:
http://asiknews.wordpress.com/2011/03/02/best-practice-password-management-for-internet-web-sites/

I am very sad to have to report this.  We have so many challenges in our
world today that this is a particularly painful form of salt for our wounds.

However, I think it is urgent for everyone to know what happened.

Cheers,

Jeremy