Last year, I had a few weeks between jobs and decided to look at the infrastructure security of random Linux distributions with the good friends at Fenrisk.
We ended up getting code execution on the Fedora Git forge hosting all package sources and on the Open Build Service instance of openSUSE. Nothing technically fancy (the usual silly argument injection bugs), but we could have effectively backdoored all their packages :Β°)
We finally presented the details last week at @1ns0mn1h4ck: https://fenrisk.com/assets/media/Don't%20let%20Jia%20Tan%20have%20all%20the%20fun_%20hacking%20into%20Fedora%20and%20OpenSUSE.pdf.
Also now available on the blog:
- Our approach: https://fenrisk.com/supply-chain-attacks
- Pagure: https://fenrisk.com/pagure
- OBS: https://fenrisk.com/open-build-service
Big kudos to distro maintainers, this was one of the most efficient disclosures of my life!
(now let's do kernel.org?)
@monsieuricon Will do! In this case we did a PoC locally and reached out to maintainers before testing on staging, I think thatβs the best way to proceed.