Flaws found in BSD, Linux software updaters

Though Linux and the BSD are considered to be very safe and secure operating systems, they are the products of human beings and hence not perfect:

The software update mechanisms used by most BSD and Linux operating systems can be tricked into installing buggy or known-to-be-compromised software on users’ systems, creating serious security risks, according to new research.

The study Package Management Security, to be published in a forthcoming issue of the university of Arizona Tech Report, analysed 10 package managers and found that all were vulnerable to exploits, allowing attackers to install unsafe software on target systems.

Package managers are designed to automatically keep software up-to-date and thus safe from known vulnerabilities. The packages analysed in the study were APT, APT-RPM, Pacman, portage, Ports, Slaktool, Stork, Urpmi, Yast and YUM.

Read the rest of the article here.

Securing FreeBSD’s update system could be a nice project for which funding could be requested. The FreeBSD Foundation is now requesting project proposals to improve FreeBSD. If there’s anybody out there with ideas on building in better security measures read on:

The FreeBSD Foundation is pleased to announce we are soliciting the submission of proposals for work relating to any of the major subsystems or infrastructure within the FreeBSD operating system.  A budget of $80,000 was allocated for 2008 to fund multiple development projects.

Proposals will be evaluated based on desirability, technical merit and cost-effectiveness.

To find out more about the proposal have a look here.


  1. says

    Most people see this so-called paper more as advertising for their own package management system (stork) than as real scientific paper. In fact there is almost no information toward *BSD, just a short mentioning of FreeBSD-update (ftp://ftp.cs.arizona.edu/reports/2008/TR08-02.pdf – page 18). And there is some real misleading information in terms of apt or rpm.

    For example: http://lists.opensuse.org/opensuse-security-announce/2008-07/msg00005.html

    And the source: http://www.cs.arizona.edu/people/justin/packagemanagersecurity/

    So in the end, nice advertising and the usual low quality of Zdnet.

    >Securing FreeBSD’s update system could be a nice project for which funding could be requested.

    That would be of course nice, but then we should first gather real facts than mere fiction.

  2. Gerard says

    I’m not an expert on update managers, so I’m sorry if I’ve linked to an article with incorrect data.
    One reason for referring to this article was that I want to be balanced with this blog. I don’t want to look like saying FreeBSD is the best OS in the world and there’s nothing wrong with it. Of course it’s not perfect. Readers are entitled to true facts and a balanced view.

  3. says

    I think what would really be beneficial to FreeBSD Project would be to start a group/mailing list/ documentation on “Best Practice” eg. This Project should cover, security, DRP, business continuity, it could be a very nice Documentation project for Business that want to implement FreeBSD in their organization.

    If there is anyone who wants assistance on research for the Papers that they would like to submit, I’m willing to help out. (Just reply in the comments :D )

    Also, Updating I really feel the Foundation can take this up, I believe that ‘freebsd-update’ is already a step in the right direction!

  4. says

    You can delete the 2nd posting :-)

    There is nothing wrong with your attitude, but everyone is referring to this paper while pointing at Linux _and_ BSD. And in the end they just mentioned FreeBSD (not the ports) packages and freebsd-update with some words.

  5. says

    Took a brief look at the paper, couldn’t really see what the fuss was about, as to why this justifies calling the updates flawed. Its kind of like saying a big flaw has been found in E-mail because it isn’t secure end to end. Its not a flaw its just the way it works. In practice, admins and users can take steps to improve the security.


Leave a Reply

Your email address will not be published. Required fields are marked *