
Supply Chain Attacks on Linux Distributions – Fedora Pagure
This is a guest blogpost by friend of Fenrisk, Thomas Chauchefoin. Why Pagure? As discussed in the meta-article, we picked Pagure from the Fedora Apps Directory and already had a technical approach in mind.

These bugs would have allowed us to modify any of the repositories stored on Pagure and thus the specification of any Fedora package to change its upstream sources, scripts or distribution patches.

CVE-2024-47516: Argument Injection in PagureRepo.log()

As we expected, strace and a quick manual bottom-up code review reveal many calls to the git binary, despite Python bindings around libgit2 being available in the project. Because triggering the injection doesn't require an account on the Pagure instance, we started thinking about what could be truncated or replaced with the history of a repository that was not under our control, like Git hooks or configuration files.
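The bug class above comes from handing a caller-controlled string (a branch or ref name) straight to the git binary, where anything that starts with "-" is parsed as an option rather than as a ref. The following is an added example written for this page, not Pagure's own code: it contrasts a naive argv builder with a hardened one that allow-lists ref names, places the ref after git's `--end-of-options` marker (git 2.24 and later) and places paths after `--`. The function names and the repository path are hypothetical.

```python
import re
import subprocess

# Allow-list for ref names: must start with an alphanumeric character, so a
# value can never begin with "-" and be parsed as an option. This is a subset
# of what `git check-ref-format` enforces, kept deliberately strict.
_REF_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/-]*$")
_FORBIDDEN = ("..", "@{", "//", "/.", ".lock")


def is_safe_git_arg(value: str) -> bool:
    """Return True only for values that cannot be mistaken for a git option."""
    if not value or value.startswith("-"):
        return False
    if not _REF_RE.match(value):
        return False
    return not any(tok in value for tok in _FORBIDDEN)


def build_git_log_argv_unsafe(repo_path: str, ref: str) -> list:
    """The vulnerable pattern: the ref is interpolated into argv unchecked,
    so a ref beginning with "-" is consumed by git's option parser."""
    return ["git", "-C", repo_path, "log", ref]


def build_git_log_argv(repo_path: str, ref: str, path: str = None,
                       max_count: int = 50) -> list:
    """Hardened builder: validates the ref, pins it after --end-of-options
    and puts any path after "--" so neither can become an option."""
    if not is_safe_git_arg(ref):
        raise ValueError("refusing ref that could be parsed as an option: %r" % ref)
    argv = ["git", "-C", repo_path, "log", "--max-count=%d" % int(max_count),
            "--end-of-options", ref]
    if path is not None:
        if not path:
            raise ValueError("empty path")
        argv += ["--", path]
    return argv


def run_git_log(repo_path: str, ref: str, path: str = None) -> str:
    """Execute the hardened command as an argv list (no shell) and return stdout."""
    argv = build_git_log_argv(repo_path, ref, path)
    result = subprocess.run(argv, capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    # Constructed inputs for illustration; "-v" stands in for any option-like ref.
    print(build_git_log_argv_unsafe("/srv/git/example.git", "-v"))
    print(build_git_log_argv("/srv/git/example.git", "main", path="README.md"))
    try:
        build_git_log_argv("/srv/git/example.git", "-v")
    except ValueError as exc:
        print("rejected:", exc)
```

The allow-list is the primary control; `--end-of-options` is defence in depth for the ref and `--` for the path, since `--` alone does not protect arguments that must precede it.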
