
Re: leaks in our only-signed-software fortress



On 18.02.2012 13:32, Jakub Wilk wrote:
> I'll add to the list:
> - Packages that download and run untrusted code at build time.
May I add a similar case...
Take the non-free flash as an example... (yeah, I know it's non-free and not officially sec-supported). Even if it would use some SHA512 sums (hardcoded into the package) to verify the download (I don't know whether it does), the update mechanism is still outside of the package management system (one has to call update-flash or something like that)... so you bypass the whole central point of update management.


> FWIW, the Contents files _are_ signed, but AFAICS apt-file doesn't
> verify the signature.
> See #515942.


> But why is that a big deal?
What do you mean? Of not verifying it? Well, as always, someone can attack you if you somehow (for whatever reason) rely on the information being correct. Moreover, if there is some automatic parsing of those files, you can also easily think of attack vectors by manipulating the files...


> Could you point us to those which were ignored or denied?
Phew... I would have to do a lot of digging in my mails and bug reports to find them again.


Cheers,
Chris.
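As an added illustration of the "hardcoded SHA512 sums" check mentioned above (example code written for this archive page, not part of the original mail or of any Debian package): a small verifier that only accepts a downloaded artifact when its SHA-512 digest matches a digest pinned in the package, and refuses anything it has no pin for. The artifact bytes, the file name and the pin table are constructed here so the example runs offline; the `verify_download` and `is_trusted` names are this example's own.

```python
import hashlib
import hmac

# Constructed sample artifact; stands in for a downloaded tarball.
GOOD_PAYLOAD = b"pretend-this-is-the-downloaded-plugin-tarball\n"

# Constructed pin table: the digests a package would hardcode at build time.
# Computed here from the sample bytes so the example is self-contained.
PINNED_SHA512 = {
    "plugin.tar.gz": hashlib.sha512(GOOD_PAYLOAD).hexdigest(),
}


class VerificationError(Exception):
    """Raised when a downloaded artifact cannot be tied to a pinned digest."""


def verify_download(name, data, pins=PINNED_SHA512):
    """Return True only if `data` matches the pinned SHA-512 digest for `name`.

    Unknown names are rejected outright: an artifact without a pin is
    exactly the case in which the download would otherwise be trusted blindly.
    """
    expected = pins.get(name)
    if expected is None:
        raise VerificationError(f"no pinned digest for {name!r}; refusing to use it")
    actual = hashlib.sha512(data).hexdigest()
    # Constant-time comparison so the check itself leaks nothing about the digest.
    if not hmac.compare_digest(actual, expected):
        raise VerificationError(f"digest mismatch for {name!r}")
    return True


def is_trusted(name, data):
    """Boolean wrapper: True for a verified artifact, False for any rejection."""
    try:
        return verify_download(name, data)
    except VerificationError:
        return False


if __name__ == "__main__":
    print(is_trusted("plugin.tar.gz", GOOD_PAYLOAD))          # True
    print(is_trusted("plugin.tar.gz", GOOD_PAYLOAD + b"x"))   # False: tampered
    print(is_trusted("other.tar.gz", GOOD_PAYLOAD))           # False: no pin
```

Note that such a check only establishes that the bytes match what the package author pinned; it does not put the artifact's updates under the archive's signed update mechanism, which is the point the mail makes.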

