Re: download.pl lets arbitrary stuff through

To: debian-www@lists.debian.org
Subject: Re: download.pl lets arbitrary stuff through
From: Stefan Scheler <stefan@scheler.com>
Date: Tue, 12 Dec 2006 08:00:54 +0100
Message-id: <[🔎] ellk3k$o0g$1@sea.gmane.org>
In-reply-to: <[🔎] 20061211224529.GC11081@javifsp.no-ip.org>
References: <[🔎] 20061211191711.GA2448@pcpool00.mathematik.uni-freiburg.de> <[🔎] 20061211200347.GA12277@javifsp.no-ip.org> <[🔎] elkfs7$lpt$1@sea.gmane.org> <[🔎] 20061211224529.GC11081@javifsp.no-ip.org>

> Please provide a demonstration attack that would force users into
> downloading, and wrongly checking, a malicious package. The only way that can
> happen is if a mirror is already compromised, and that's why whe have
> per-signature GPG releases for the archive [1].

Verification of signatures is unfortunately not available in woody or
sarge. Secondly, Debian mirrors have been hacked a couple of times,
haven't they? And besides, users can still be easily tricked into
believing the signatures on the mirror were wrong and can possibly be
tempted to use some alternative source provided by an attacker, etc.

> A proper fix would take the MD5sum from somewhere and not the user's
> submission [...].

Sounds like a good plan to me.

Stefan

Reply to:

References:
- download.pl lets arbitrary stuff through
  - From: "Bernhard R. Link" <brlink@debian.org>
- Re: download.pl lets arbitrary stuff through
  - From: Javier Fernández-Sanguino Peña <jfs@computer.org>
- Re: download.pl lets arbitrary stuff through
  - From: Stefan Scheler <stefan@scheler.com>
- Re: download.pl lets arbitrary stuff through
  - From: Javier Fernández-Sanguino Peña <jfs@computer.org>

Prev by Date: Re: download.pl lets arbitrary stuff through
Next by Date: Who's using Debian?
Previous by thread: Re: download.pl lets arbitrary stuff through
Next by thread: Bug#402631: Still gets data by arguments.
Index(es):
- Date
- Thread