
Re: Revival of the signed debs discussion

On Tue, Dec 02, 2003 at 06:05:44PM +0100, Andreas Metzler wrote:
> Joey Hess <joeyh@debian.org> wrote:
> > Goswin von Brederlow wrote:
> >> > dpkg that it is downgrading the package, and a clever attacker might
> >> > avoid even that.

> >> How would you avoid it?

> > Make the replacement package really be a different package entirely, of
> > a higher version than the package it purports to replace.

> > I think aj had some more examples along these lines the last time this
> > came up.

> I still don't understand how you change the version number (or the
> package-name) without breaking the signature.

You change the contents of the compromised Packages file, so that 

Package: bash
Essential: yes
Priority: required
Section: base
Architecture: i386
Version: 2.05b-12

is accompanied by

Filename: pool/main/b/bash/vulnerable-ident-server_1.0-1_i386.deb

which contains a perfectly valid .deb file, signed by a DD, that has
nothing whatsoever to do with bash.

AFAIK, apt does not sanity check the relationship between package names
and filenames (and it's not obvious that this should be part of its
responsibilities), and dpkg only gets a list of .debs to install once
they've been downloaded.

Steve Langasek
postmodern programmer
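The check Steve describes apt as not performing can be done offline by anyone who has a copy of the Packages file. The following script is an added example, not code from this thread or from apt/dpkg: it parses Packages-file stanzas and flags any whose Filename does not agree with the Package, Version and Architecture fields. The sample input is constructed for the example (the second stanza reproduces the substitution described above); the pool directory is deliberately not compared, because it names the source package, which legitimately differs from the binary package name (libc6 lives under glibc), and Debian filenames omit the version epoch, so that is stripped before comparison.

```python
import re

# Constructed sample Packages-file excerpt (not a real archive index):
# stanza 1 is consistent, stanza 2 points at an unrelated .deb as in the
# thread, stanza 3 shows an epoch and a differing source-package directory.
SAMPLE_PACKAGES = """\
Package: bash
Essential: yes
Priority: required
Section: base
Architecture: i386
Version: 2.05b-12
Filename: pool/main/b/bash/bash_2.05b-12_i386.deb

Package: bash
Essential: yes
Priority: required
Section: base
Architecture: i386
Version: 2.05b-12
Filename: pool/main/b/bash/vulnerable-ident-server_1.0-1_i386.deb

Package: libc6
Architecture: i386
Version: 1:2.3.2-1
Filename: pool/main/g/glibc/libc6_2.3.2-1_i386.deb
"""

# <name>_<version>_<arch>.deb; none of the three parts may contain "_".
DEB_NAME_RE = re.compile(
    r"^(?P<name>[a-z0-9][a-z0-9+.-]*)_(?P<version>[^_]+)_(?P<arch>[^_]+)\.deb$"
)


def parse_packages(text):
    """Split a Packages file into stanzas (dict of field -> value).
    Blank lines separate stanzas; lines starting with whitespace continue
    the previous field."""
    stanzas, current, last_field = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if current:
                stanzas.append(current)
                current, last_field = {}, None
            continue
        if line[0] in " \t" and last_field:
            current[last_field] += "\n" + line.strip()
            continue
        field, _, value = line.partition(":")
        current[field] = value.strip()
        last_field = field
    if current:
        stanzas.append(current)
    return stanzas


def strip_epoch(version):
    """Filenames omit the epoch: "1:2.3.2-1" is stored as "2.3.2-1"."""
    return version.split(":", 1)[1] if ":" in version else version


def check_stanza(stanza):
    """Return None if Filename agrees with Package/Version/Architecture,
    otherwise a short description of every mismatch found."""
    filename = stanza.get("Filename", "")
    basename = filename.rsplit("/", 1)[-1]
    m = DEB_NAME_RE.match(basename)
    if not m:
        return f"unparseable filename {filename!r}"
    problems = []
    if m["name"] != stanza.get("Package"):
        problems.append(f"name {m['name']!r} != Package {stanza.get('Package')!r}")
    if m["version"] != strip_epoch(stanza.get("Version", "")):
        problems.append(f"version {m['version']!r} != Version {stanza.get('Version')!r}")
    if m["arch"] != stanza.get("Architecture"):
        problems.append(f"arch {m['arch']!r} != Architecture {stanza.get('Architecture')!r}")
    return "; ".join(problems) or None


def find_mismatches(text):
    """Return (Package, Filename, reason) for every stanza that fails the check."""
    out = []
    for st in parse_packages(text):
        reason = check_stanza(st)
        if reason:
            out.append((st.get("Package"), st.get("Filename"), reason))
    return out


if __name__ == "__main__":
    for pkg, fn, why in find_mismatches(SAMPLE_PACKAGES):
        print(f"MISMATCH {pkg}: {fn}: {why}")
```

Run against a real index (for example the decompressed `Packages` file from `/var/lib/apt/lists/`) the script prints one line per inconsistent stanza. Passing this check is necessary but not sufficient: a consistent filename says nothing about whether the signature on the Packages file or on the .deb itself is the one expected, so it complements rather than replaces signature verification.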
