Re: Revival of the signed debs discussion
Steve Langasek <email@example.com> wrote:
> On Tue, Dec 02, 2003 at 06:05:44PM +0100, Andreas Metzler wrote:
>> Joey Hess <firstname.lastname@example.org> wrote:
>> > Goswin von Brederlow wrote:
>> >> > dpkg that it is downgrading the package, and a clever attacker might
>> >> > avoid even that.
>> >> How would you avoid it?
>> > Make the replacement package really be a different package entirely, of
>> > a higher version than the package it purports to replace.
>> > I think aj had some more examples along these lines the last time this
>> > came up.
>> I still don't understand how you change the version number (or the
>> package-name) without breaking the signature.
> You change the contents of the compromised Packages file, so that
> Package: bash
> Essential: yes
> Priority: required
> Section: base
> Architecture: i386
> Version: 2.05b-12
> is accompanied by
> Filename: pool/main/b/bash/vulnerable-ident-server_1.0-1_i386.deb
> which contains a perfectly valid .deb file, signed by a DD, that has
> nothing whatsoever to do with bash.
Thanks for the explanation.
> AFAIK, apt does not sanity check the relationship between package names
> and filenames (and it's not obvious that this should be part of its
Agreed, the filename should not matter, as it might need to be
shortened due to filesystem limits.
> and dpkg only gets a list of .debs to install once
> they've been downloaded.
However all the necessary information to detect this would be
available, as 'dpkg --info vulnerable-ident-server_1.0-1_i386.deb | grep
^Package' is signature-protected and does not match 'Package: bash'.
Hey, there's a balloon vending machine in the toilet!
Unofficial _Debian-packages_ of latest unstable _tin_
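The check Andreas describes above, cross-checking the `Package` field inside the downloaded .deb against the stanza apt fetched it for, written out as an added example. This is not apt's or dpkg's code: it reads the control file straight out of the .deb's ar/tar layers so it runs without dpkg, the function names (`check_download`, `deb_control_fields`, `build_deb`) are this example's own, the index stanza is the one quoted in the thread, and the two .deb files are constructed in-line (a genuine bash package and one whose control file belongs to the unrelated `vulnerable-ident-server` package). The `Filename` field is deliberately not compared, in line with the point that the filename itself may legitimately differ.

```python
"""Cross-check a downloaded .deb against the Packages index stanza it was
fetched for.  Added example (not apt/dpkg code); it reads the .deb's control
file directly, so it runs without dpkg installed."""
import io
import tarfile


def parse_stanza(text: str) -> dict:
    """Parse one RFC822-style stanza (Packages index or control file) into a dict.
    Continuation lines (leading whitespace, e.g. long Descriptions) are skipped."""
    fields = {}
    for line in text.splitlines():
        if not line.strip() or line[0] in " \t":
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def deb_control_fields(deb: bytes) -> dict:
    """Walk the .deb's ar archive, find control.tar*, and parse its 'control' file."""
    if not deb.startswith(b"!<arch>\n"):
        raise ValueError("not an ar archive")
    pos = 8
    while pos + 60 <= len(deb):
        header = deb[pos:pos + 60]
        name = header[0:16].decode("ascii").strip().rstrip("/")
        size = int(header[48:58].decode("ascii").strip())
        body = deb[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)  # ar members are padded to even offsets
        if name.startswith("control.tar"):
            with tarfile.open(fileobj=io.BytesIO(body), mode="r:*") as tar:
                for member in tar.getmembers():
                    if member.isfile() and member.name.split("/")[-1] == "control":
                        return parse_stanza(tar.extractfile(member).read().decode())
    raise ValueError("no control file found in .deb")


def check_download(index_stanza: str, deb: bytes) -> list:
    """Return one message per field where the index and the .deb disagree.
    An empty list means the .deb really is the package the index claimed."""
    expected = parse_stanza(index_stanza)
    actual = deb_control_fields(deb)
    problems = []
    for field in ("Package", "Version", "Architecture"):
        if expected.get(field) != actual.get(field):
            problems.append(f"{field}: index says {expected.get(field)!r}, "
                            f".deb says {actual.get(field)!r}")
    return problems


# --- constructed fixtures: a minimal .deb builder and two sample packages ---

def _ar_member(name: str, data: bytes) -> bytes:
    # ar header: name[16] mtime[12] uid[6] gid[6] mode[8] size[10] magic[2]
    header = (name.ljust(16) + "0".ljust(12) + "0".ljust(6) + "0".ljust(6)
              + "100644".ljust(8) + str(len(data)).ljust(10) + "`\n").encode("ascii")
    return header + data + (b"\n" if len(data) % 2 else b"")


def build_deb(control_text: str) -> bytes:
    """Constructed minimal .deb: debian-binary, control.tar.gz, empty data.tar.gz."""
    def tgz(files: dict) -> bytes:
        buf = io.BytesIO()
        with tarfile.open(fileobj=buf, mode="w:gz") as tar:
            for name, content in files.items():
                info = tarfile.TarInfo(name)
                info.size = len(content)
                tar.addfile(info, io.BytesIO(content))
        return buf.getvalue()
    return (b"!<arch>\n"
            + _ar_member("debian-binary", b"2.0\n")
            + _ar_member("control.tar.gz", tgz({"./control": control_text.encode()}))
            + _ar_member("data.tar.gz", tgz({})))


# The stanza quoted in the thread: index claims bash, Filename points elsewhere.
INDEX_STANZA = """Package: bash
Essential: yes
Priority: required
Section: base
Architecture: i386
Version: 2.05b-12
Filename: pool/main/b/bash/vulnerable-ident-server_1.0-1_i386.deb
"""

GENUINE_DEB = build_deb("Package: bash\nVersion: 2.05b-12\nArchitecture: i386\n")
SUBSTITUTED_DEB = build_deb(
    "Package: vulnerable-ident-server\nVersion: 1.0-1\nArchitecture: i386\n")

if __name__ == "__main__":
    print("genuine:", check_download(INDEX_STANZA, GENUINE_DEB) or "ok")
    print("substituted:", check_download(INDEX_STANZA, SUBSTITUTED_DEB))
```

Run stand-alone it reports no problems for the genuine package and two for the substituted one (`Package` and `Version` disagree). The comparison is on the control fields the maintainer signed into the .deb, which is exactly the information the `dpkg --info ... | grep ^Package` check in the message relies on; an installer that performed it after download and before handing the file to dpkg would refuse the swapped package.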