On Tue, Dec 02, 2003 at 02:02:19PM -0600, Steve Langasek wrote: > On Tue, Dec 02, 2003 at 06:05:44PM +0100, Andreas Metzler wrote: > > Joey Hess <email@example.com> wrote: > > > Goswin von Brederlow wrote: > > >> > dpkg that it is downgrading the package, and a clever attacker might > > >> > avoid even that. > > > >> How would you avoid it? > > > > Make the replacement package really be a different package entirely, of > > > a higher version than the package it purports to replace. > > > > I think aj had some more examples along these lines the last time this > > > came up. > > > I still don't understand how you change the version number (or the > > package-name) without breaking the signature. > > You change the contents of the compromised Packages file, so that > > Package: bash > Essential: yes > Priority: required > Section: base > Architecture: i386 > Version: 2.05b-12 > > is accompanied by > > Filename: pool/main/b/bash/vulnerable-ident-server_1.0-1_i386.deb that information is already embedded in the .deb. Try "dpkg --control foo.deb; cd DEBIAN; ls". apt should sanity-check whether that information matches the information it already has (from, e.g., the Packages file). If not, it should scream as loud as possible. -- Wouter Verhelst Debian GNU/Linux -- http://www.debian.org Nederlandstalige Linux-documentatie -- http://nl.linux.org "Stop breathing down my neck." "My breathing is merely a simulation." "So is my neck, stop it anyway!" -- Voyager's EMH versus the Prometheus' EMH, stardate 51462.
Description: Digital signature