
Re: Revival of the signed debs discussion

On Tue, Dec 02, 2003 at 02:02:19PM -0600, Steve Langasek wrote:
> You change the contents of the compromised Packages file, so that 
> Package: bash
> is accompanied by
> Filename: pool/main/b/bash/vulnerable-ident-server_1.0-1_i386.deb
> which contains a perfectly valid .deb file, signed by a DD, that has
> nothing whatsoever to do with bash.
> AFAIK, apt does not sanity check the relationship between package names
> and filenames (and it's not obvious that this should be part of its
> responsibilities), and dpkg only gets a list of .debs to install once
> they've been downloaded.

Problem is that apt runs:

	# dpkg -i vulnerable-ident-server_1.0-1_i386.deb
	# dpkg --configure bash

the latter will generally give you an error, and for remote exploits,
just unpacking the vulnerable software isn't enough. It's probably fine
for local exploits, but you'd have to be on your toes.

Getting apt to downgrade a package you've already got installed is more
straightforward; although "apt-get dist-upgrade; apt-get dist-upgrade"
will keep trying to download the same deb then.

Getting apt to upgrade a package you've already got installed to something
newer that's vulnerable isn't detectable, but will usually need a newer
libc6, which is a good warning sign.


Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. GPG signed mail preferred.

               Linux.conf.au 2004 -- Because we can.
           http://conf.linux.org.au/ -- Jan 12-17, 2004
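The check Steve says apt does not perform (that the Filename an index stanza points at is actually the package the stanza claims) can be done both on the index itself and on the downloaded .deb, before anything is handed to dpkg -i. The Python below is an added example written for this thread, not apt or dpkg code. It assumes the Debian pool naming convention name_version_arch.deb with the epoch dropped from the version, and that a .deb is an ar archive whose control.tar.gz contains a control file; the Packages text and the .deb fixtures are constructed in memory, the first stanza being the bash/vulnerable-ident-server swap from the quoted message.

```python
"""Added example: sanity-check a Packages entry against the .deb it names.
Check 1: Filename basename == <Package>_<Version minus epoch>_<Arch>.deb,
the Debian pool convention.  Check 2: the control file inside the .deb
(an 'ar' archive with control.tar.gz) reports the same fields as the index.
The index and the .deb files below are constructed fixtures."""
import io
import posixpath
import tarfile


def parse_stanzas(text):
    """Parse RFC822-style stanzas (Packages index or control file) into dicts."""
    stanzas, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                stanzas.append(cur)
            cur = {}
        elif line[0] not in " \t":            # continuation lines are skipped
            key, _, value = line.partition(":")
            cur[key.strip()] = value.strip()
    return stanzas + ([cur] if cur else [])


def expected_basename(package, version, arch):
    """Filename the Debian pool would use; the epoch ('1:') is not part of it."""
    return f"{package}_{version.split(':', 1)[-1]}_{arch}.deb"


def ar_members(blob):
    """Iterate (name, bytes) over a .deb, which is a plain 'ar' archive."""
    if blob[:8] != b"!<arch>\n":
        raise ValueError("not an ar archive")
    pos = 8
    while pos + 60 <= len(blob):
        header = blob[pos:pos + 60]            # 60-byte fixed-width member header
        name = header[:16].decode().strip().rstrip("/")
        size = int(header[48:58].decode())     # decimal size field
        yield name, blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)          # members are padded to even offsets


def deb_control(blob):
    """Return the control-file fields of a .deb as a dict."""
    for name, body in ar_members(blob):
        if name.startswith("control.tar"):
            with tarfile.open(fileobj=io.BytesIO(body), mode="r:*") as tf:
                for member in tf.getmembers():
                    if posixpath.basename(member.name) == "control":
                        return parse_stanzas(tf.extractfile(member).read().decode())[0]
    raise ValueError("no control file in .deb")


def check_entry(stanza, deb_blob=None):
    """Return a list of inconsistencies; an empty list means the entry is sane."""
    problems = []
    want = expected_basename(stanza["Package"], stanza["Version"], stanza["Architecture"])
    got = posixpath.basename(stanza["Filename"])
    if got != want:
        problems.append(f"Filename {got!r}, expected {want!r}")
    if deb_blob is not None:                  # second check, once the file is downloaded
        control = deb_control(deb_blob)
        for field in ("Package", "Version", "Architecture"):
            if control.get(field) != stanza.get(field):
                problems.append(f"{field}: index says {stanza.get(field)!r}, "
                                f".deb says {control.get(field)!r}")
    return problems


def build_deb(fields):
    """Build a minimal .deb in memory (test fixture only; empty data.tar.gz)."""
    control = "".join(f"{k}: {v}\n" for k, v in fields.items()).encode()
    ctrl_tar, data_tar = io.BytesIO(), io.BytesIO()
    with tarfile.open(fileobj=ctrl_tar, mode="w:gz") as tf:
        info = tarfile.TarInfo("./control")
        info.size = len(control)
        tf.addfile(info, io.BytesIO(control))
    with tarfile.open(fileobj=data_tar, mode="w:gz"):
        pass
    out = b"!<arch>\n"
    for name, body in (("debian-binary", b"2.0\n"),
                       ("control.tar.gz", ctrl_tar.getvalue()),
                       ("data.tar.gz", data_tar.getvalue())):
        out += f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(body):<10}`\n".encode()
        out += body + (b"\n" if len(body) % 2 else b"")
    return out


# Constructed fixture: the first stanza is the swap described in the thread.
PACKAGES_INDEX = """\
Package: bash
Version: 2.05b-14
Architecture: i386
Filename: pool/main/b/bash/vulnerable-ident-server_1.0-1_i386.deb

Package: bash
Version: 2.05b-14
Architecture: i386
Filename: pool/main/b/bash/bash_2.05b-14_i386.deb
"""
SWAPPED_CONTROL = {"Package": "vulnerable-ident-server", "Version": "1.0-1",
                   "Architecture": "i386"}
GENUINE_CONTROL = {"Package": "bash", "Version": "2.05b-14", "Architecture": "i386"}
```

Running check_entry on the first stanza flags the Filename mismatch from the index alone, and, once the .deb is fetched, the Package and Version mismatches in its control file as well; the genuine stanza produces no findings. The index-side check is cheap enough to run before any download, which is the point where apt already knows both the package name and the Filename it is about to fetch.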
