On Tue, Dec 02, 2003 at 06:05:44PM +0100, Andreas Metzler wrote: > Joey Hess <joeyh@debian.org> wrote: > > Goswin von Brederlow wrote: > >> > dpkg that it is downgrading the package, and a clever attacker might > >> > avoid even that. > >> How would you avoid it? > > Make the replacement package really be a different package entirely, of > > a higher version than the package it purports to replace. > > I think aj had some more examples along these lines the last time this > > came up. > I still don't understand how you change the version number (or the > package-name) without breaking the signature. You change the contents of the compromised Packages file, so that Package: bash Essential: yes Priority: required Section: base Architecture: i386 Version: 2.05b-12 is accompanied by Filename: pool/main/b/bash/vulnerable-ident-server_1.0-1_i386.deb which contains a perfectly valid .deb file, signed by a DD, that has nothing whatsoever to do with bash. AFAIK, apt does not sanity check the relationship between package names and filenames (and it's not obvious that this should be part of its responsibilities), and dpkg only gets a list of .debs to install once they've been downloaded. -- Steve Langasek postmodern programmer
Attachment:
pgpI2kwP8PJXf.pgp
Description: PGP signature