Re: Revival of the signed debs discussion
Steve Langasek <vorlon@netexpress.net> wrote:
> On Tue, Dec 02, 2003 at 06:05:44PM +0100, Andreas Metzler wrote:
>> Joey Hess <joeyh@debian.org> wrote:
>> > Goswin von Brederlow wrote:
>> >> > dpkg that it is downgrading the package, and a clever attacker might
>> >> > avoid even that.
>> >> How would you avoid it?
>> > Make the replacement package really be a different package entirely, of
>> > a higher version than the package it purports to replace.
>> > I think aj had some more examples along these lines the last time this
>> > came up.
>> I still don't understand how you change the version number (or the
>> package-name) without breaking the signature.
> You change the contents of the compromised Packages file, so that
> Package: bash
> Essential: yes
> Priority: required
> Section: base
> Architecture: i386
> Version: 2.05b-12
> is accompanied by
> Filename: pool/main/b/bash/vulnerable-ident-server_1.0-1_i386.deb
> which contains a perfectly valid .deb file, signed by a DD, that has
> nothing whatsoever to do with bash.
Thanks for the explanation.
> AFAIK, apt does not sanity check the relationship between package names
> and filenames (and it's not obvious that this should be part of its
> responsibilities),
Agreed, the filename should not matter, as it might need to be
shortened due to filesystem limits.
> and dpkg only gets a list of .debs to install once
> they've been downloaded.
I see.
However all the necessary information to detect this would be
available, as 'dpkg --info vulnerable-ident-server_1.0-1_i386.deb | grep
^Package' is signature-protected and does not match 'Package: bash'.
cu andreas
--
Hey, there's a balloon vending machine in the restroom!
Unofficial _Debian-packages_ of latest unstable _tin_
http://www.logic.univie.ac.at/~ametzler/debian/tin-snapshot/
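
Added example, not part of the original mail and not apt or dpkg code: the comparison described in the message above, checking the fields of a Packages index entry against the control fields carried inside the downloaded .deb. The function names are hypothetical and the .deb control text is a constructed sample.

```python
# Added example; function names are hypothetical, not apt or dpkg code.
# Fields (lowercased) that must agree between index entry and .deb control data.
CHECKED_FIELDS = ("package", "version", "architecture")

def parse_stanza(text):
    """Parse one deb822-style stanza into a dict keyed by lowercased field name."""
    fields, last = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t":  # continuation line of the previous field
            if last is None:
                raise ValueError("continuation line before any field")
            fields[last] += "\n" + line.strip()
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        last = name.strip().lower()
        fields[last] = value.strip()
    return fields

def mismatches(index_stanza, deb_control):
    """Return (field, index_value, deb_value) for each checked field that differs."""
    idx, deb = parse_stanza(index_stanza), parse_stanza(deb_control)
    return [(f, idx.get(f), deb.get(f)) for f in CHECKED_FIELDS if idx.get(f) != deb.get(f)]

# Index entry as quoted in the thread.
INDEX_ENTRY = """\
Package: bash
Essential: yes
Priority: required
Section: base
Architecture: i386
Version: 2.05b-12
Filename: pool/main/b/bash/vulnerable-ident-server_1.0-1_i386.deb
"""

# Constructed sample of the substituted .deb's control fields
# (on a real system this text would come from `dpkg-deb -f <file.deb>`).
DEB_CONTROL = """\
Package: vulnerable-ident-server
Version: 1.0-1
Architecture: i386
Description: constructed sample control data
 for illustration only
"""

if __name__ == "__main__":
    print(mismatches(INDEX_ENTRY, DEB_CONTROL))
```

For the entry quoted in the thread, the Package and Version fields disagree while Architecture matches, so an installer applying this check would refuse the file before handing it to dpkg.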