Re: Revival of the signed debs discussion

[Andreas Metzler <ametzler@downhill.at.eu.org>]

Steve Langasek <vorlon@netexpress.net> wrote:
> On Tue, Dec 02, 2003 at 06:05:44PM +0100, Andreas Metzler wrote:
>> Joey Hess <joeyh@debian.org> wrote:
>> > Goswin von Brederlow wrote:
>> >> > dpkg that it is downgrading the package, and a clever attacker might
>> >> > avoid even that.

>> >> How would you avoid it?

>> > Make the replacement package really be a different package entirely, of
>> > a higher version than the package it purports to replace.

>> > I think aj had some more examples along these lines the last time this
>> > came up.

>> I still don't understand how you change the version number (or the
>> package-name) without breaking the signature.

> You change the contents of the compromised Packages file, so that 

> Package: bash
> Essential: yes
> Priority: required
> Section: base
> Architecture: i386
> Version: 2.05b-12

> is accompanied by

> Filename: pool/main/b/bash/vulnerable-ident-server_1.0-1_i386.deb

> which contains a perfectly valid .deb file, signed by a DD, that has
> nothing whatsoever to do with bash.

Thanks for the explanation.

> AFAIK, apt does not sanity check the relationship between package names
> and filenames (and it's not obvious that this should be part of its
> responsibilities),

Agreed, the filename should not matter, as it might be need to be
shortened due to filesystem limits.

> and dpkg only gets a list of .debs to install once
> they've been downloaded.

I see.

However all the necessary information to detect this would be
available, as 'dpkg --info vulnerable-ident-server_1.0-1_i386.deb | grep
^Package' is signature-protected and does not match 'Package: bash'.
                   cu andreas
-- 
Hey, da ist ein Ballonautomat auf der Toilette!
Unofficial _Debian-packages_ of latest unstable _tin_
http://www.logic.univie.ac.at/~ametzler/debian/tin-snapshot/