
Re: Package management unsafe?




Steinar H. Gunderson wrote:
>> http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on-package-managers.html
>> 
>> What are people's thoughts on this?
> 
> It's been known for quite a while. (I asked one of the guys publishing it,
> and he was fully aware of that, but felt it was still important to bring
> light to it.)

I'm the researcher that Steinar exchanged emails with. I just wanted to
clarify this a bit as I believe he misunderstood something I said the
other week. -- Sorry for any confusion, Steinar.

These types of attacks, replay attacks[1] and endless data attacks[2],
were well-known in general, but not with respect to APT or other package
managers being vulnerable to them. We by no means are claiming to have
discovered replay attacks, nor are we aware of previous widespread
disclosure that package managers are vulnerable to these attacks.

A big thank you to the various Debian security people who have helped
answer questions and verify information for us recently. I believe most
of the issues we disclosed are in discussion and will be addressed.

[1] http://en.wikipedia.org/wiki/Replay_attack
[2] http://insecure.org/stf/wietse_murphy.html

--
Justin Samuel
https://www.cs.arizona.edu/~jsamuel/
gpg: 0xDDF1F3EE [66EF 84E2 F184 B140 712B 55A7 2B96 AB8F DDF1 F3EE]
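A client-side illustration of the two defences the post alludes to, rejecting replayed stale metadata and capping an endless download, added here as an example and not code from the post, from APT or from the paper. The Release-style text, the handling of its Date field, the size cap and the one-week age policy are all constructed assumptions.

```python
import io
from email.parser import HeaderParser
from email.utils import parsedate_to_datetime

MAX_RELEASE_BYTES = 64 * 1024      # assumed cap; a real index is a few KB
MAX_AGE_SECONDS = 7 * 24 * 3600    # assumed policy: refuse metadata older than a week

# Constructed Release-style metadata. Signature verification is assumed to have
# passed already; the point is that a valid signature alone does not stop replay.
RELEASE_TEXT = "Origin: Example\nSuite: stable\nDate: Sat, 19 Jul 2008 12:00:00 +0000\n"

def bounded_read(stream, limit=MAX_RELEASE_BYTES):
    """Read at most `limit` bytes and fail closed if the sender keeps going.
    This is the defence against an endless data stream."""
    data = stream.read(limit + 1)
    if len(data) > limit:
        raise ValueError("response exceeded %d bytes; aborting download" % limit)
    return data

def parse_release(text):
    """Release files are RFC 822-style 'Key: value' headers."""
    return dict(HeaderParser().parsestr(text).items())

def check_freshness(release, now, last_seen, max_age=MAX_AGE_SECONDS):
    """Replay defence: an old snapshot still carries a valid signature, so the
    client must also require that it is recent and not older than the newest
    snapshot it already accepted (rollback protection).
    Returns the accepted timestamp, to be persisted as the new last_seen."""
    stamp = int(parsedate_to_datetime(release["Date"]).timestamp())
    if stamp > now + 300:                      # small clock-skew allowance
        raise ValueError("metadata dated in the future")
    if now - stamp > max_age:
        raise ValueError("metadata too old: possible replay of an old snapshot")
    if last_seen is not None and stamp < last_seen:
        raise ValueError("metadata older than last accepted: rollback/replay")
    return stamp

def fetch_release(stream, now, last_seen):
    """Combine both checks the way a client's update step would."""
    text = bounded_read(stream).decode("utf-8")
    return check_freshness(parse_release(text), now, last_seen)

def rejected(func, *args):
    """True if the check fails closed (raises ValueError) for the given input."""
    try:
        func(*args)
    except ValueError:
        return True
    return False
```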

