
Re: Please test gzip -9n - related to dpkg with multiarch support

On Tue, Feb 07, 2012 at 10:49:23PM +0000, Ben Hutchings wrote:
> But it's worse than this: even if dpkg decompresses before comparing,
> debsums won't (and mustn't, for backward compatibility).  So it's
> potentially necessary to fix up the md5sums file for a package
> installed for multiple architectures, if it contains a file that was
> compressed differently.

I'm uncomfortable with the idea of checking checksums only for
uncompressed data. Compressed files have headers, and at least for
some formats, it seems those headers can contain essentially
arbitrary data. This allows compressed files to be modified in
rather significant ways, without debsums noticing, if debsums
uncompresses before comparing.

Further, uncompressors have the potential for security problems.
See https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-2624 for example.
In other words: debsums needs to decompress to verify that no
files have been tampered with, but doing so can invoke an attack.
Such an attack may be unlikely, but it would seem to be a better design
to not open up the possibility for it.

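The header point made in the reply above, as an added example that is not part of the original message nor of debsums or dpkg: two gzip members (RFC 1952) are built by hand with byte-identical payload but a different optional FCOMMENT field, and each verification strategy is checked for whether it notices. The payload text, the comment string and the helper names are constructed for this illustration.

```python
import gzip
import hashlib
import zlib

# Constructed sample content (not from the original mail).
PAYLOAD = b"manual page contents shared across architectures\n"


def gzip_member(data: bytes, comment: bytes = b"") -> bytes:
    """Assemble one RFC 1952 gzip member by hand so the optional header
    fields can be controlled (Python's gzip module does not expose FCOMMENT)."""
    flg = 0x10 if comment else 0x00          # FCOMMENT flag bit
    header = bytes([0x1F, 0x8B, 0x08, flg])  # ID1, ID2, CM=deflate, FLG
    header += (0).to_bytes(4, "little")      # MTIME=0, as gzip -n writes it
    header += bytes([0x02, 0xFF])            # XFL (max compression), OS=unknown
    if comment:
        header += comment + b"\x00"          # zero-terminated comment field
    comp = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)  # raw deflate
    body = comp.compress(data) + comp.flush()
    trailer = (zlib.crc32(data) & 0xFFFFFFFF).to_bytes(4, "little")  # CRC32
    trailer += (len(data) & 0xFFFFFFFF).to_bytes(4, "little")        # ISIZE
    return header + body + trailer


def md5_hex(blob: bytes) -> str:
    return hashlib.md5(blob).hexdigest()


def roundtrip_ok(member: bytes) -> bool:
    """True when the member decompresses back to PAYLOAD (header is ignored)."""
    return gzip.decompress(member) == PAYLOAD


def compare_strategies(original: bytes, modified: bytes) -> dict:
    """Report which checksum strategy detects a difference between the files:
    the raw-file md5 that debsums uses today versus an md5 over decompressed data."""
    raw_differs = md5_hex(original) != md5_hex(modified)
    plain_differs = (md5_hex(gzip.decompress(original))
                     != md5_hex(gzip.decompress(modified)))
    return {"raw_file_differs": raw_differs, "decompressed_differs": plain_differs}


clean = gzip_member(PAYLOAD)
tampered = gzip_member(PAYLOAD, comment=b"arbitrary bytes smuggled in the header")

if __name__ == "__main__":
    for name, member in (("clean", clean), ("tampered", tampered)):
        print(name, len(member), "bytes, raw md5", md5_hex(member))
    print(compare_strategies(clean, tampered))
```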