[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: leaks in our only-signed-software fortress

Am 18.02.2012 13:32, schrieb Jakub Wilk:
I'll add to the list:
- Packages that download and run untrusted code at build time.
May I add a similar case...
Take the non-free flash as example... (yeah I know it's non-free and not officially sec-supported).. Even if it would use some SHA512 sums (hardcoded into the package) to verify the download (I don't know whether it does),.. the update mechanism is still outsite of the package management system (on has to call update-flash or something like that)... so you bypass the whole central point of update management.

FWIW, the Contents files _are_ signed, but AFAICS apt-file doesn't
verify the signature.
See #515942.

But why is that a big deal?
What do you mean? Of not verifying it? Well as always someone can attack you if you somehow (for whatever reason) rely on the information being correct. Moreover, if there is some automatic parsing of those files, you can also easily think of attack vectors by manipulating files,..

Could you point us to those which were ignored or denied?
Phew... would have to do a lot of digging in my mails and bug reports to find them out again.


Reply to: