On Wed, 2012-02-08 at 07:57 +0000, Lars Wirzenius wrote:
> On Tue, Feb 07, 2012 at 10:49:23PM +0000, Ben Hutchings wrote:
> > But it's worse than this: even if dpkg decompresses before comparing,
> > debsums won't (and mustn't, for backward compatibility). So it's
> > potentially necessary to fix up the md5sums file for a package
> > installed for multiple architectures, if it contains a file that was
> > compressed differently.
>
> I'm uncomfortable with the idea of checking checksums only for
> uncompressed data. Compressed files have headers, and at least for
> some formats, it seems those headers can contain essentially
> arbitrary data. This allows compressed files to be modified in
> rather significant ways, without debsums noticing, if debsums
> uncompresses before comparing.
>
> Further, uncompressors have the potential for security problems.
> See https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-2624 for example.
> In other words: debsums needs to decompress to verify that no
> files have been tampered with, but doing so can invoke an attack.
> Such an attack may be unlikely, but it would seem to be a better design
> to not open up the possibility for it.
I wasn't suggesting debsums would do decompression.
Ben.
--
Ben Hutchings
The generation of random numbers is too important to be left to chance.
- Robert Coveyou
Attachment:
signature.asc
Description: This is a digitally signed message part