
Re: holes in secure apt



On Mon, Jun 16, 2014 at 12:04:51PM +0200, Thorsten Glaser wrote:
> On Thu, 12 Jun 2014, David Kalnischkies wrote:
> > For your attack to be (always) successful, you need a full-sources
> > mirror on which you modify all tarballs, so that you can build a valid
> > Sources file. You can't just build your attack tarball on demand as the
> 
> Erm, no? You can just cache a working Sources file and exchange
> the paragraph you are interested in. That’s something that would
> be easy in a CGI written in shell, *and* perform well. Trivial.

The "always" refers to the small problem that a MITM isn't in control of
what source package is acquired by the user later on. Modifying the
Sources file is of course trivial; the hard part is making the
modification count given that at the time the request for the Sources
file is made you have no idea what (if any) source package the user will
request in 10 seconds/days following this 'apt-get update' (or
equivalent) – if the user isn't on to you given that you have thrown
away the signatures for binary packages, too, so that he can't even get
his build-dependencies without saying yes to a (default: no) warning.

From a theoretical standpoint, this is of course all negligible, but in
practice it's so annoying/fragile that way better alternatives exist.
(Me messing up InRelease parsing [twice], for example, with ironically far
less coverage - it's all about catchy titles I guess)


Best regards

David Kalnischkies



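The two checks the exchange above turns on, as an added example that is not code from this thread or from apt itself: a signed Release file vouches for the hash of the Sources index, and a paragraph in that index vouches for the hash of each tarball. Swapping one paragraph (Thorsten's cached-Sources trick) makes the trojaned tarball pass the second check, but the index then no longer matches the Release entry, which is why the attacker also has to throw the signature away. All data here is constructed, the helper names (build_paragraph, swap_paragraph, attack_outcome and so on) are hypothetical, and the Release entry is assumed to have had its signature checked already; real apt indices carry more fields and hash types than this minimal model.

```python
import hashlib

# Constructed sample data (not real Debian archive content): two made-up
# upstream tarballs, so that every checksum below can be computed offline.
TARBALLS = {
    "foo_1.0.orig.tar.gz": b"foo upstream tarball bytes",
    "bar_2.3.orig.tar.gz": b"bar upstream tarball bytes",
}


def checksum_line(data, filename):
    """One entry of a Checksums-Sha256 field: ' <sha256> <size> <filename>'."""
    return f" {hashlib.sha256(data).hexdigest()} {len(data)} {filename}"


def build_paragraph(package, version, filename, data):
    """A minimal Sources paragraph vouching for one tarball (hypothetical helper)."""
    return "\n".join([
        f"Package: {package}",
        f"Version: {version}",
        "Checksums-Sha256:",
        checksum_line(data, filename),
    ])


# The legitimate index a mirror would serve ...
GOOD_SOURCES = (
    build_paragraph("foo", "1.0", "foo_1.0.orig.tar.gz", TARBALLS["foo_1.0.orig.tar.gz"])
    + "\n\n"
    + build_paragraph("bar", "2.3", "bar_2.3.orig.tar.gz", TARBALLS["bar_2.3.orig.tar.gz"])
    + "\n"
)

# ... and its entry in the Release file, assumed to be signature-checked
# already. A real InRelease lists more files and hash types; this is the
# minimum the chain needs.
RELEASE_ENTRY = {
    "sha256": hashlib.sha256(GOOD_SOURCES.encode()).hexdigest(),
    "size": len(GOOD_SOURCES.encode()),
}


def parse_sources(text):
    """Parse deb822-style paragraphs into dicts; multi-line fields are joined with newlines."""
    paragraphs, current, last_key = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if current:
                paragraphs.append(current)
                current, last_key = {}, None
            continue
        if line[0] in " \t":  # continuation line of the previous field
            current[last_key] = current[last_key] + "\n" + line.strip()
            continue
        key, _, value = line.partition(":")
        last_key = key.strip()
        current[last_key] = value.strip()
    if current:
        paragraphs.append(current)
    return paragraphs


def tarball_checksums(paragraph):
    """Map filename -> (sha256, size) from a paragraph's Checksums-Sha256 field."""
    out = {}
    for line in paragraph.get("Checksums-Sha256", "").split("\n"):
        if line:
            digest, size, filename = line.split()
            out[filename] = (digest, int(size))
    return out


def verify_index(sources_text, release_entry):
    """Step 1 of the chain: does this Sources file match what the signed Release says?"""
    raw = sources_text.encode()
    return (len(raw) == release_entry["size"]
            and hashlib.sha256(raw).hexdigest() == release_entry["sha256"])


def verify_tarball(paragraph, filename, data):
    """Step 2 of the chain: does the fetched tarball match its Sources entry?"""
    expected = tarball_checksums(paragraph).get(filename)
    return expected == (hashlib.sha256(data).hexdigest(), len(data))


def swap_paragraph(sources_text, package, replacement):
    """The cached-Sources trick: keep the real index and exchange just one paragraph."""
    parts = sources_text.strip("\n").split("\n\n")
    out = [replacement if p.split("\n", 1)[0] == f"Package: {package}" else p
           for p in parts]
    return "\n\n".join(out) + "\n"


def attack_outcome():
    """Run the swap and report which of the two checks it survives."""
    evil = b"trojaned foo tarball"
    evil_paragraph = build_paragraph("foo", "1.0", "foo_1.0.orig.tar.gz", evil)
    tampered = swap_paragraph(GOOD_SOURCES, "foo", evil_paragraph)
    foo = [p for p in parse_sources(tampered) if p["Package"] == "foo"][0]
    return {
        # the swapped paragraph vouches for the trojaned tarball, so step 2 passes ...
        "tarball_matches_tampered_index": verify_tarball(foo, "foo_1.0.orig.tar.gz", evil),
        # ... but step 1 fails unless the Release signature is thrown away too,
        # which is what makes the user see the (default: no) warning
        "index_matches_signed_release": verify_index(tampered, RELEASE_ENTRY),
    }


if __name__ == "__main__":
    print(attack_outcome())
```

Note that the swap has to be prepared before the user asks for any particular package: the attacker serves the tampered index at 'apt-get update' time and only profits if that package is later fetched, which is the "always" David is pointing at.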