
Re: holes in secure apt

On Tue, 2014-06-17 at 10:48 +0200, David Kalnischkies wrote: 
> On Mon, Jun 16, 2014 at 12:04:51PM +0200, Thorsten Glaser wrote:
> > Erm, no? You can just cache a working Sources file and exchange
> > the paragraph you are interested in. That’s something that would
> > be easy in a CGI written in shell, *and* perform well. Trivial.
> The "always" refers to the small problem that a MITM isn't in control of
> what source package is acquired by the user later on. Modifying the
> Source file is of course trivial, the hard part is making the
> modification count given that at the time the request for the Sources
> file is made you have no idea what (if any) source package the user will
> request in 10 seconds/days following this 'apt-get update' (or
> equivalent) – if the user isn't on to you given that you have thrown
> away the signatures for binary packages, too, so that he can't even get
> his build-dependencies without saying yes to a (default: no) warning.

I don't quite understand why you think it's so difficult for an attacker
to provide a complete archive, where he has added some trojan or
whatever to more or less any source package?
And if he just looks for main() in any source package and hooks in a
little backdoor... or even if he just focuses on the most popular source

> From a theoretical standpoint, this is of course all negligible, but in
> practice it's so annoying/fragile that way better alternatives exist.

> (Me messing up InRelease parsing [twice] for example with ironically far
> less coverage - its all about catchy titles I guess)
Well, I've noticed that but was too depressed to make noise ;-)

Anyway... the main question is from my side (at least regarding this
Was there any... do we need any... how could we do any assessment about
the integrity of the Debian archive and build infrastructure... (i.e.
whether this or previous holes was actually used by someone)?

I mean all the NSA&friends scandal has clearly shown one thing:
There are many people/groups out there which really do want to break
into every system and which even go the most "annoying" ways to reach
their goal... being paranoid was actually always justified.
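The exchange above turns on how the secure-apt trust chain is supposed to make a rewritten Sources file useless: the signed Release pins the index by size and hash, the index pins each .dsc the same way, and a mirror that strips the signature leaves nothing for the client to trust. The following is an added example, written for this reply and not code from apt or from anyone in the thread; it models that chain with constructed archive contents (a one-package Sources index and a fake .dsc) and assumes the OpenPGP check on InRelease has already been done by gpgv before `parse_release_sha256()` is handed the text.

```python
"""Model of the secure-apt trust chain: signed Release -> Sources index -> .dsc.

Added example. Every archive file below is constructed inline; nothing here is
from a real mirror. The signature check on InRelease/Release is assumed to
have succeeded already (apt delegates it to gpgv); this block covers only the
hash pinning that follows it.
"""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# --- archive side: what the archive software writes before Release is signed ---

def make_sources_paragraph(package: str, dsc_name: str, dsc_data: bytes) -> bytes:
    """Build one Sources paragraph pinning the .dsc by size and SHA256."""
    return (
        f"Package: {package}\n"
        f"Version: 1.0-1\n"
        f"Directory: pool/main/{package[0]}/{package}\n"
        "Checksums-Sha256:\n"
        f" {sha256_hex(dsc_data)} {len(dsc_data)} {dsc_name}\n"
    ).encode()


def make_release(indices: dict) -> str:
    """Build the SHA256 section of a Release file covering the given index files."""
    lines = ["Suite: stable", "SHA256:"]
    for path, data in sorted(indices.items()):
        lines.append(f" {sha256_hex(data)} {len(data)} {path}")
    return "\n".join(lines) + "\n"


# --- client side: what a careful apt-like client checks ---

def parse_release_sha256(release_text: str) -> dict:
    """Return {path: (sha256, size)} from the SHA256 section of a verified Release."""
    hashes = {}
    in_section = False
    for line in release_text.splitlines():
        if line == "SHA256:":
            in_section = True
            continue
        if in_section:
            if not line.startswith(" "):
                break  # the next field ends the multi-line section
            digest, size, path = line.split()
            hashes[path] = (digest, int(size))
    return hashes


def verify_index(release_hashes: dict, path: str, data: bytes) -> bool:
    """Accept an index file only if the signed Release pins its size and hash."""
    pinned = release_hashes.get(path)
    if pinned is None:
        return False  # unlisted, or no Release at all: nothing vouches for it
    digest, size = pinned
    return len(data) == size and hmac.compare_digest(sha256_hex(data), digest)


def parse_sources(sources: bytes) -> dict:
    """Return {package: {filename: (sha256, size)}} from Checksums-Sha256 stanzas."""
    result = {}
    for paragraph in sources.decode().split("\n\n"):
        pkg, files, in_sums = None, {}, False
        for line in paragraph.splitlines():
            if line.startswith(" "):
                if in_sums:
                    digest, size, name = line.split()
                    files[name] = (digest, int(size))
                continue
            in_sums = line.startswith("Checksums-Sha256:")
            if line.startswith("Package:"):
                pkg = line.split(":", 1)[1].strip()
        if pkg:
            result[pkg] = files
    return result


def verify_dsc(sources: bytes, package: str, dsc_name: str, dsc_data: bytes) -> bool:
    """Accept a .dsc only if the already-verified Sources index pins it."""
    pinned = parse_sources(sources).get(package, {}).get(dsc_name)
    if pinned is None:
        return False
    digest, size = pinned
    return len(dsc_data) == size and hmac.compare_digest(sha256_hex(dsc_data), digest)


# Constructed sample archive: one source package, its Sources index, its Release.
DSC = b"Format: 3.0 (quilt)\nSource: example\nVersion: 1.0-1\n"
SOURCES = make_sources_paragraph("example", "example_1.0-1.dsc", DSC)
RELEASE = make_release({"main/source/Sources": SOURCES})
RELEASE_HASHES = parse_release_sha256(RELEASE)


def chain_ok(release_hashes: dict, sources: bytes, dsc_data: bytes) -> bool:
    """Walk the whole chain for the sample package; any broken link rejects."""
    return (verify_index(release_hashes, "main/source/Sources", sources)
            and verify_dsc(sources, "example", "example_1.0-1.dsc", dsc_data))


if __name__ == "__main__":
    altered = DSC + b"# tampered\n"
    print("intact chain      :", chain_ok(RELEASE_HASHES, SOURCES, DSC))
    print("altered .dsc only :", chain_ok(RELEASE_HASHES, SOURCES, altered))
    # Rewriting Sources to match the altered .dsc breaks the pin in Release instead.
    rewritten = make_sources_paragraph("example", "example_1.0-1.dsc", altered)
    print("rewritten Sources :", chain_ok(RELEASE_HASHES, rewritten, altered))
    # A mirror that drops Release (and its signature) leaves nothing to trust.
    print("no Release at all :", chain_ok({}, SOURCES, DSC))
```

The point of the four runs at the bottom is the one the thread argues about: as long as the client refuses anything not pinned by a signed Release, the attacker cannot get a changed .dsc accepted by editing only Sources, and cannot get anything accepted by dropping the Release. The chain fails exactly where David's "default: no" warning sits, namely when a client is willing to proceed without the pin.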

