
Re: sofftware outside Debian (Re: holes in secure apt)

Hey Holger,

On Wed, 2014-06-18 at 12:46 +0200, Holger Levsen wrote: 
> > It also doesn't seem to protect against downgrading attacks... (see my
> > previous post about that).
> one or two bug reports might be oh so more useful than posting on -devel.
I will submit tickets for the ones I know (as soon as I find some
time)... but that's just the reason why we have such security issues as
I was talking about:
There is no concentrated approach to fix these things.

You say... "if you find such an issue,... report a bug" ... At best this
means something between "the maintainer agrees and just fixes it" and "a
lengthy discussion where the maintainer says: oh no, this is absolutely
security overkill, why should I do it".
And even if it's fixed in the end, it's only fixed for that package, and
I don't know all >40k packages of Debian by heart and cannot report a
ticket for all packages where it could be an issue. And even if, two
weeks later we'll have another package which does the same.

That's why I've said already before that it's more or less useless if
we approach one or all of the issues that were now mentioned in this
thread by just some concrete coding work.

> and then for each update you need to update the launcher package - that's an
> awful lot of work for little / no gain
You have a disturbing view on security apparently... o.O
If it's "little / no gain" that an attacker, e.g. in your university
network or WiFi, can't fool you into installing an old e.g. flash-plugin,
which can be easily used for at least a normal user exploit (which then
usually means a root exploit as well)... then I don't know...

> (and how do you handle downgrade 
> attacks here?)
As mentioned previously:
When the maintainer of such packages keeps his head up and looks for new
versions/updates, he'll make a new package with the new hardcoded
hash... This prevents a downgrade attack, since an attacker can no
longer present you an old version which would still verify.
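The hash-pinning scheme described above, as an added illustration that is not part of this mail or of any Debian package: the launcher ships with the SHA-256 of the exact upstream release it was built for, and whatever a network attacker serves instead (here a constructed "old" build) fails verification. The release bytes and version numbers are constructed samples.

```python
import hashlib
import hmac

# Constructed stand-ins for upstream downloads (e.g. a plugin tarball).
RELEASES = {
    "1.0": b"constructed: old plugin build 1.0\n",
    "1.1": b"constructed: new plugin build 1.1\n",
}


def build_launcher_pin(release: bytes) -> str:
    """Done by the maintainer at package build time: pin the SHA-256 of
    the release the launcher package is meant to install. Every upstream
    update means a new launcher package with a new pinned hash."""
    return hashlib.sha256(release).hexdigest()


# The pin shipped inside the current launcher package (built for 1.1).
PINNED_SHA256 = build_launcher_pin(RELEASES["1.1"])


def verify_download(data: bytes, pinned_sha256: str = PINNED_SHA256) -> bool:
    """Run on the user's machine after download: accept only bytes that
    hash to the pinned value. An older release or a tampered file has a
    different digest and is rejected, so a downgrade served by someone on
    the network path does not verify."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, pinned_sha256)


def install_if_valid(served: bytes) -> str:
    return "installed" if verify_download(served) else "rejected"


if __name__ == "__main__":
    # Honest mirror serves the release the launcher was built for.
    print(install_if_valid(RELEASES["1.1"]))  # installed
    # Attacker replays the old build: hash mismatch, nothing is installed.
    print(install_if_valid(RELEASES["1.0"]))  # rejected
```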
