Re: Adding support for LZIP to dpkg, using that instead of xz, archive wide

To: debian-devel@lists.debian.org
Subject: Re: Adding support for LZIP to dpkg, using that instead of xz, archive wide
From: Jakub Wilk <jwilk@debian.org>
Date: Thu, 6 Aug 2015 23:09:53 +0200
Message-id: <[🔎] 20150806210953.GA9011@jwilk.net>
Mail-followup-to: debian-devel@lists.debian.org
In-reply-to: <[🔎] 20150806193109.GA17522@thaum.home.philkern.de>
References: <20150726191827.GA11938@zira.vinc17.org> <55B80082.6010506@gnu.org> <[🔎] 20150802183535.GA17569@ioooi.vinc17.net> <[🔎] 87mvy9msvh.fsf@hope.eyrie.org> <[🔎] 20150802204744.GB17569@ioooi.vinc17.net> <[🔎] 20150806193109.GA17522@thaum.home.philkern.de>

* Philipp Kern <pkern@debian.org>, 2015-08-06, 21:31:

The purpose of adding garbage could be to make a modified tarballmatch the signature.
Which is why we also supply the length.

I thought the idea was to create a smaller malicious tarball, thenappend "garbage" until the size and the hash match.


But let's go back to reality:

If the decompressor ignores trailing garbage, then it's slightly easierto perform chosen-prefix collision attack for tarballs[0]. You don'thave to worry about compressor's CRCs or where to hide collision blocksfrom the sight of an attentive code reviewer.



[0] https://lists.debian.org/20140913162408.GA6840@jwilk.net

--
Jakub Wilk

Reply to:

Follow-Ups:
- Re: Adding support for LZIP to dpkg, using that instead of xz, archive wide
  - From: Antonio Diaz Diaz <antonio@gnu.org>

References:
- Re: Re: Adding support for LZIP to dpkg, using that instead of xz, archive wide
  - From: Vincent Lefevre <vincent@vinc17.net>
- Re: Adding support for LZIP to dpkg, using that instead of xz, archive wide
  - From: Russ Allbery <rra@debian.org>
- Re: Adding support for LZIP to dpkg, using that instead of xz, archive wide
  - From: Vincent Lefevre <vincent@vinc17.net>
- Re: Adding support for LZIP to dpkg, using that instead of xz, archive wide
  - From: Philipp Kern <pkern@debian.org>

Prev by Date: Bug#794816: ITP: python-click-plugins -- Click extension to register external CLI commands (Python 2)
Next by Date: Work-needing packages report for Aug 7, 2015
Previous by thread: Re: Adding support for LZIP to dpkg, using that instead of xz, archive wide
Next by thread: Re: Adding support for LZIP to dpkg, using that instead of xz, archive wide
Index(es):
- Date
- Thread