Re: Apt-get is insecure

To: debian-security@lists.debian.org
Subject: Re: Apt-get is insecure
From: Jor-el <jorel@trillian.megadodo.umb>
Date: Thu, 13 Dec 2001 18:05:29 -0600 (CST)
Message-id: <[🔎] Pine.LNX.3.96.1011213175841.23865A-100000@trillian>
Reply-to: jorel@austin.rr.com
In-reply-to: <[🔎] 20011213162430.GB14968@wiggy.net>

On Thu, 13 Dec 2001, Wichert Akkerman wrote:

> 
> There is a seperate plan for verifying signatures using apt. From
> memory this goes as follows:
> 
> * deb packages are installed in the archive
> * the MD5 checksum for each package is listed in the Packages file
> * the MD5 checksum for each Packages file for a release is listed in
>   the Release file
> * the archive creates a signature for the Release file that apt can
>   verify
> 
Hi,

	Forgive me if my question is rather naive. I have the following
scenario and am curious to know whethere this has already been addressed :

1.  Mr. Cracker sets up a mirror and claims it is a mirror for Debian
distros.
2.  Mr. Cracker recompiles trojaned packages and recomputes the MD5
checksums for them. These trojaned .debs are placed on the mirror.

	How would a person getting .debs from this mirror be able to
protect him/herself from such a situation? Would they have to exclusively
get .debs from the Debian site itself?

	Note that if the packages are PGP / GPG signed, the problem is
only a little less acute. Mr. Cracker could sign the package with his /
her key. How would a user know that Mr. Cracker is not infact the
maintainer?

Regards,
Jor-el

Reply to:

Follow-Ups:
- Re: Apt-get is insecure
  - From: Javier Fernández-Sanguino Peña <jfs@computer.org>

References:
- Re: Apt-get is insecure
  - From: Wichert Akkerman <wichert@wiggy.net>

Prev by Date: Re: Following security issues found upstream
Next by Date: RE: Apt-get is insecure
Previous by thread: Re: Apt-get is insecure
Next by thread: Re: Apt-get is insecure
Index(es):
- Date
- Thread