
Re: Recent updates



Hi!

* Felipe Figueiredo <philsf79@gmail.com> [080218 10:01]:

> > Well, a rogue hacker would need to be quite skilled to add some kind of
> > "bad" package.
> > 
> > Let's assume he has created a bad package and got control over a mirror
> How about a simpler attack vector: compromise a devel account, and sneak in a
> patch to be automatically incorporated into a package. Is this feasible?
> 
> I understand that this case would not reflect what the OP asked about, but 
> still.

Yes, that would be a possible attack vector.  But you would need to do
more than just break into a devel account.  Since package uploads of
developers need to be signed with a pre-approved GPG key, you would
need to break into that, too (which I must confess is still possible).

However, while it would then be possible to upload packages to Debian's
unstable branch directly (and could therefore possibly [but IMHO
unlikely] even get a package into the testing branch), you still don't
get a package into a stable (point) release, since your manipulated
package needs to pass the review of our stable release managers.

Now keep in mind that you in general can't get new upstream releases
into a stable point release, and since the manipulated package was
uploaded before the manipulation, changing the source code of the
package won't work.  So the only way you can get your manipulations in
is via the diff.gz of the source package.  So it is more or less easy to
review what has been changed.  Tools like "debdiff" to compare changes
between packages make it even easier.  So it is not impossible, but
quite unlikely, that a manipulated package gets into a stable point
release. (And you would still need to do some more to get your package
in, e.g. a bug report of serious severity (or higher) which your
package claims to fix, which of course will be tested; and all that
while the Debian Developer whose account and GPG key you hacked doesn't
notice anything.)


The next attack vector would be to get a manipulated package into
Debian's unstable branch, and hope it will make it into a stable
release.  That would be complicated and unlikely, too, but I'm too lazy
now to write it all down ;)



Yours sincerely,
  Alexander
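The review property described in the message above, that a stable point-release update leaves the upstream tarball untouched and confines every change to the diff.gz, can be checked mechanically before anyone opens debdiff. The following is an added example, not code from the original mail or from Debian's own tooling: it parses the Checksums-Sha256 field of two .dsc files (the upload currently in stable and the candidate), confirms the .orig.tar.gz digest is identical, and lists the Debian diff files a reviewer actually has to read. It assumes the .dsc files have already been GPG-verified and carry a Checksums-Sha256 field (older .dsc files only have the MD5 Files: field); the package name foo, the version suffix etch1, and all digests are constructed sample input.

```python
import re

# Debian source file name patterns: the upstream tarball and the Debian part.
UPSTREAM_RE = re.compile(r"\.orig\.tar\.(gz|bz2|xz)$")
DEBIAN_RE = re.compile(r"(\.diff\.gz|\.debian\.tar\.(gz|bz2|xz))$")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def parse_dsc_checksums(dsc_text):
    """Return {filename: (sha256, size)} from a .dsc Checksums-Sha256 field.

    Assumption: the .dsc signature was verified and the clearsign armour
    stripped before this is called; only the plain field body is parsed.
    """
    files = {}
    in_field = False
    for line in dsc_text.splitlines():
        if in_field and line.startswith(" "):
            parts = line.split()
            if len(parts) != 3:
                raise ValueError("malformed checksum line: %r" % line)
            digest, size, name = parts
            if not SHA256_RE.match(digest):
                raise ValueError("bad sha256 digest for %s" % name)
            files[name] = (digest, int(size))
            continue
        # Any non-indented line ends the multi-line field; a new
        # Checksums-Sha256: header starts it.
        in_field = line.startswith("Checksums-Sha256:")
    if not files:
        raise ValueError("no Checksums-Sha256 field found")
    return files


def compare_uploads(old_dsc, new_dsc):
    """Classify every file of the old upload and the candidate upload.

    upstream_ok - False if any .orig.tar.* was changed, added or removed,
                  which a stable point release must never do.
    review      - Debian diff/tarball files in the candidate that differ
                  from the old upload; this is what debdiff review covers.
    unchanged   - files with identical name, size and digest.
    unexpected  - anything else that changed (e.g. a native tarball).
    """
    old = parse_dsc_checksums(old_dsc)
    new = parse_dsc_checksums(new_dsc)
    report = {"upstream_ok": True, "review": [], "unchanged": [], "unexpected": []}
    for name in sorted(set(old) | set(new)):
        same = name in old and name in new and old[name] == new[name]
        if same:
            report["unchanged"].append(name)
        elif UPSTREAM_RE.search(name):
            report["upstream_ok"] = False
            report["unexpected"].append(name)
        elif DEBIAN_RE.search(name):
            if name in new:
                report["review"].append(name)
            # An old diff.gz that merely disappeared needs no review itself.
        else:
            report["unexpected"].append(name)
    return report


def make_dsc(version, orig_sha, diff_sha):
    """Build a minimal unsigned .dsc body (constructed sample, not a real upload)."""
    md5_placeholder = "0" * 32
    return (
        "Format: 1.0\nSource: foo\nVersion: %s\n"
        "Checksums-Sha256:\n %s 40960 foo_1.2.orig.tar.gz\n %s 2048 foo_%s.diff.gz\n"
        "Files:\n %s 40960 foo_1.2.orig.tar.gz\n %s 2048 foo_%s.diff.gz\n"
        % (version, orig_sha, diff_sha, version, md5_placeholder, md5_placeholder, version)
    )


# Constructed digests: the stable upload, a clean point-release candidate that
# only replaces the diff.gz, and a tampered candidate that also swaps the
# upstream tarball.
ORIG_SHA, OLD_DIFF_SHA, NEW_DIFF_SHA, TAMPERED_SHA = "1f" * 32, "2e" * 32, "3d" * 32, "4c" * 32
OLD_DSC = make_dsc("1.2-3", ORIG_SHA, OLD_DIFF_SHA)
NEW_DSC = make_dsc("1.2-3etch1", ORIG_SHA, NEW_DIFF_SHA)
TAMPERED_DSC = make_dsc("1.2-3etch1", TAMPERED_SHA, NEW_DIFF_SHA)

if __name__ == "__main__":
    for label, candidate in (("clean", NEW_DSC), ("tampered", TAMPERED_DSC)):
        report = compare_uploads(OLD_DSC, candidate)
        verdict = "reviewable" if report["upstream_ok"] else "REJECT: upstream tarball changed"
        print("%s candidate: %s; files to review: %s" % (label, verdict, report["review"]))
```

The check is deliberately narrow: it says nothing about what the new diff.gz contains, only that the diff.gz is the sole place a change can hide, so the reviewer's debdiff covers everything. A candidate that fails upstream_ok should be rejected outright rather than reviewed, because a replaced .orig.tar.gz means the whole upstream source has to be re-audited.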


