Re: Compromising Debian Repositories

Daniel Sousa:
> On Sun, Aug 4, 2013 at 2:55 PM, Michael Stone <mstone@debian.org> wrote:
>> On Sun, Aug 04, 2013 at 10:12:40AM +0200, Heimo Stranner wrote:
>>> I think the real issue is about if the malicious patch is not part of
>>> the source package
>> Why? It certainly makes your argument simpler if you arbitrarily restrict
>> the problem set, but it isn't obvious that it makes sense. If I was going
>> to backdoor something, I'd just make an innocent-looking coding error that
>> would enable a successful exploit; I certainly wouldn't put in a commented
>> section of code that says "backdoor here". With sufficient effort it
>> wouldn't be hard to inject such a vulnerability that would go unnoticed for
>> years--and I'm not sure why that's less of an issue than someone making a
>> one-time build with a malicious patch that is not part of the source
>> package.
> First of all, they could apply that change (calling it a patch was not one
> of my greatest ideas) for every update they do, it's not necessarily a one
> time thing. It's also much easier (and probably much more dangerous) to write
> some code that doesn't need to be cryptic, you can just write whatever you
> want instead of trying to find something that can pass as a mistake
> (although this seems a fun thing to do)
> Despite this, the most important reason is that I don't see any way to
> prevent that from happening, but we can prevent this.

> It's not easy and
> will take a lot of work, but at least it is theoretically possible.

Defeating the intentional non-obvious bug leading to vulnerability
thing? How to defeat it in theory? Please elaborate.

> I don't have any experience on this and I would not know where to start (I
> haven't even done a Debian package, ever), but if there's any workgroup or
> anyone working on this, I would like to help

