[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: HTTPS enabled Debian Security repository

Henrique de Moraes Holschuh writes:
> On Fri, 27 Oct 2017, Hans-Christoph Steiner wrote:
>> This idea that GPG signatures on the index files is enough has been
>> totally disproven.  There was a bug in apt where Debian devices could be
>> exploited by feeding them crafted InRelease files:
>> 
>> https://www.debian.org/security/2016/dsa-3733
>
> This was the *one* bug of this sort in the entire lifetime of apt thus
> far, AFAIK.

No, there was also
   https://security-tracker.debian.org/tracker/CVE-2013-1051
which I found.  That one was fairly easy to exploit (concatenate
manipulated Release with wrong "-----BEGIN PGP SIGNATURE" markers and
correctly signed InRelease; gpg would verify the signature at the end,
but apt would use the unsigned, manipulated Release from the beginning)

Similar bugs were present in several other places in Debian's
infrastructure as well.

The one from 2016 is harder to exploit: I asked on #-apt back then and
the sample exploit had a 1/4 success change with a 1.3 GB InRelease file
on a memory starved i386 system).

>> If HTTPS was used, that would mean exploiting that would require
>
> One of the dozens of zero-days already found in the TLS stack we had to
> run like crazy to patch ?

That is still valid of course, though I'm not sure if GnuPG or TLS
libraries get wider testing...

Ansgar
Reply to: