
Re: code injection in packages.debian.org



Hello,

On Wednesday, 13 December 2006 10:33, Javier Fernández-Sanguino Peña wrote:
> In order for your md5sum "attack" to really work you have to crack
> *all* mirrors, or the user has a ~1/38 chance of stumbling on the
> package that has been replaced by a cracker. Not a very good attack
> IMHO.

Or the user would despair of 37 "broken" mirrors and be "happy" to 
finally find the "good" one ;-)

> Anyway, we could be discussing about this for days. I agree that the
> md5sum should not be taken verbatim from the user's input but, I
> understand, that's something that is fixed in the next release of the
> scripts. 

Good to know.

BTW: The current state of only allowing [0-9a-f] doesn't really help 
because one can still inject wrong MD5SUMs. It just prevents some 
jokes.

http://packages.debian.org/cgi-bin/download.pl?arch=all&file=pool%2Fmain%2Fi%2Fie%2Finternet-explorer_7.0-3_all.deb&md5sum=aaaaaaaaaaaaaaaaaaaaaaaaaa000000&arch=all&type=main
still works (package name replaced to make the fake obvious - please 
have a look at the MD5SUM).

> If others think this should be fixed *right*now* then I
> think the only sensible option is to remove the md5sum information
> from the download page altogether and put it in the packages page
> with the autogenerated content in a cell next to "Installed size".

Sounds like a very good idea. Please do this change.


Christian Boltz
-- 
URLs:
    absurdly long words that must not be wrapped
                                     [David Haller]
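Added example, not code from this thread or from packages.debian.org: a Python sketch of the two behaviours discussed above, the download page reflecting a request-supplied md5sum (filtered to [0-9a-f]) beside the proposed fix of taking the checksum only from server-side package data. download.pl itself is Perl and is not reproduced here; the package index entries, the package bytes and the exact shape of the hex filter are constructed for the demo.

```python
import hashlib
import re
from urllib.parse import parse_qs, urlsplit

# Constructed server-side package index: file path -> MD5 of the genuine .deb.
# Hypothetical entries, not real Debian data; the real site would read this
# from the archive's Packages files.
GENUINE_DEB = b"genuine package bytes (constructed sample)"
PACKAGE_INDEX = {
    "pool/main/h/hello/hello_2.2-1_all.deb": hashlib.md5(GENUINE_DEB).hexdigest(),
}

# Stand-in for the "only [0-9a-f]" check mentioned in the thread (assumption).
HEX_ONLY = re.compile(r"\A[0-9a-f]+\Z")


def query_of(url):
    """Decode the query string of a download URL into a flat dict."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def displayed_md5_vulnerable(url):
    """Behaviour described in the thread: the md5sum comes from the request
    and is merely filtered to hex digits. Script/HTML 'jokes' are blocked,
    but any hex string the attacker chooses is shown as the checksum."""
    md5 = query_of(url).get("md5sum", "")
    return md5 if HEX_ONLY.match(md5) else None


def displayed_md5_hardened(url):
    """Proposed fix: ignore any md5sum in the request; the checksum is taken
    solely from the server-side index for the requested file."""
    path = query_of(url).get("file", "")
    return PACKAGE_INDEX.get(path)


def user_check_passes(displayed_md5, downloaded_bytes):
    """What a user does by hand: md5sum the file and compare with the page."""
    if displayed_md5 is None:
        return False
    return hashlib.md5(downloaded_bytes).hexdigest() == displayed_md5


def demo():
    """Attacker serves a tampered .deb from one mirror and links to the
    download page with the tampered file's own MD5 in the URL."""
    tampered = b"trojaned package bytes (constructed sample)"
    forged_md5 = hashlib.md5(tampered).hexdigest()
    url = ("http://packages.debian.org/cgi-bin/download.pl?arch=all"
           "&file=pool%2Fmain%2Fh%2Fhello%2Fhello_2.2-1_all.deb"
           f"&md5sum={forged_md5}&type=main")
    return {
        # hex filter alone: the forged checksum matches the trojaned file
        "vulnerable_accepts_tampered":
            user_check_passes(displayed_md5_vulnerable(url), tampered),
        # server-side lookup: the trojaned file fails, the genuine one passes
        "hardened_accepts_tampered":
            user_check_passes(displayed_md5_hardened(url), tampered),
        "hardened_accepts_genuine":
            user_check_passes(displayed_md5_hardened(url), GENUINE_DEB),
        # the filter still does its one job: non-hex input is not reflected
        "script_tag_rejected":
            displayed_md5_vulnerable(url.replace(forged_md5, "<script>")) is None,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point the demo makes is the one in the mail: a character whitelist on the md5sum parameter stops markup injection but leaves the checksum attacker-controlled, so the only real fix is to not read it from the request at all.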


