
Re: ADV: Re: code injection in packages.debian.org



On Fri, Dec 15, 2006 at 06:34:37PM +0100, Christian Boltz wrote:
> On Wednesday, 13 December 2006 10:33, Javier Fernández-Sanguino
> Peña wrote:
> > In order for your md5sum "attack" to really work you have to crack
> > *all* mirrors or the user has a ~1/38 chance on stumbling on the
> > package that has been replaced by a cracker. Not a very good attack
> > IMHO.
> 
> Or the user would despair of 37 "broken" mirrors and be "happy" to 
> finally find the "good" one ;-)

I guess if someone really values the md5sum so much, he will probably not
fall for a false link in the first place ;)

> > Anyway, we could be discussing about this for days. I agree that the
> > md5sum should not be taken verbatim from the user's input but, I
> > understand, that's something that is fixed in the next release of the
> > scripts. 
> 
> BTW: The current state of only allowing [0-9a-f] doesn't really help 
> because one can still inject wrong MD5SUMs. It just prevents some 
> jokes.

Indeed.

> > If others think this should be fixed *right*now* then I 
> > think the only sensible option is to remove the md5sum information
> > from the download page altogether and put it in the packages page
> > with the autogenerated content in a cell next to "Installed size".
> 
> Sounds like a very good idea. Please do this change.

We should probably use the sha256sum instead, because we have that too
nowadays...
Anyway, I will happily accept any patches to do just that. Otherwise
it will probably have to wait until after Christmas (I guess a few days
don't hurt since the problem is now at least four years old according
to the CVS log).

Regards,
-- 
Frank Lichtenheld <djpig@debian.org>
www: http://www.djpig.de/
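An added illustration of the two approaches discussed in this thread (example code, not the packages.debian.org scripts, which are not shown here): the interim [0-9a-f] filter still echoes whatever well-formed checksum the link carries, while the proposed fix ignores the request and takes the checksums from the autogenerated package data. The package filename and .deb contents are constructed sample values.

```python
import hashlib
import re

# Constructed stand-in for a .deb in the archive and the checksums the archive's
# Packages index publishes for it (all values here are derived from this sample,
# not taken from a real Debian mirror).
SAMPLE_DEB = b"constructed sample .deb contents"
PACKAGES_INDEX = {
    "hello_2.1.1-4_i386.deb": {
        "Installed-Size": "56",
        "MD5sum": hashlib.md5(SAMPLE_DEB).hexdigest(),
        "SHA256": hashlib.sha256(SAMPLE_DEB).hexdigest(),
    }
}

HEX_RE = re.compile(r"^[0-9a-f]+$")


def render_download_old(filename, user_md5sum):
    """The interim mitigation from the thread: the md5sum still comes from the
    request, but only [0-9a-f] is accepted before it is echoed.
    Returns None when the input is rejected."""
    if not HEX_RE.match(user_md5sum):
        return None  # markup injection is blocked ...
    # ... but any well-formed hex string, including a wrong checksum chosen by
    # whoever crafted the link, is presented to the user as authoritative.
    return f"<p>{filename}: MD5 checksum {user_md5sum}</p>"


def render_package_page(filename):
    """The fix proposed in the thread: ignore the request entirely and take the
    checksums from the package data, shown next to Installed size."""
    entry = PACKAGES_INDEX[filename]
    return (
        "<table>"
        f"<tr><th>Installed size</th><td>{entry['Installed-Size']} kB</td></tr>"
        f"<tr><th>MD5sum</th><td>{entry['MD5sum']}</td></tr>"
        f"<tr><th>SHA256</th><td>{entry['SHA256']}</td></tr>"
        "</table>"
    )


def checksum_matches_index(filename, data, algorithm="SHA256"):
    """What the user does with the published value: hash the downloaded file
    and compare with the index entry, so a replaced file on one mirror is caught."""
    expected = PACKAGES_INDEX[filename][algorithm]
    actual = hashlib.new(algorithm.lower().replace("sum", ""), data).hexdigest()
    return actual == expected
```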