[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: ADV: Re: code injection in packages.debian.org

On Fri, Dec 15, 2006 at 06:34:37PM +0100, Christian Boltz wrote:
> Am Mittwoch, 13. Dezember 2006 10:33 schrieb Javier Fernández-Sanguino 
> Peña:
> > In order for your md5sum "attack" to really work you have to crack
> > *all* mirrors or the user has a ~1/38 chance on stumbling on the
> > package that has been replaced by a cracker. Not a very good attack
> > IMHO.
> Or the user would despair of 37 "broken" mirrors and be "happy" to 
> finally find the "good" one ;-)

I guess if really values the md5sum so much, he will probably not fall
for a false link in the first place ;)

> > Anyway, we could be discussing about this for days. I agree that the
> > md5sum should not be taken verbatim from the user's input but, I
> > understand, that's something that is fixed in the next release of the
> > scripts. 
> BTW: The current state of only allowing [0-9a-f] doesn't really help 
> because one can still inject wrong MD5SUMs. It just prevents some 
> jokes.


> > If other's think this should be fixed *right*now* then I 
> > think the only sensible option is to remove the md5sum information
> > from the download page altogether and put it in the packages page
> > with the autogenerated content in a cell next to "Installed size".
> Sounds like a very good idea. Please do this change.

We should probably use the sha256sum instead, because we have that too
Anyway, I will happily accept any patches to do just that. Otherwise
it will probably have to wait until after christmas (I guess a few days
don't hurt since the problem is now at least four years old according
to the CVS log).

Frank Lichtenheld <djpig@debian.org>
www: http://www.djpig.de/

Reply to: