Bug#491374: marked as done (Package managers vulnerable to replay and endless data attacks)

To: Julian Andres Klode <jak@debian.org>
Subject: Bug#491374: marked as done (Package managers vulnerable to replay and endless data attacks)
From: owner@bugs.debian.org (Debian Bug Tracking System)
Date: Wed, 13 Apr 2011 10:36:16 +0000
Message-id: <[🔎] handler.491374.D491374.13026907988159.ackdone@bugs.debian.org>
References: <20110413123142.GA12022@debian.org> <60e301c40807181702n2ac4b550p25c64de11c8710@mail.gmail.com>

Your message dated Wed, 13 Apr 2011 12:32:58 +0200
with message-id <20110413123142.GA12022@debian.org>
and subject line Re: Bug#491374: Package managers vulnerable to replay and endless data attacks
has caused the Debian Bug report #491374,
regarding Package managers vulnerable to replay and endless data attacks
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
491374: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=491374
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: submit@bugs.debian.org
Subject: Package managers vulnerable to replay and endless data attacks
From: "Justin Cappos" <justinc@cs.washington.edu>
Date: Fri, 18 Jul 2008 17:02:32 -0700
Message-id: <60e301c40807181702n2ac4b550p25c64de11c8710@mail.gmail.com>

Package: Apt, Aptitude, Synaptic
Version: all

Cross-posting from:
https://bugs.launchpad.net/ubuntu/+source/synaptic/+bug/247445

apt and possibly other Debian package managers capable of downloading
packages are vulnerable to two kinds of attacks.

1. Replay attack, where an attacker, by operating a malicious mirror
or by spoofing the address of a valid mirror, serves correctly signed
but outdated packages lists. As new vulnerabilities are discovered and
patched, the users who are using the malicious mirror won't be
receiving any updates and will continue running vulnerable software.
See http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on-package-managers.html

2. Endless data attack, where an attacker serves very long files to a
package manager that uses his malicious mirror. That might prevent the
package manager from ever completing, leading to the same problem as
described above. It might also consume all disk space preventing
logging, mail delivery and other system services from running
properly.
See http://www.cs.arizona.edu/people/justin/packagemanagersecurity/otherattacks.html#endlessdata

There is also an entry on Ubuntu and Debian in the FAQ at
http://www.cs.arizona.edu/people/justin/packagemanagersecurity/faq.html


See also this post in the CERT vulnerability analysis blog:
http://www.cert.org/blogs/vuls/2008/07/using_package_managers.html
They have assigned a vulnerability number to this issue (VU#230187)
but it doesn't seem to be public yet.

--- End Message ---

--- Begin Message ---

To: Justin Cappos <justinc@cs.washington.edu>, 491374-close@bugs.debian.org
Subject: Re: Bug#491374: Package managers vulnerable to replay and endless data attacks
From: Julian Andres Klode <jak@debian.org>
Date: Wed, 13 Apr 2011 12:32:58 +0200
Message-id: <20110413123142.GA12022@debian.org>
In-reply-to: <60e301c40807181702n2ac4b550p25c64de11c8710@mail.gmail.com>
References: <60e301c40807181702n2ac4b550p25c64de11c8710@mail.gmail.com>

On Fri, Jul 18, 2008 at 05:02:32PM -0700, Justin Cappos wrote:
> Package: Apt, Aptitude, Synaptic
> Version: all
> 
> Cross-posting from:
> https://bugs.launchpad.net/ubuntu/+source/synaptic/+bug/247445
> 
> apt and possibly other Debian package managers capable of downloading
> packages are vulnerable to two kinds of attacks.
> 
> 1. Replay attack, where an attacker, by operating a malicious mirror
> or by spoofing the address of a valid mirror, serves correctly signed
> but outdated packages lists. As new vulnerabilities are discovered and
> patched, the users who are using the malicious mirror won't be
> receiving any updates and will continue running vulnerable software.
> See http://www.cs.arizona.edu/people/justin/packagemanagersecurity/attacks-on-package-managers.html
Release files can expire now.
 
> 2. Endless data attack, where an attacker serves very long files to a
> package manager that uses his malicious mirror. That might prevent the
> package manager from ever completing, leading to the same problem as
> described above. It might also consume all disk space preventing
> logging, mail delivery and other system services from running
> properly.
> See http://www.cs.arizona.edu/people/justin/packagemanagersecurity/otherattacks.html#endlessdata
Long is relative, and setting some random limits is not really useful. A
full disk is not a problem either. 

-- 
Julian Andres Klode  - Debian Developer, Ubuntu Member

See http://wiki.debian.org/JulianAndresKlode and http://jak-linux.org/.

Attachment: pgpwJM10IwqL0.pgp
Description: PGP signature

--- End Message ---

Reply to:

Prev by Date: Re: pu: package apt/0.8.10.3+squeeze1
Next by Date: Bug#93453: marked as done ([libapt-pkg] apt-get segfaults on corrupt /var/cache/apt/*.bin)
Previous by thread: Bug#621720: if I attempt to remove apache2.2-common apt wants to install apache2-mpm-prefork
Next by thread: Bug#93453: marked as done ([libapt-pkg] apt-get segfaults on corrupt /var/cache/apt/*.bin)
Index(es):
- Date
- Thread