Steve Langasek <[EMAIL PROTECTED]> wrote:
> On Tue, Dec 02, 2003 at 06:05:44PM +0100, Andreas Metzler wrote:
>> Joey Hess <[EMAIL PROTECTED]> wrote:
>> > Goswin von Brederlow wrote:
>> >> > dpkg that it is downgrading the package, and a clever attacker might
>> >> > avoid even that.
>> >> How would you avoid it?
>> > Make the replacement package really be a different package entirely, of
>> > a higher version than the package it purports to replace.
>> > I think aj had some more examples along these lines the last time this
>> > came up.
>> I still don't understand how you change the version number (or the
>> package-name) without breaking the signature.
>
> You change the contents of the compromised Packages file, so that
>
> Package: bash
> Essential: yes
> Priority: required
> Section: base
> Architecture: i386
> Version: 2.05b-12
>
> is accompanied by
>
> Filename: pool/main/b/bash/vulnerable-ident-server_1.0-1_i386.deb
>
> which contains a perfectly valid .deb file, signed by a DD, that has
> nothing whatsoever to do with bash.

Thanks for the explanation.

> AFAIK, apt does not sanity check the relationship between package names
> and filenames (and it's not obvious that this should be part of its
> responsibilities),

Agreed, the filename should not matter, as it might need to be shortened
due to filesystem limits.

> and dpkg only gets a list of .debs to install once
> they've been downloaded.

I see. However, all the necessary information to detect this would be
available, as 'dpkg --info vulnerable-ident-server_1.0-1_i386.deb | grep
^Package' is signature-protected and does not match 'Package: bash'.

cu andreas
-- 
Hey, there's a balloon vending machine in the restroom!
Unofficial _Debian-packages_ of latest unstable _tin_
http://www.logic.univie.ac.at/~ametzler/debian/tin-snapshot/
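
The check described in the last paragraph of the message above, as an added example that is not part of the original thread and is not apt or dpkg code: it reads the control file out of a downloaded .deb (an ar archive holding a control.tar.* member) and compares it with the Packages entry that named the file. The function names, the compared fields and the sample entry (assembled from the stanza quoted above) are assumptions for illustration; control.tar compression is limited to what Python's tarfile can open.

```python
import io
import tarfile

CHECKED = ("Package", "Version", "Architecture")

# Constructed sample: the tampered index entry described in the thread.
TAMPERED_ENTRY = """\
Package: bash
Essential: yes
Priority: required
Section: base
Architecture: i386
Version: 2.05b-12
Filename: pool/main/b/bash/vulnerable-ident-server_1.0-1_i386.deb
"""

def parse_stanza(text):
    """Parse one control-file stanza into a dict, folding continuation lines."""
    fields, last = {}, None
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and last:
            fields[last] += "\n" + line.strip()
        elif ":" in line:
            last, value = line.split(":", 1)
            fields[last] = value.strip()
    return fields

def deb_control(deb_bytes):
    """Return the control stanza stored inside a .deb, which is an ar archive."""
    if deb_bytes[:8] != b"!<arch>\n":
        raise ValueError("not an ar archive")
    pos = 8
    while pos + 60 <= len(deb_bytes):
        name = deb_bytes[pos:pos + 16].decode().strip().rstrip("/")
        size = int(deb_bytes[pos + 48:pos + 58].decode().strip())
        body = deb_bytes[pos + 60:pos + 60 + size]
        if name.startswith("control.tar"):
            with tarfile.open(fileobj=io.BytesIO(body), mode="r:*") as tar:
                for member in tar:
                    if member.name in ("control", "./control"):
                        return parse_stanza(tar.extractfile(member).read().decode())
        pos += 60 + size + size % 2  # ar members are padded to even offsets
    raise ValueError("no control file found in archive")

def mismatches(index_entry, deb_bytes):
    """List (field, index value, .deb value) where the index and the .deb disagree."""
    index, control = parse_stanza(index_entry), deb_control(deb_bytes)
    return [(f, index.get(f), control.get(f)) for f in CHECKED
            if index.get(f) != control.get(f)]
```

An empty list from `mismatches` means the index entry and the archive's own control data agree on all three fields; any tuple returned is grounds to refuse the install before the file is handed to dpkg.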