On Wed, 2012-02-08 at 07:57 +0000, Lars Wirzenius wrote:
> On Tue, Feb 07, 2012 at 10:49:23PM +0000, Ben Hutchings wrote:
> > But it's worse than this: even if dpkg decompresses before comparing,
> > debsums won't (and mustn't, for backward compatibility). So it's
> > potentially necessary to fix up the md5sums file for a package
> > installed for multiple architectures, if it contains a file that was
> > compressed differently.
>
> I'm uncomfortable with the idea of checking checksums only for
> uncompressed data. Compressed files have headers, and at least for
> some formats, it seems those headers can contain essentially
> arbitrary data. This allows compressed files to be modified in
> rather significant ways, without debsums noticing, if debsums
> uncompresses before comparing.
>
> Further, uncompressors have the potential for security problems.
> See https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-2624 for example.
> In other words: debsums needs to decompress to verify that no
> files have been tampered with, but doing so can invoke an attack.
> Such an attack may be unlikely, but it would seem to be a better design
> to not open up the possibility for it.
I wasn't suggesting debsums would do decompression.

Ben.

--
Ben Hutchings
The generation of random numbers is too important to be left to chance.
                                                         - Robert Coveyou
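As an added illustration of Lars's point about headers (example code, not part of the thread), the following Python builds two gzip members with the same payload but different header fields (MTIME and the optional FCOMMENT field) and shows that an MD5 over the decompressed content cannot tell them apart, while an MD5 over the installed bytes, which is what debsums checks, can. The gzip_member helper, the function names and the sample changelog text are all constructed here.

```python
import gzip
import hashlib
import struct
import zlib

# Constructed sample: the same file content as it might ship in a package.
PAYLOAD = b"example (1.0-1) unstable; urgency=low\n\n  * Initial release.\n"


def gzip_member(payload: bytes, mtime: int = 0, comment: bytes = b"") -> bytes:
    """Build one RFC 1952 gzip member by hand so the header fields are under our control.

    FLG bit 4 (FCOMMENT) announces a zero-terminated comment after the fixed header;
    decoders skip it, so it can hold arbitrary bytes without touching the payload.
    """
    flg = 0x10 if comment else 0x00
    header = b"\x1f\x8b\x08" + bytes([flg]) + struct.pack("<I", mtime) + b"\x00\x03"
    if comment:
        header += comment + b"\x00"
    deflater = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)  # raw deflate, no zlib wrapper
    body = deflater.compress(payload) + deflater.flush()
    trailer = struct.pack("<II", zlib.crc32(payload) & 0xFFFFFFFF, len(payload) & 0xFFFFFFFF)
    return header + body + trailer


def md5_of_compressed(blob: bytes) -> str:
    """What debsums does today: hash the file exactly as it sits on disk."""
    return hashlib.md5(blob).hexdigest()


def md5_of_decompressed(blob: bytes) -> str:
    """The alternative under discussion: hash the decompressed content instead."""
    return hashlib.md5(gzip.decompress(blob)).hexdigest()


def compare(shipped: bytes, on_disk: bytes) -> dict:
    """Report whether each checking strategy sees a difference between the two blobs."""
    return {
        "compressed_match": md5_of_compressed(shipped) == md5_of_compressed(on_disk),
        "decompressed_match": md5_of_decompressed(shipped) == md5_of_decompressed(on_disk),
    }


# Constructed pair: identical payload, but the second member carries a different
# MTIME and a comment field, i.e. the header room Lars describes.
SHIPPED = gzip_member(PAYLOAD, mtime=0)
MODIFIED = gzip_member(PAYLOAD, mtime=1328680000, comment=b"arbitrary bytes live here")

if __name__ == "__main__":
    result = compare(SHIPPED, MODIFIED)
    print("compressed MD5s match:  ", result["compressed_match"])    # False: header change detected
    print("decompressed MD5s match:", result["decompressed_match"])  # True: header change invisible
```

Both members decompress to byte-identical content, so a verifier that hashes only the decompressed data accepts the modified file; hashing the installed bytes, as debsums does, flags it.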