[Bug 1358272] Re: [MIR] debsig-verify

2017-08-23 Thread Michael Vogt
With the phasing out of click packages this is no longer needed and the bug can be closed. ** Changed in: debsig-verify (Ubuntu) Status: Incomplete => Won't Fix -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.

[Bug 1358272] Re: [MIR] debsig-verify

2014-08-20 Thread Colin Watson
Seth Arnold wrote: debsig-verify uses some library routines from dpkg; while I inspected these calls and didn't see a problem, I must point out that dpkg was only ever designed to handle packages that already passed the usual hash-and-signatures check provided by apt and may not be suitable

[Bug 1358272] Re: [MIR] debsig-verify

2014-08-20 Thread Michael Vogt
@Seth: thanks for comment #4 about the 32bit issue with off_t - is there any downside of simply using -D_FILE_OFFSET_BITS=64 to morph off_t into a 64bit type?

[Bug 1358272] Re: [MIR] debsig-verify

2014-08-20 Thread Seth Arnold
Colin, you're right -- and I thought about that before hitting 'Post Comment' -- but the world was different then, we still used telnet, rsh, and ftp. Installing a package in those days made an explicit decision to trust that package with root shell privileges and allowed it to install setuid or

[Bug 1358272] Re: [MIR] debsig-verify

2014-08-20 Thread Seth Arnold
Michael, I think your proposed -D_FILE_OFFSET_BITS=64 is sufficient and probably more reliable than trying to prevent ar_size based int32 overflows or just stopping an infinite loop through other constraints. Probably someone will want to package a data file larger than two gigabytes anyway.

[Bug 1358272] Re: [MIR] debsig-verify

2014-08-19 Thread Seth Arnold
I reviewed debsig-verify version 0.10 as checked into utopic. This shouldn't be considered a full security audit, but rather a quick gauge of maintainability. debsig-verify is awkward. Extensive use is made of global state and much of the program logic depends upon side-effects to this global

[Bug 1358272] Re: [MIR] debsig-verify

2014-08-19 Thread Michael Vogt
Thanks Seth for your excellent review. I addressed most of your points in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=758615 that contains patches to improve the error handling and to get rid of the global state. The tests in http://bazaar.launchpad.net/~click-

[Bug 1358272] Re: [MIR] debsig-verify

2014-08-19 Thread Seth Arnold
findMember() on 32-bit platforms can also suffer an infinite loop and probably worse outcomes. The off_t is a 32-bit value on 32-bit platforms with a maximum value of 2147483647; the maximum value stored in the ar_size member can be 99. This allows ample opportunities for mischief, the

[Bug 1358272] Re: [MIR] debsig-verify

2014-08-19 Thread Michael Vogt
The CFLAGS from the Makefile are overridden during the build, see: https://launchpadlibrarian.net/181033234/buildlog_ubuntu-utopic-amd64.debsig-verify_0.10_UPLOADING.txt.gz

[Bug 1358272] Re: [MIR] debsig-verify

2014-08-18 Thread Michael Vogt
** Description changed: In order to check the signature of click packages we want to use the debsig-verify tool. Because clicks and debs are similar we can use debsig-verify with an appropriate policy to do the verifications. This MIR covers the tool itself, the policy will be put into a

[Bug 1358272] Re: [MIR] debsig-verify

2014-08-18 Thread Michael Terry
Needs a team bug subscriber, but besides that looks good. The many years without a maintainer are also troubling, but at least there's one now. Assigning to security team for a quick look to verify that the code can be relied on. ** Changed in: debsig-verify (Ubuntu) Status: New =>

[Bug 1358272] Re: [MIR] debsig-verify

2014-08-18 Thread Jamie Strandboge
** Changed in: debsig-verify (Ubuntu) Assignee: Ubuntu Security Team (ubuntu-security) => Seth Arnold (seth-arnold) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1358272 Title: [MIR]