
Re: Recent updates

From: Alexander Schmehl <tolimar(at)debian.org>
Date: Mon Feb 18 2008 - 07:23:42 EST


Hi!

* Felipe Figueiredo <philsf79@gmail.com> [080218 10:01]:

> > Well, a rogue hacker would need to be quite skilled to add some kind of
> > "bad" package.
> >
> > Let's assume he has created a bad package and got control over a mirror
> How about a simpler attack vector: compromise a devel account, and sneak in a
> patch to be automatically incorporated into a package. Is this feasible?
>
> I understand that this case would not reflect what the OP asked about, but
> still.

Yes, that would be a possible attack vector. But you would need to do more than just break into a devel account. Since package uploads of developers need to be signed with a pre-approved gpg key, you would need to break into that, too (which I must confess is still possible).

However, while it would then be possible to upload packages to Debian's unstable branch directly (and therefore could possibly [but IMHO unlikely] even get a package into the testing branch), you still don't get a package into a stable (point) release, since your manipulated package needs to pass the review of our stable release managers.

Now keep in mind that you in general can't get new upstream releases into a stable point release, and since the manipulated package has been uploaded before the manipulation, changing the source code of the package won't work. So the only way you can get your manipulations in is via the diff.gz of the source package. So it is more or less easy to review what has been changed. Tools like "debdiff" to compare changes between packages make it even easier. So it is not impossible, but quite unlikely, that a manipulated package gets into a stable point release. (And you would still need to do some more to get your package in. E.g. a bug report of serious severity (or higher) which your package claims to fix, which of course will be tested; and all that while the Debian Developer whose account and gpg key you hacked isn't noticing anything.)

The next attack vector would be to get a manipulated package into Debian's unstable branch, and hope it will make it into a stable release. That would be complicated and unlikely, too, but I'm too lazy now to write it all down ;)

Yours sincerely,
  Alexander

-- 
To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Received on Mon Feb 18 07:24:26 2008
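The review argument above rests on a structural property of a stable point update: the upstream orig tarball must stay byte-identical, so only the Debian diff.gz (or debian.tar) should differ between the old and new source upload. As an added example, not code from the thread or from Debian's own tooling (debdiff is the real tool mentioned), the script below parses the Checksums-Sha256 field of two .dsc files and reports which source components changed, flagging any change to an orig tarball. The package name examplepkg, the .dsc texts and the digests are constructed samples; real .dsc files are OpenPGP clear-signed, and checking that signature against the Debian keyring (for instance with dscverify) comes before this comparison and is not done here.

```python
"""Compare the per-file checksums of two Debian .dsc files (added example,
not from the mailing-list thread; sample .dsc texts and digests are constructed)."""
import re
from typing import Dict, List

# Constructed sample: the source package as it sat in the previous point release.
DSC_OLD = """\
Format: 1.0
Source: examplepkg
Version: 1.2-3
Checksums-Sha256:
 1111111111111111111111111111111111111111111111111111111111111111 65536 examplepkg_1.2.orig.tar.gz
 2222222222222222222222222222222222222222222222222222222222222222 2048 examplepkg_1.2-3.diff.gz
"""

# Constructed sample: a legitimate point update. Same orig tarball, new diff.gz.
DSC_POINT_UPDATE = """\
Format: 1.0
Source: examplepkg
Version: 1.2-4
Checksums-Sha256:
 1111111111111111111111111111111111111111111111111111111111111111 65536 examplepkg_1.2.orig.tar.gz
 3333333333333333333333333333333333333333333333333333333333333333 2100 examplepkg_1.2-4.diff.gz
"""

# Constructed sample: the orig tarball keeps its name but its digest changed.
DSC_UPSTREAM_TOUCHED = """\
Format: 1.0
Source: examplepkg
Version: 1.2-4
Checksums-Sha256:
 4444444444444444444444444444444444444444444444444444444444444444 65536 examplepkg_1.2.orig.tar.gz
 3333333333333333333333333333333333333333333333333333333333333333 2100 examplepkg_1.2-4.diff.gz
"""

UPSTREAM_RE = re.compile(r"\.orig(?:-[a-z0-9]+)?\.tar\.")
PACKAGING_RE = re.compile(r"\.(?:diff\.gz|debian\.tar\.[a-z0-9]+)$")


def parse_checksums(dsc_text: str, field: str = "Checksums-Sha256") -> Dict[str, str]:
    """Return {filename: digest} from a multi-line checksum field of an
    (unsigned) .dsc body. Continuation lines of a field start with whitespace."""
    files: Dict[str, str] = {}
    in_field = False
    for line in dsc_text.splitlines():
        if line[:1] in (" ", "\t"):
            if in_field and line.strip():
                parts = line.split()
                if len(parts) == 3:          # "<digest> <size> <filename>"
                    digest, _size, name = parts
                    files[name] = digest
            continue
        in_field = line.split(":", 1)[0] == field
    return files


def classify(filename: str) -> str:
    """Label a source component as upstream tarball, Debian packaging, or other."""
    if UPSTREAM_RE.search(filename):
        return "upstream"
    if PACKAGING_RE.search(filename):
        return "packaging"
    return "other"


def compare_dsc(old_text: str, new_text: str) -> Dict[str, object]:
    """Diff the file lists of two .dsc bodies. 'upstream_changed' is True when
    any orig tarball was added, removed or re-hashed, which a point release
    should never do; a reviewer would then stop and ask why."""
    old, new = parse_checksums(old_text), parse_checksums(new_text)
    report: Dict[str, object] = {"unchanged": [], "changed": [], "added": [], "removed": []}
    for name in sorted(set(old) | set(new)):
        if name not in new:
            report["removed"].append(name)
        elif name not in old:
            report["added"].append(name)
        elif old[name] != new[name]:
            report["changed"].append(name)
        else:
            report["unchanged"].append(name)
    touched: List[str] = report["changed"] + report["added"] + report["removed"]
    report["upstream_changed"] = any(classify(n) == "upstream" for n in touched)
    return report


if __name__ == "__main__":
    for label, candidate in (("point update", DSC_POINT_UPDATE),
                             ("upstream touched", DSC_UPSTREAM_TOUCHED)):
        r = compare_dsc(DSC_OLD, candidate)
        verdict = "REVIEW: orig tarball changed" if r["upstream_changed"] else "ok: only packaging changed"
        print(f"{label}: {verdict}; changed={r['changed']} added={r['added']} removed={r['removed']}")
```

In the first comparison only the diff.gz is new, which is what the reviewer then reads with debdiff; in the second the orig tarball's digest moved under the same filename, which the script flags before anyone looks at a single patch line.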

This archive was generated by hypermail 2.1.8 : Wed Mar 19 2008 - 06:56:00 EDT

