On Sunday 21 September 2014 21:13:50, Richard van den Berg wrote:

> Package formats like apk and jar avoid this chicken and egg problem
> by hashing the files inside a package, and storing those hashes in
> a manifest file. Signatures only sign the manifest file. The
> manifest itself and the signature files are not part of the
> manifest, but are part of the package. So a package including its
> signature(s) is still a single file.
This is bad design and will inevitably lead to security issues (as has been demonstrated by Android and apk). One must check the signature first, and only if the signature matches, start parsing complex file formats. And yes, zip is complex enough to be a problem.

Archive: https://lists.debian.org/6823138.NpYddIaakV@k
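The verify-then-parse ordering argued for above, as an added example that is not part of this thread: the detached signature covers the complete, unparsed package bytes, so the zip parser is only ever invoked on data that already verified. A shared-secret HMAC stands in for the asymmetric signature a real package format would use (an assumption made to keep the example standard-library only); the key and the sample package are constructed.

```python
import hashlib
import hmac
import io
import zipfile

# Assumption: HMAC-SHA256 with a shared key stands in for a public-key
# signature. The ordering argument is the same either way: verify the raw
# bytes first, parse the container second.
SIGNING_KEY = b"constructed-demo-key"  # constructed sample value, not a real key


def sign_package(package_bytes: bytes) -> bytes:
    """Detached signature over the whole package file, not over a manifest inside it."""
    return hmac.new(SIGNING_KEY, package_bytes, hashlib.sha256).digest()


def open_verified(package_bytes: bytes, signature: bytes) -> zipfile.ZipFile:
    """Verify first; zipfile.ZipFile never sees bytes that failed verification."""
    expected = sign_package(package_bytes)
    if not hmac.compare_digest(expected, signature):
        # Reject before touching the zip structure at all.
        raise ValueError("signature mismatch: refusing to parse package")
    return zipfile.ZipFile(io.BytesIO(package_bytes))


def build_demo_package() -> bytes:
    """Constructed sample package: a tiny zip containing one file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("hello.txt", "hello")
    return buf.getvalue()


def demo() -> dict:
    """Open a genuine package, then show a one-byte modification being rejected unparsed."""
    package = build_demo_package()
    sig = sign_package(package)
    names = open_verified(package, sig).namelist()
    # Flip one bit in the zip's trailing end-of-central-directory record; the
    # whole-file signature fails, so the parser is never asked to interpret it.
    tampered = package[:-1] + bytes([package[-1] ^ 0x01])
    try:
        open_verified(tampered, sig)
        rejected = False
    except ValueError:
        rejected = True
    return {"names": names, "tampered_rejected": rejected}
```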