Ansgar Burchardt:
> Henrique de Moraes Holschuh writes:
>> On Fri, 27 Oct 2017, Hans-Christoph Steiner wrote:
>>> This idea that GPG signatures on the index files is enough has been
>>> totally disproven. There was a bug in apt where Debian devices could be
>>> exploited by feeding them crafted InRelease files:
>>>
>>> https://www.debian.org/security/2016/dsa-3733
>>
>> This was the *one* bug of this sort in the entire lifetime of apt thus
>> far, AFAIK.
>
> No, there was also
> https://security-tracker.debian.org/tracker/CVE-2013-1051
> which I found. That one was fairly easy to exploit (concatenate
> manipulated Release with wrong "-----BEGIN PGP SIGNATURE" markers and
> correctly signed InRelease; gpg would verify the signature at the end,
> but apt would use the unsigned, manipulated Release from the beginning)
>
> Similar bugs were present in several other places in Debian's
> infrastructure as well.
>
> The one from 2016 is harder to exploit: I asked on #-apt back then and
> the sample exploit had a 1/4 success chance with a 1.3 GB InRelease file
> on a memory starved i386 system.
That hit rate is enough to build malware around...

>>> If HTTPS was used, that would mean exploiting that would require
>>
>> One of the dozens of zero-days already found in the TLS stack we had to
>> run like crazy to patch ?
>
> That is still valid of course, though I'm not sure if GnuPG or TLS
> libraries get wider testing...
>
> Ansgar
>

Don't get me wrong, I agree that HTTPS is very overcomplicated and terrible in a lot of ways. But the days of plain HTTP/TCP are over. All connections need to be moving towards encryption. Even with HTTPS' faults, we are better off using it than plain HTTP.

.hc
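As an added illustration (not apt's or GnuPG's code) of the check that closes the concatenation pattern Ansgar describes above: a verifier should accept a clearsigned InRelease-style file only when it consists of exactly one signed block with nothing before or after it, rather than trusting whatever gpg happens to verify at the end. The sample file contents, including the placeholder signature data and the `Origin`/`Suite` fields, are constructed for this example.

```python
# Added example, not apt's or GnuPG's code: reject clearsigned files that
# carry any material outside exactly one signed block, so a verifier that
# only checks the trailing signature cannot be fed unsigned text up front.

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"


def split_clearsigned(text):
    """Return (body_lines, signature_lines) for exactly one well-formed
    clearsigned block; raise ValueError for anything else."""
    lines = text.splitlines()
    if not lines or lines[0] != BEGIN_MSG:
        raise ValueError("data before, or missing, BEGIN PGP SIGNED MESSAGE")
    i = 1  # armor headers such as "Hash: SHA256", then one blank line
    while i < len(lines) and lines[i] != "":
        if not lines[i].startswith("Hash:"):
            raise ValueError("unexpected armor header")
        i += 1
    body_start = i + 1
    try:
        sig_start = lines.index(BEGIN_SIG, body_start)
        sig_end = lines.index(END_SIG, sig_start)
    except ValueError:
        raise ValueError("signature markers missing or out of order")
    body = lines[body_start:sig_start]
    # Genuine body lines that start with "-" are dash-escaped ("- ..."), so a
    # raw "-----" line inside the body is a smuggled armor marker.
    if any(line.startswith("-----") for line in body):
        raise ValueError("armor marker inside signed body")
    if any(line.strip() for line in lines[sig_end + 1:]):
        raise ValueError("trailing data after END PGP SIGNATURE")
    return body, lines[sig_start:sig_end + 1]


def is_single_clearsigned_block(text):
    try:
        split_clearsigned(text)
        return True
    except ValueError:
        return False


# Constructed samples; the signature data is a placeholder, not a real one.
GOOD = "\n".join([BEGIN_MSG, "Hash: SHA256", "", "Origin: Example",
                  "Suite: stable", BEGIN_SIG, "", "PLACEHOLDER-SIG-DATA",
                  END_SIG, ""])
# Unsigned, manipulated Release text with bogus markers placed in front of
# the genuinely signed file: the shape the thread describes.
BAD_PREPENDED = "\n".join(["Origin: Example", "Suite: evil", BEGIN_SIG,
                           END_SIG, ""]) + GOOD
BAD_APPENDED = GOOD + "Suite: evil\n"
```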