On Mon, Dec 11, 2006 at 09:42:35PM +0100, Stefan Scheler wrote: > > Fixed and uploaded, see #402631. > > Erm, do you this is a good fix? You're only checking the length!
Please provide a demonstration attack that would force users into downloading, and wrongly checking, a malicious package. The only way that can happen is if a mirror is already compromised, and that's why whe have per-signature GPG releases for the archive [1]. A proper fix would take the MD5sum from somewhere and not the user's submission and that's acknowledged in the CVS logs. For the time being, the fix is suficcient, and can wait until the new version of packages.debian.org is up (no idea when, I'm not a developer of that part of the site) which already does this. Regards Javier [1] http://www.debian.org/doc/manuals/securing-debian-howto/ch7.en.html#s-deb-pack-sign
signature.asc
Description: Digital signature
