Hello, Am Mittwoch, 13. Dezember 2006 10:33 schrieb Javier Fernández-Sanguino Peña: > In order for your md5sum "attack" to really work you have to crack > *all* mirrors or the user has a ~1/38 chance on stumbling on the > package that has been replaced by a cracker. Not a very good attack > IMHO.
Or the user would despair of 37 "broken" mirrors and be "happy" to finally find the "good" one ;-) > Anyway, we could be discussing about this for days. I agree that the > md5sum should not be taken verbatim from the user's input but, I > understand, that's something that is fixed in the next release of the > scripts. Good to know. BTW: The current state of only allowing [0-9a-f] doesn't really help because one can still inject wrong MD5SUMs. It just prevents some jokes. http://packages.debian.org/cgi-bin/download.pl?arch=all&file=pool%2Fmain%2Fi%2Fie%2Finternet-explorer_7.0-3_all.deb&md5sum=aaaaaaaaaaaaaaaaaaaaaaaaaa000000&arch=all&type=main still works (package name replaced to make the fake obvious - please have look at the MD5SUM). > If other's think this should be fixed *right*now* then I > think the only sensible option is to remove the md5sum information > from the download page altogether and put it in the packages page > with the autogenerated content in a cell next to "Installed size". Sounds like a very good idea. Please do this change. Christian Boltz -- URLs: absurd lange Worte die man nicht umbrechen darf [David Haller]
