GNU bug report logs - #19479
Package manager vulnerable


Package: emacs;

Reported by: Kelly Dean <kelly <at> prtime.org>

Date: Thu, 1 Jan 2015 12:40:02 UTC

Severity: important

Tags: security



Message #146 received at 19479 <at> debbugs.gnu.org:

From: Stefan Kangas <stefan <at> marxist.se>
To: Noam Postavsky <npostavs <at> gmail.com>
Cc: 19479 <at> debbugs.gnu.org
Subject: Re: bug#19479: Package manager vulnerable
Date: Tue, 8 Sep 2020 01:10:53 -0700

Noam Postavsky <npostavs <at> gmail.com> writes:

> I think the idea is that if the attacker has the signing key and sends
> out a bad version of archive-contents, it will be revealed as soon as
> the victim gets a "good" version, since its previous-version hash won't
> match.

Yes, this is what I understood to be the case as well.

> Except that only works if the user can expect to get all versions of
> archive-contents, so maybe I've missed something.

Exactly my point.  So we can't rely on it to bail out if the hashes
don't match up, I think.
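
The scheme discussed above, and the gap Noam and Stefan point at, as an added example that is not part of this bug report or of package.el. It is a hypothetical model: a JSON document stands in for the signed archive-contents file, each version embeds the SHA-256 of the previous version, and signature checking is omitted because the threat is an attacker who already holds the signing key (so every version, forged or not, verifies). The three scenarios show that the previous-version hash does reveal a forgery once a good version arrives, that a client which simply missed some versions gets the identical mismatch, and that telling the two apart requires the archive to serve its complete version history.

```python
"""Hypothetical model of hash-chained archive-contents (added example,
not code from package.el).  Names, the JSON format and the SHA-256
choice are assumptions for illustration."""
import hashlib
import json
from typing import Dict, List, Optional


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_archive_contents(packages: Dict[str, str], prev: Optional[bytes]) -> bytes:
    # Stand-in for one signed archive-contents version.  No signature is
    # modelled: the attacker holds the signing key, so signatures pass anyway.
    doc = {"prev-hash": digest(prev) if prev is not None else None,
           "packages": packages}
    return json.dumps(doc, sort_keys=True).encode()


class Client:
    """Consumer that remembers the last archive-contents it accepted."""

    def __init__(self) -> None:
        self.last_seen: Optional[bytes] = None

    def accept(self, data: bytes) -> str:
        doc = json.loads(data)
        if self.last_seen is not None and doc["prev-hash"] != digest(self.last_seen):
            return "prev-hash mismatch"   # forgery OR a version the client never saw
        self.last_seen = data             # first fetch is trust-on-first-use
        return "ok"

    def reconcile(self, history: List[bytes]) -> str:
        """Only possible if the archive serves every version it ever published."""
        if self.last_seen is None:
            return "nothing to compare"
        # The archive's own history must be internally chained.
        for prev, cur in zip(history, history[1:]):
            if json.loads(cur)["prev-hash"] != digest(prev):
                return "archive history broken"
        seen = digest(self.last_seen)
        idx = next((i for i, v in enumerate(history) if digest(v) == seen), None)
        if idx is None:
            return "forgery: accepted version absent from archive history"
        self.last_seen = history[-1]
        return "ok: caught up %d version(s)" % (len(history) - 1 - idx)


# Constructed sample versions: three honest releases and one forgery that an
# attacker with the signing key chains correctly onto V1.
V1 = make_archive_contents({"foo": "1.0"}, None)
V2 = make_archive_contents({"foo": "1.1"}, V1)
V3 = make_archive_contents({"foo": "1.2"}, V2)
FORGED = make_archive_contents({"foo": "1.0", "evil": "9.9"}, V1)


def scenario_forgery() -> List[str]:
    # Forgery is accepted; the next good version exposes it by mismatch.
    c = Client()
    return [c.accept(V1), c.accept(FORGED), c.accept(V2)]


def scenario_offline() -> List[str]:
    # No attacker: the client was offline while V2 shipped and sees V3 next.
    c = Client()
    return [c.accept(V1), c.accept(V3)]


def scenario_with_history() -> List[str]:
    # With the full chain available, a skipped version and a forgery differ.
    honest, victim = Client(), Client()
    honest.accept(V1)
    victim.accept(V1)
    victim.accept(FORGED)
    return [honest.reconcile([V1, V2, V3]), victim.reconcile([V1, V2, V3])]


if __name__ == "__main__":
    print(scenario_forgery())
    print(scenario_offline())
    print(scenario_with_history())
```

`scenario_forgery` and `scenario_offline` both end in "prev-hash mismatch", which is why `accept` alone cannot be the bail-out condition: an offline week looks exactly like a compromised key. `reconcile` gets the distinction only because it can walk the archive's complete history and check whether the client's last accepted version is in it, which is the "all versions of archive-contents" assumption the thread says cannot be relied on.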




This bug report was last modified 4 years and 203 days ago.



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.