From: Jari Ruusu <jariruusu@users.sourceforge.net>
To: Greg KH <greg@kroah.com>
Cc: linux-kernel@vger.kernel.org
Subject: Re: kernel.org tarball/patch signature files
Date: Sun, 23 Oct 2011 17:07:51 +0300 [thread overview]
Message-ID: <4EA41FB7.CB5369CF@users.sourceforge.net> (raw)
In-Reply-To: 20111023113727.GA24285@kroah.com
Greg KH wrote:
> On Sun, Oct 23, 2011 at 02:17:20PM +0300, Jari Ruusu wrote:
> > Wrong order to verify compressed tarball/patch:
> >
> > (1) Feed potentially maliciously formatted data to decompressor, and exploit
> > any undiscovered/unpatched vulnerability in decompressor implementation.
> > (2) Verify decompressed output.
> >
> > Much better order would be:
> >
> > (1) Verify compressed data.
> > (2) Feed trusted data to decompressor.
> >
> > So, would it be possible to have multiple signature files like this? Please.
> >
> > patch-3.X.Y.bz2
> > patch-3.X.Y.bz2.sign
> > patch-3.X.Y.gz
> > patch-3.X.Y.gz.sign
> > patch-3.X.Y.xz
> > patch-3.X.Y.xz.sign
>
> Nope, sorry, let's try this way instead. That way we only have to
> generate one signature, not 3.
How about one signed message that contains multiple SHA256 sums or whatever?
sha256sum patch-3.X.Y.{bz2,gz,xz} | gpg --clearsign -a >patch-3.X.Y.sign
That allows verification before decompression.
> If you are really worried about decompressor bugs, then run them in a
> virtual machine/chroot :)
I am not amused.
Greg, please put your security hat on, and look at this from security point
of view. Decompression after verify removes/closes attacks utilizing yet
unidentified decompressor bugs or security flaws.
If I remember correctly, newer versions of OpenSSH disable compression
before authentication. They do that to pre-emptively close attacks resulting
yet unidentified bugs in decompression code.
--
Jari Ruusu 1024R/3A220F51 5B 4B F9 BB D3 3F 52 E9 DB 1D EB E3 24 0E A9 DD
next prev parent reply other threads:[~2011-10-23 14:07 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-10-23 11:17 kernel.org tarball/patch signature files Jari Ruusu
2011-10-23 11:37 ` Greg KH
2011-10-23 14:07 ` Jari Ruusu [this message]
2011-10-25 1:49 ` Greg KH
2011-10-25 4:31 ` Kyle Moffett
2011-10-25 8:27 ` H. Peter Anvin
2011-10-25 9:13 ` Valdis.Kletnieks
2011-10-25 9:32 ` H. Peter Anvin
2011-10-25 6:06 ` Jari Ruusu
2011-10-25 7:09 ` Greg KH
2011-10-25 8:09 ` Jari Ruusu
2011-10-25 7:28 ` Valdis.Kletnieks
2011-10-25 7:34 ` Greg KH
2011-10-24 17:18 ` Valdis.Kletnieks
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4EA41FB7.CB5369CF@users.sourceforge.net \
--to=jariruusu@users.sourceforge.net \
--cc=greg@kroah.com \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).