
Re: rpmlib app security



On Fri, Jun 27, 2003 at 12:32:24PM -0700, Star Morin wrote:
> Yes, indeed it is the packages that I worry about. Again, I am mostly
> worried about the reliability of the package signature verification.
> 

You're worried about the wrong thing.

DSA works fine if/when it's used.

    No pubkey installed		== no signature can be verified

    No header-only signature	== headers from rpmdb are not checked

There is also incomplete enforcement of "stop right now" when DSA fails
to verify for random packages sucked into a setuid application that links
rpmlib.

It's the cracks, not the algorithm, that are going to get you every time.

73 de Jeff

-- 
Jeff Johnson	ARS N3NPQ
jbj@redhat.com (jbj@jbj.org)
Chapel Hill, NC
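
A fail-closed gate for the three cracks listed in the message above, as an added example that is not part of the original post or of rpmlib: it parses `rpm -Kv`-style verification output and accepts a package only when a header-only signature actually verified. The line format is assumed from recent rpm 4.x releases (not the 2003-era tool), and the sample reports, package name and key ID are constructed.

```python
import re

# Signature line shape assumed from `rpm -Kv` in recent rpm 4.x, e.g.
#   "    Header V4 RSA/SHA256 Signature, key ID 0123abcd: OK"
SIG_LINE = re.compile(
    r"^\s*(?P<header>Header )?V\d+ \S+ Signature, "
    r"key ID (?P<keyid>[0-9a-fA-F]+): (?P<result>\w+)\s*$"
)

# Constructed sample reports (package name and key ID are made up).
HDR = "    Header V4 RSA/SHA256 Signature, key ID 0123abcd: "
DIGESTS = "    Header SHA256 digest: OK\n    MD5 digest: OK\n"
SIGNED_OK = "pkg-1.0-1.noarch.rpm:\n" + HDR + "OK\n" + DIGESTS
NO_PUBKEY = "pkg-1.0-1.noarch.rpm:\n" + HDR + "NOKEY\n" + DIGESTS
BAD_SIG = "pkg-1.0-1.noarch.rpm:\n" + HDR + "BAD\n" + DIGESTS
UNSIGNED = "pkg-1.0-1.noarch.rpm:\n" + DIGESTS
PAYLOAD_ONLY = ("pkg-1.0-1.noarch.rpm:\n"
                "    V4 RSA/SHA256 Signature, key ID 0123abcd: OK\n" + DIGESTS)


def check_package(report):
    """Return (accept, reason). Only a verified header signature is accepted."""
    header_ok = False
    for line in report.splitlines():
        m = SIG_LINE.match(line)
        if not m:
            # Digests show integrity, not origin; a failed one is still fatal.
            if "digest:" in line and not line.rstrip().endswith(": OK"):
                return False, "digest mismatch"
            continue
        if m["result"] == "NOKEY":
            # No pubkey installed == no signature can be verified.
            return False, "no public key installed for key ID " + m["keyid"]
        if m["result"] != "OK":
            # Verification failed: stop right now, do not keep processing.
            return False, "signature " + m["result"]
        if m["header"]:
            header_ok = True
    if not header_ok:
        # Unsigned, or signed only over header+payload: nothing vouches
        # for the header on its own.
        return False, "no header-only signature"
    return True, "header signature verified"


if __name__ == "__main__":
    for name in ("SIGNED_OK", "NO_PUBKEY", "BAD_SIG", "UNSIGNED", "PAYLOAD_ONLY"):
        print(name, check_package(globals()[name]))
```

The unsigned report is the case worth noticing: every line in it says OK, and only the absence of a signature line distinguishes it from a verified package.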



