the md5 thing

Like Gunnar I've been following this md5 issue over the past couple of days. Already I've been checking things like my backup software (duplicity uses sha1 so it's ok) and revision control system (svn uses md5 so I cannot safely keep these fun new files in svn; since I keep my mail in svn and my mail already includes examples of these files, that's difficult).

I'm glad that Debian has sha1sums in our Release files along with the md5sums. That means we only have one key md5sum in the chain between a file in the archive and the Release.gpg: The one in the Packages file. Unfortunately, this does leave us vulnerable to some things.

At the moment if I wanted to exploit this stuff to harm Debian, the best I could do would be to upload a .deb with something like the "ice" from the paper appended to it. dpkg ignores trailing garbage in an ar file. This md5sum would go into the Packages files, and the sha1 of the Packages into the Release file, which is in turn gpg signed. Then I just have to hack a mirror and replace my deb with a new version that has "fire" at the end, plus perhaps a payload. The md5sum would be unchanged and the small number of users who use apt-secure would not notice the replacement.
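As an added example (not code from the original post), here is a small Python check that a mirror operator or archive tool could run: it walks the ar members of a .deb the way dpkg does and reports how many bytes follow the last member, which is exactly where an appended block would sit. The archive contents are constructed for the demonstration.

```python
# Added example: detect trailing data after the last ar member of a .deb.
# dpkg ignores such bytes; an archive checker should flag them instead.

AR_MAGIC = b"!<arch>\n"

def ar_member(name: bytes, data: bytes) -> bytes:
    """Build one ar member: 60-byte header (name, mtime, uid, gid, mode,
    size, terminator) followed by the body, padded to an even length."""
    header = (name.ljust(16) + b"0".ljust(12) + b"0".ljust(6) + b"0".ljust(6)
              + b"100644".ljust(8) + str(len(data)).encode().ljust(10) + b"`\n")
    assert len(header) == 60
    return header + data + (b"\n" if len(data) % 2 else b"")

def build_deb(members) -> bytes:
    """Assemble a minimal .deb-style ar archive from (name, data) pairs
    (constructed sample input, not a real package)."""
    return AR_MAGIC + b"".join(ar_member(n, d) for n, d in members)

def trailing_bytes(blob: bytes) -> int:
    """Return the number of bytes after the last well-formed ar member.
    0 means the archive ends where its members end."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos = len(AR_MAGIC)
    while pos + 60 <= len(blob):
        header = blob[pos:pos + 60]
        if header[58:60] != b"`\n":
            break  # no valid member header here: the rest is appended junk
        size = int(header[48:58].decode().strip())
        pos += 60 + size + (size % 2)  # members start on even offsets
    if pos > len(blob):
        raise ValueError("truncated member")
    return len(blob) - pos

if __name__ == "__main__":
    clean = build_deb([(b"debian-binary", b"2.0\n"),
                       (b"control.tar.gz", b"\x1f\x8b" + b"x" * 9),
                       (b"data.tar.gz", b"\x1f\x8b" + b"y" * 20)])
    print("clean:", trailing_bytes(clean), "trailing bytes")
    print("appended:", trailing_bytes(clean + b"ICE" * 64), "trailing bytes")
```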

But for this to be really useful some program in the package, or perhaps in a different package, would need to look for the deb in the local apt archive, check for "fire" at the end, and run the payload. Which is problematic, because that code would be subject to audit, and once someone noticed it or noticed the junk appended to the signed deb I uploaded, it would all be traced back to me and I could kiss my developership goodbye and look forward to some time in court.

So doing this rather than just modifying the mirror arbitrarily and anonymously seems like a poor approach, unless I think I can hide things sufficiently well and want to attack the apt-secure users. There are so many easier scenarios until we get apt-secure deployed that this hardly matters, and adding sha1 sums to the Packages files should be fairly easy to do.