On 3 July 2017 at 01:22, Eli Schwartz via arch-general <arch-general@archlinux.org> wrote:
On 07/02/2017 07:01 PM, Ismael Bouya wrote:
(Mon, Jul 03, 2017 at 12:29:44AM +0200) Morten Linderud :
But HTTPS doesnt matter here. We have a trusted signer inn the PKGBUILD, anyone can MITM for the good of their life. Unless they can fake the signature (Hint; they cant), or trick Lennart into signing something he shouldnt (Hint; he wont), we don't have a case here. It doesn't really matter if its HTTP or HTTPS.
You also didn't really reply about the threat model.
If I understand correctly what Nicohood meant, what could happen is that version X of systemd (or anything else) has a well known vulnerability, fixed in X+1. X+1 is packaged, so anyone up to date thinks "good I'm safe now". But since a man in the middle can force to download version X (signed by the systemd maintainer so considered "secure"), he can force you to download that version when you create the package and you'll think you have the safe version while having the unsafe one.
Okay, this I am genuinely curious about.
In what circumstances can I have: - the systemd repository cloned over the git:// protocol - an annotated tag for systemd v233 signed by Lennart Poettering. - an annotated tag for systemd v232 signed by Lennart Poettering. - a man in the middle attack - `git verify-tag --raw v233` reports a GOODSIG with a VALIDSIG ${fingerprint} that matches with Lennart's known GPG fingerprint as recorded in validpgpkeys
And as a result, when I run the git command `git checkout refs/tags/v233`, I am tricked into getting v232 instead which contains a vulnerability. Also, I wouldn't be alerted by the verbose printing of the systemd version which happens during the boot process, nor by $systemd_binary --version
...
Because I don't think git works that way, but I am willing to be proven wrong. Also I bet the git developers would be fascinated to hear the details, you might even get some sort of bounty for successfully hacking git like that.
On the other hand, the systemd-stable repo doesn't have signed tags (or commits) and Arch is probably going to move to that since it has post-release fixes for regressions and bugs. -- damjan