[arch-general] Sébastien Luttringer and Tobias Powalowski

NicoHood archlinux at nicohood.de
Sun Jul 2 22:16:53 UTC 2017


On 07/03/2017 12:07 AM, Morten Linderud wrote:
> On Sun, Jul 02, 2017 at 11:55:35PM +0200, NicoHood wrote:
>> Yes the GPG signature of the tag commit is checked. However you can
>> attack the git metadata and set a tag to a different commit. If this
>> commit is signed, but at an older stage which is vulnerable, we have an
>> issue. Just one example. So we should always also secure the transport
>> layer.
>> https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/torres-arias
>>
> 
> The sign includes the hash. You would essentially have to trick Lennart into replacing the tag to a different commit,
> and sign the tag. Creating a vulnerable but verified source for the PKGBUILD. At this point I think we have bigger
> problems than whatever the PKGBUILD is doing...
> 

That is exactly what I mean. If I understood right you can modify the
git metadata in a way that you can pull tag 1.2 but get 1.0. And tag 1.0
is gpg signed and all valid. This seems to work for me.

I've added sangy to this email, he is the author of this presentation
and should know best. sangy, can you please give us some more detailed
information if an attack could still compromise the systemd package with
a modified git source but still gpg signed commits?

~Nico
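
A defender-side check for the tag-swap case discussed in this thread, added here as an example and not part of the original mails: it parses a git tag object (in the form `git cat-file tag <ref>` prints it) and compares the tag name and target commit that the signature actually covers against the ref name the packager asked for and a commit pinned in the PKGBUILD. The commit hashes and the tag object are constructed samples; the PGP signature itself is assumed to be verified separately by git/gpg, this only checks the fields that signature protects.

```python
import re
from dataclasses import dataclass

@dataclass
class TagObject:
    object_id: str    # commit the tag object points at (covered by the signature)
    object_type: str
    name: str         # tag name embedded in the object (also covered by the signature)
    signed: bool

def parse_tag_object(raw: str) -> TagObject:
    """Parse a tag object as printed by `git cat-file tag <ref>`: headers, blank line, message."""
    header, _, body = raw.partition("\n\n")
    fields = {}
    for line in header.splitlines():
        key, _, value = line.partition(" ")
        fields[key] = value
    for required in ("object", "type", "tag", "tagger"):
        if required not in fields:
            raise ValueError(f"malformed tag object: missing '{required}' header")
    if not re.fullmatch(r"[0-9a-f]{40}", fields["object"]):
        raise ValueError("object header is not a 40-hex-digit SHA-1")
    return TagObject(fields["object"], fields["type"], fields["tag"],
                     "-----BEGIN PGP SIGNATURE-----" in body)

def check_tag(raw: str, requested_name: str, pinned_commit: str) -> list:
    """Return findings; an empty list means the tag matches what the PKGBUILD expects.
    The PGP signature is still verified by git/gpg; this compares the fields it covers."""
    tag = parse_tag_object(raw)
    findings = []
    if not tag.signed:
        findings.append("tag object carries no PGP signature")
    if tag.object_type != "commit":
        findings.append(f"tag points at a {tag.object_type}, not a commit")
    if tag.name != requested_name:
        findings.append(f"ref requested as '{requested_name}' but the signed tag object is named '{tag.name}'")
    if tag.object_id != pinned_commit:
        findings.append(f"tag resolves to {tag.object_id[:12]}, PKGBUILD pins {pinned_commit[:12]}")
    return findings

# Constructed sample: the old, validly signed v1.0 tag object served under refs/tags/v1.2.
OLD_COMMIT = "1111111111111111111111111111111111111111"   # constructed: vulnerable release
NEW_COMMIT = "2222222222222222222222222222222222222222"   # constructed: commit the packager pinned
REPLAYED_TAG = (
    f"object {OLD_COMMIT}\ntype commit\ntag v1.0\n"
    "tagger Upstream Maintainer <maintainer@example.org> 1499033813 +0200\n\n"
    "release v1.0\n-----BEGIN PGP SIGNATURE-----\n(constructed placeholder)\n-----END PGP SIGNATURE-----\n"
)
```

Running `check_tag(REPLAYED_TAG, "v1.2", NEW_COMMIT)` reports both the name mismatch and the commit mismatch, while the same object requested as `v1.0` with `OLD_COMMIT` pinned passes cleanly.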
