[arch-general] Sébastien Luttringer and Tobias Powalowski

Eli Schwartz eschwartz93 at gmail.com
Sun Jul 2 23:22:23 UTC 2017 

On 07/02/2017 07:01 PM, Ismael Bouya wrote:
> (Mon, Jul 03, 2017 at 12:29:44AM +0200) Morten Linderud :
>> But HTTPS doesnt matter here. We have a trusted signer inn the PKGBUILD, anyone can MITM for the good of their life.
>> Unless they can fake the signature (Hint; they cant), or trick Lennart into signing something he shouldnt (Hint; he
>> wont), we don't have a case here. It doesn't really matter if its HTTP or HTTPS.
>>
>> You also didn't really reply about the threat model.
> 
> If I understand correctly what Nicohood meant,
> what could happen is that version X of systemd (or anything else) has a
> well known vulnerability, fixed in X+1. X+1 is packaged, so anyone
> up to date thinks "good I'm safe now". But since a man in the middle can
> force to download version X (signed by the systemd maintainer so
> considered "secure"), he can force you to download that version when you
> create the package and you'll think you have the safe version while
> having the unsafe one.

Okay, this I am genuinely curious about.

In what circumstances can I have:
- the systemd repository cloned over the git:// protocol
- an annotated tag for systemd v233 signed by Lennart Poettering.
- an annotated tag for systemd v232 signed by Lennart Poettering.
- a man in the middle attack
- `git verify-tag --raw v233` reports a GOODSIG with a VALIDSIG
  ${fingerprint} that matches with Lennart's known GPG fingerprint as
  recorded in validpgpkeys

And as a result, when I run the git command `git checkout
refs/tags/v233`, I am tricked into getting v232 instead which contains a
vulnerability. Also, I wouldn't be alerted by the verbose printing of
the systemd version which happens during the boot process, nor by
$systemd_binary --version

...

Because I don't think git works that way, but I am willing to be proven
wrong. Also I bet the git developers would be fascinated to hear the
details, you might even get some sort of bounty for successfully hacking
git like that.

-- 
Eli Schwartz

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-general/attachments/20170702/35940dcd/attachment.asc>

More information about the arch-general mailing list