[arch-general] Sébastien Luttringer and Tobias Powalowski

Ismael Bouya ismael.bouya at normalesup.org
Sun Jul 2 23:34:38 UTC 2017


(Sun, Jul 02, 2017 at 07:22:23PM -0400) Eli Schwartz via arch-general :
> Okay, this I am genuinely curious about.
> 
> In what circumstances can I have:
> - the systemd repository cloned over the git:// protocol
> - an annotated tag for systemd v233 signed by Lennart Poettering.
> - an annotated tag for systemd v232 signed by Lennart Poettering.
> - a man in the middle attack
> - `git verify-tag --raw v233` reports a GOODSIG with a VALIDSIG
>   ${fingerprint} that matches with Lennart's known GPG fingerprint as
>   recorded in validpgpkeys
> 
> And as a result, when I run the git command `git checkout
> refs/tags/v233`, I am tricked into getting v232 instead which contains a
> vulnerability.

Up to there, it's exactly the topic of the presentation linked by
Nicohood.

> Also, I wouldn't be alerted by the verbose printing of
> the systemd version which happens during the boot process, nor by
> $systemd_binary --version

Then you rely only on those last two things.

-- 
Ismael
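[Added example, not part of the thread and not code from git or systemd.] The attack Eli describes works because git:// authenticates nothing: the v232 tag object and its PGP signature are genuine, so gpg reports GOODSIG/VALIDSIG, but the unsigned ref refs/tags/v233 has been redirected to that v232 tag object. What a GOODSIG does not tell you is whether the name the tagger signed inside the tag object matches the ref you asked for. The Python below implements exactly that check over raw git tag objects (the format `git cat-file tag <oid>` prints), with git's real object-id computation. Everything it operates on is constructed inline: placeholder commit ids, a tagger called "Example Tagger", and a placeholder armor block standing in for a real signature. Signature verification itself is assumed to have already been done by gpg; the code only adds the checks gpg cannot make.

```python
"""Check a signed git tag's embedded name against the ref that was requested.

Models the ref-swap scenario from the thread: refs/tags/v233 is redirected by a
man in the middle to the genuine, correctly signed v232 tag object.  No signed
byte changes, so gpg still says GOODSIG; the unsigned ref is what lies.
"""
import hashlib
from dataclasses import dataclass

SIG_START = "-----BEGIN PGP SIGNATURE-----"


@dataclass
class TagObject:
    target: str       # "object" header: the commit the tag points at
    target_type: str  # "type" header
    name: str         # "tag" header: the name the tagger actually signed
    tagger: str
    message: str
    signature: str    # ASCII-armored PGP block, "" if the tag is unsigned


def git_object_id(kind: str, content: bytes) -> str:
    """Git's object id: SHA-1 over "<kind> <len>\\0<content>"."""
    header = f"{kind} {len(content)}\0".encode()
    return hashlib.sha1(header + content).hexdigest()


def parse_tag_object(content: bytes) -> TagObject:
    """Parse the raw bytes of a git tag object into its headers, message and signature."""
    text = content.decode("utf-8")
    header, sep, body = text.partition("\n\n")
    if not sep:
        raise ValueError("tag object has no header/body separator")
    fields = {}
    for line in header.split("\n"):
        key, _, value = line.partition(" ")
        fields[key] = value
    for required in ("object", "type", "tag", "tagger"):
        if required not in fields:
            raise ValueError(f"tag object missing {required!r} header")
    # The signature, if present, trails the message inside the body.
    message, marker, rest = body.partition(SIG_START)
    return TagObject(fields["object"], fields["type"], fields["tag"],
                     fields["tagger"], message, marker + rest)


def check_tag_ref(refs: dict, objects: dict, refname: str) -> tuple:
    """Return (ok, detail).  Rejects the ref swap even when gpg reports GOODSIG."""
    oid = refs[refname]
    content = objects[oid]
    # 1. The ref really names this object (guards a tampered object store).
    if git_object_id("tag", content) != oid:
        return False, f"{refname}: object id mismatch for {oid}"
    tag = parse_tag_object(content)
    if not tag.signature:
        return False, f"{refname}: tag object is not signed"
    if tag.target_type != "commit":
        return False, f"{refname}: tag points at a {tag.target_type}, not a commit"
    # 2. The name the tagger signed must equal the ref we were asked to check out.
    wanted = refname[len("refs/tags/"):] if refname.startswith("refs/tags/") else refname
    if tag.name != wanted:
        return False, f"{refname}: signed tag object is named {tag.name!r}"
    return True, tag.target


def make_tag_object(name: str, target: str, version: str) -> bytes:
    """Constructed tag object; the armor block is a placeholder, not a real signature."""
    return (
        f"object {target}\n"
        "type commit\n"
        f"tag {name}\n"
        "tagger Example Tagger <tagger@example.invalid> 1500000000 +0200\n"
        "\n"
        f"systemd {version}\n"
        f"{SIG_START}\n"
        "constructed placeholder armor, not a real signature\n"
        "-----END PGP SIGNATURE-----\n"
    ).encode()


def build_fixture() -> tuple:
    """Return (objects, honest_refs, mitm_refs) for the two tags in the thread."""
    commit_v232 = "1" * 40   # constructed placeholder commit ids
    commit_v233 = "2" * 40
    tag_v232 = make_tag_object("v232", commit_v232, "v232")
    tag_v233 = make_tag_object("v233", commit_v233, "v233")
    objects = {git_object_id("tag", tag_v232): tag_v232,
               git_object_id("tag", tag_v233): tag_v233}
    honest = {"refs/tags/v232": git_object_id("tag", tag_v232),
              "refs/tags/v233": git_object_id("tag", tag_v233)}
    # Man in the middle on git://: refs are unauthenticated, so v233 can be
    # pointed at the genuinely signed v232 tag object without touching a signed byte.
    mitm = dict(honest)
    mitm["refs/tags/v233"] = honest["refs/tags/v232"]
    return objects, honest, mitm


if __name__ == "__main__":
    objs, honest_refs, mitm_refs = build_fixture()
    print(check_tag_ref(honest_refs, objs, "refs/tags/v233"))
    print(check_tag_ref(mitm_refs, objs, "refs/tags/v233"))
```

The same comparison can be done by hand after a clone: `git cat-file -p refs/tags/v233 | grep '^tag '` should print the tag name you asked for, and the `object` line should be the commit `git rev-parse refs/tags/v233^{commit}` gives you. The version banner at boot or `--version` is a weaker check than this, since it is produced by the very code whose provenance is in question.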