[Pkg-gnupg-maint] Bug#704613: cdebootstrap: signature verification bypass with manipulated InRelease file

Ansgar Burchardt ansgar at debian.org
Thu Apr 4 07:35:29 UTC 2013


Control: unmerge -1
Control: reassign -1 cdebootstrap 0.5.9
Control: severity -1 grave

Bastian Blank <bastian at waldi.eu.org> writes:
> On Thu, Apr 04, 2013 at 12:24:26AM +0200, Bastian Blank wrote:
>> On Wed, Apr 03, 2013 at 04:58:05PM +0200, Ansgar Burchardt wrote:
> > So one can prepend an InRelease file looking like
>> > ----
>> > -----BEGIN PGP SIGNED MESSAGE----- NOT
>> > Hash: SHA1
>> > 
>> > <insert malicious Release file contents here>
>> > 
>> > -----BEGIN PGP SIGNATURE----- NOT
>> > ----
>> 
>> This is a bug in gnupg, this is clearly no valid file clearsign message
>> anymore, see RFC 4880, section 7.
>
> I decided that this is no bug in cdebootstrap at all. cdebootstrap asks
> gnupg to verify the _file_:
> | gpgv pgpfile
> |       Verify the signature of the file.
>
> gpgv answers that the _file_ was verified. But actually only a _part_ of
> it was actually signed, so this answer is incorrect.

Even then cdebootstrap doesn't correctly extract data from the signed
part of the message. One can still "hide" fields by dash-escaping them.
In particular one might hide "Checksums-*" and cdebootstrap would only
use the weaker MD5 hash[1].

cdebootstrap should reverse dash-escaping, remove trailing whitespace
and normalize line endings. All these can be changed without breaking
the signature.

This might however be a less severe problem (depending on how much more
MD5 is broken).

Ansgar

[1] From a quick look at src/check.c it might only use md5sum for binary
    packages anyway.
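Added example (not code from the bug report or from cdebootstrap): a strict extractor of the signed part of an RFC 4880 clearsigned message that does what the mail asks for, namely rejects anything outside exactly one well-formed armor block, reverses dash-escaping, strips trailing whitespace and normalizes line endings, and then refuses to fall back to MD5Sum when the signed text carries a SHA256 field. The InRelease sample, its dash-escaped SHA256 field and the placeholder signature block are constructed for the example; gpgv's actual signature check is assumed to run separately and is not modelled. A `naive_fields` function shows, for contrast, the "take whatever sits between the first two markers" pattern the mail describes.

```python
BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

# Constructed sample InRelease: CRLF line ends, a field with trailing spaces
# and the SHA256 field dash-escaped. The signature block is a placeholder.
INRELEASE = (
    BEGIN_SIGNED + "\r\nHash: SHA256\r\n\r\n"
    "Origin: Example\r\n"
    "Suite: stable   \r\n"
    "MD5Sum:\r\n"
    " d41d8cd98f00b204e9800998ecf8427e 0 main/binary-amd64/Packages\r\n"
    "- SHA256:\r\n"
    " e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
    " 0 main/binary-amd64/Packages\r\n"
    + BEGIN_SIG + "\r\n\r\nPLACEHOLDER-SIGNATURE\r\n" + END_SIG + "\r\n"
)
# The fake block from the bug report, prepended to the genuine message.
PREPENDED = (BEGIN_SIGNED + " NOT\nHash: SHA1\n\nOrigin: Evil\n"
             + BEGIN_SIG + " NOT\n" + INRELEASE)


def extract_signed_text(data: str) -> str:
    """Return exactly the cleartext the signature covers, or raise ValueError.
    Armor lines must match exactly (so "----- NOT" is not a marker), nothing may
    precede BEGIN or follow END, dash-escaping is reversed, trailing whitespace
    is stripped and CRLF is normalized to LF."""
    lines = data.replace("\r\n", "\n").split("\n")
    if lines[0] != BEGIN_SIGNED:
        raise ValueError("data does not start with a clearsign header")
    i = 1
    while i < len(lines) and lines[i] != "":  # armor headers, e.g. "Hash: SHA256"
        if ":" not in lines[i]:
            raise ValueError("malformed armor header: %r" % lines[i])
        i += 1
    if i == len(lines):
        raise ValueError("armor headers not terminated by a blank line")
    body = []
    for i in range(i + 1, len(lines)):
        line = lines[i].rstrip(" \t")
        if line == BEGIN_SIG:
            break
        if line.startswith("- "):
            line = line[2:]  # reverse dash-escaping
        elif line.startswith("-"):
            raise ValueError("unescaped dash line in signed text: %r" % line)
        body.append(line)
    else:
        raise ValueError("signature block missing")
    try:
        end = lines.index(END_SIG, i)
    except ValueError:
        raise ValueError("signature block not terminated") from None
    if any(rest.strip() for rest in lines[end + 1:]):
        raise ValueError("trailing data after the signature block")
    return "\n".join(body) + "\n"


def parse_release(text: str) -> dict:
    """Parse "Field: value" lines; indented continuation lines (the checksum
    lists) are appended to the preceding field."""
    fields, key = {}, None
    for line in text.split("\n"):
        if not line:
            continue
        if line[0] in " \t":
            if key is None:
                raise ValueError("continuation line before any field")
            fields[key] = (fields[key] + "\n" + line.strip()).lstrip("\n")
        else:
            key, _, value = line.partition(":")
            fields[key] = value.strip()
    return fields


def choose_checksums(fields: dict) -> list:
    """SHA256 entries as (digest, size, path) tuples; never fall back to MD5Sum."""
    if "SHA256" not in fields:
        raise ValueError("signed data offers no SHA256 checksums")
    return [tuple(entry.split()) for entry in fields["SHA256"].split("\n")]


def naive_fields(data: str) -> dict:
    """For contrast: the fragile pattern the mail describes. Takes whatever sits
    between the first BEGIN and the first SIGNATURE marker, with no un-escaping."""
    data = data.replace("\r\n", "\n")
    cleartext = data[data.find(BEGIN_SIGNED):data.find(BEGIN_SIG)]
    return parse_release(cleartext.split("\n\n", 1)[1])


def rejects(data: str) -> bool:
    try:
        extract_signed_text(data)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    strict = parse_release(extract_signed_text(INRELEASE))
    print("strict:", strict["Suite"], choose_checksums(strict)[0][2])
    print("strict rejects prepended block:", rejects(PREPENDED))
    print("naive sees:", naive_fields(PREPENDED)["Origin"],
          "/ naive finds SHA256:", "SHA256" in naive_fields(INRELEASE))
```

Run as is, the strict path yields the SHA256 entry for main/binary-amd64/Packages and refuses the prepended block; the naive path returns "Origin: Evil" from the fake block and, on the genuine file, sees no SHA256 field at all because the dash-escaped line reads "- SHA256:".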
