bug-gnu-emacs

bug#19479: Package manager vulnerable


From: Stefan Kangas
Subject: bug#19479: Package manager vulnerable
Date: Tue, 8 Sep 2020 01:10:53 -0700

Noam Postavsky <npostavs@gmail.com> writes:

> I think the idea is that if the attacker has the signing key and sends
> out a bad version of archive-contents, it will be revealed as soon as
> the victim gets a "good" version, since its previous-version hash won't
> match.

Yes, this is what I understood to be the case as well.

> Except that only works if the user can expect to get all versions of
> archive-contents, so maybe I've missed something.

Exactly my point.  So we can't rely on it to bail out if the hashes
don't match up, I think.
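
The gap discussed in this message, as an added example that is not part of the original email or of package.el. It assumes a hypothetical `prev-sha256:` header line in archive-contents and leaves signatures out, since the attacker in this scenario holds the signing key; all sample data is constructed.

```python
import hashlib

# Assumption: each archive-contents body starts with a "prev-sha256:" line
# naming the hash of the version before it. The field name is hypothetical.
# Signatures are omitted: the attacker in this thread holds the signing key,
# so every body below would verify.

def digest(body: bytes) -> str:
    return hashlib.sha256(body).hexdigest()

def make_version(packages: str, prev_body: bytes = b"") -> bytes:
    return f"prev-sha256: {digest(prev_body)}\n{packages}\n".encode()

def prev_field(body: bytes) -> str:
    first_line = body.split(b"\n", 1)[0].decode()
    return first_line.split(": ", 1)[1]

def check_update(last_seen: bytes, fetched: bytes) -> str:
    """What a client holding only its last-seen copy can conclude."""
    if fetched == last_seen:
        return "unchanged"
    if prev_field(fetched) == digest(last_seen):
        return "direct-successor"
    # Either the chain forked or we missed a version: same observation.
    return "mismatch"

# Constructed sample history.
v1 = make_version("(foo 1.0)")
v2 = make_version("(foo 1.1)", v1)
v3 = make_version("(foo 1.2)", v2)
evil2 = make_version("(foo 1.1-tampered)", v1)  # forged fork after v1

def scenarios() -> dict:
    return {
        "saw v1, fetched v2": check_update(v1, v2),
        "saw forged evil2, fetched good v3": check_update(evil2, v3),
        "saw v1, skipped v2, fetched v3": check_update(v1, v3),
    }

if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name}: {verdict}")
```

The last two scenarios return the same verdict, so a client that cannot fetch the intermediate versions cannot tell a forged fork from an update it simply missed.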




