On Tue, Jan 05, 2021 at 07:01:56PM +0000, Matthew Almond via devel wrote:
> Signature *verification* partially works. Everything to do with
> signatures on just the header works (and the header describes the
> payload digest). There is one specific area which needs to be fixed:
> regular RPMs are read, digested, and signature verified before
> decompression. We need to guard against malicious compressed payloads
> that either perform a DoS on space/time, or worse (but more difficult)
> could exploit a bug in a decompression library. I am actively working
> on this.

I just want to say, this is IMHO critical to even consider such a proposal.

Signature verification should come before parsing whatever is under that signature, otherwise you risk exposing to attacks various processing code that previously assumed it is fed with trusted data only. This applies to the decompression library, the actual transcoding code and possibly much more. Even if _currently_ there are no known vulnerabilities in a particular part, it doesn't mean they won't be discovered later.

Defence in depth is especially important for an update system; you don't want to be in a situation like "oh, we've found a bug in the update system, so you need to execute this very part that is vulnerable to get it fixed".

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
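The verify-then-parse ordering the message argues for, as an added example that is not code from this thread, from RPM or from any Fedora project. It models a package as a small JSON "header" naming the compressed payload's digest and uncompressed size, a MAC over the header, and a zlib payload. HMAC-SHA256 with a shared key is an assumption standing in for the OpenPGP signature RPM actually uses, the JSON header and the 1 MiB cap are assumptions, and the sample package and "bomb" payload are constructed inline. The header signature is checked before the header is parsed, the compressed bytes are checked against the signed digest before inflation, and inflation itself is capped so that a crafted stream that somehow reached the decompressor still cannot exhaust memory.

```python
import hashlib
import hmac
import json
import zlib

# Constructed stand-in for a package: a JSON header recording the digest and
# uncompressed size of the compressed payload, a MAC over the header bytes, and
# a zlib-compressed payload. HMAC-SHA256 with a shared key is an assumption
# standing in for an OpenPGP signature; RPM's real header format is not modelled.

MAX_UNCOMPRESSED = 1 << 20  # assumed policy cap on expanded payload bytes


class VerifyError(Exception):
    """Raised when any check fails; nothing past the failing step runs."""


def build_package(key: bytes, files_blob: bytes):
    """Produce (header, signature, payload) the way a trusted builder would."""
    payload = zlib.compress(files_blob, 9)
    header = json.dumps({
        "payload_sha256": hashlib.sha256(payload).hexdigest(),
        "payload_size": len(files_blob),
    }, sort_keys=True).encode()
    sig = hmac.new(key, header, hashlib.sha256).digest()
    return header, sig, payload


def make_bomb(size: int = 8 << 20) -> bytes:
    """Constructed hostile payload: ~8 MiB of zeros shrinks to a few KiB of zlib."""
    return zlib.compress(bytes(size), 9)


def verify_header(key: bytes, header: bytes, sig: bytes) -> dict:
    """Step 1: check the signature over the raw header bytes, then parse them."""
    expected = hmac.new(key, header, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise VerifyError("header signature mismatch")
    return json.loads(header)  # the parser only ever sees authenticated bytes


def verify_payload_digest(meta: dict, payload: bytes) -> None:
    """Step 2: the *compressed* bytes must match the digest in the signed header."""
    actual = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(actual, meta["payload_sha256"]):
        raise VerifyError("payload digest mismatch")


def bounded_decompress(payload: bytes, limit: int) -> bytes:
    """Step 3: inflate with a hard cap so a crafted stream cannot exhaust memory."""
    d = zlib.decompressobj()
    out = bytearray()
    data = payload
    while not d.eof:
        room = limit - len(out) + 1  # one byte past the cap is enough to detect overrun
        chunk = d.decompress(data, max_length=room)
        out += chunk
        if len(out) > limit:
            raise VerifyError("payload exceeds uncompressed size limit")
        data = d.unconsumed_tail
        if not chunk and not data:
            raise VerifyError("truncated compressed stream")
    return bytes(out)


def open_package(key: bytes, header: bytes, sig: bytes, payload: bytes,
                 limit: int = MAX_UNCOMPRESSED) -> bytes:
    """Verify first, parse second, decompress last."""
    meta = verify_header(key, header, sig)
    verify_payload_digest(meta, payload)
    # The size in the signed header is trusted, so it can tighten the cap further.
    files = bounded_decompress(payload, min(limit, meta["payload_size"]))
    if len(files) != meta["payload_size"]:
        raise VerifyError("uncompressed size does not match signed header")
    return files


def try_open(key: bytes, header: bytes, sig: bytes, payload: bytes):
    """Return the decompressed files, or the reason the package was rejected."""
    try:
        return open_package(key, header, sig, payload)
    except VerifyError as e:
        return f"rejected: {e}"


if __name__ == "__main__":
    key = b"constructed-demo-key"
    header, sig, payload = build_package(key, b"hello from a signed package")
    print(try_open(key, header, sig, payload))          # genuine package
    print(try_open(key, header + b" ", sig, payload))   # tampered header
    print(try_open(key, header, sig, make_bomb()))      # payload swapped for a bomb
    try:  # defence in depth: the cap holds even without the earlier checks
        bounded_decompress(make_bomb(), MAX_UNCOMPRESSED)
    except VerifyError as e:
        print("bomb reached decompressor ->", e)
```

The swapped-in bomb never reaches zlib: it fails the digest comparison, which only hashes the bytes already on disk. The separate cap in bounded_decompress is the defence-in-depth layer for the case the message describes, a decompressor bug or a stream that is legitimately signed but larger than policy allows.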
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx