vsftpd in the news

Misha Shnurapet shnurapet at fedoraproject.org
Wed Jul 6 08:04:24 UTC 2011


06.07.2011, 16:07, "Michael Schwendt" <mschwendt at gmail.com>:
> And for a sufficiently large tarball of a project with N>1 devs, has the
> signer been able to actually verify all source code changes prior to
> signing the tarball? Or is the signature only used to flag a package as
> coming from a trusted project developer without any additional guarantees?
> A tarball sig is just one layer of safety, but no ultimate protection.

>>>  The uploaded tarball checksum enters the "sources" file in git, and any
>>>  tarball downloaded from the lookaside cache MUST match that checksum.
>>>  Else it wouldn't be downloaded and used. Source RPM build in koji would
>>>  fail.
>>  This is just a checksum against the tarball that enters the lookaside
>>  cache. Yes, I know about this. A malicious package could have been
>>  uploaded to the lookaside cache, however. This leads to demanding
>>  everyone have signatures available, but what do you do about SVN/Git
>>  checkouts or projects that don't wish to provide signatures?
>
> Obviously, one needs to be very careful, skim over diffs, monitor commits
> regularly, archive snapshots regularly, be familiar with upstream release
> habits. Upstream also needs to do that, to avoid that a compromised account
> from a committer is used to infiltrate the project. If a source code repository
> is modified without permission and no developer (or release manager) notices it,
> would the person adding the tarball sig notice it?

The developer of vsftpd didn't notice the change, but still there was early prevention possible.

The issue is *one* of the ways source code can be exploited, and checking the gpg signatures for the projects that allow it is a measure against the particular kind of attack. Literally, it would close one vulnerability in the distro. Which is enough.

--
Best regards,
Misha Shnurapet, Fedora Project Contributor
Email: shnurapet AT fedoraproject.org, IRC: misha on freenode
https://fedoraproject.org/wiki/shnurapet, GPG: 00217306
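The two layers discussed in this thread, the recorded tarball checksum that a downloaded tarball MUST match and the upstream GPG signature Misha argues for, as an added example that is not part of this thread and is not Fedora's own tooling. The two "sources" layouts it parses (old `<hexdigest>  <filename>` and newer `<ALGO> (<filename>) = <hexdigest>`) are assumptions about that file's format, and the sample tarball and sources lines are constructed inline:

```python
"""Verify a downloaded source tarball against the digest recorded in a
Fedora-style "sources" file, then optionally against upstream's detached
GPG signature.  Added example for the thread above, not Fedora tooling.

Assumptions (not taken from the thread):
  * A sources file lists one tarball per line in either the old
    "<hexdigest>  <filename>" layout or the newer
    "<ALGO> (<filename>) = <hexdigest>" layout.
  * gpg is on PATH if signature verification is requested.
"""
import hashlib
import hmac
import re
import shutil
import subprocess

# "SHA512 (foo.tar.gz) = abc..."  (newer layout, assumption)
_NEW_STYLE = re.compile(
    r"^(?P<algo>[A-Za-z0-9]+)\s*\((?P<name>[^)]+)\)\s*=\s*(?P<hex>[0-9a-fA-F]+)$")
# "d41d8cd9...  foo.tar.gz"        (older md5sum-output layout, assumption)
_OLD_STYLE = re.compile(r"^(?P<hex>[0-9a-fA-F]{32,128})\s+\*?(?P<name>\S+)$")
_LEN_TO_ALGO = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def parse_sources(text):
    """Map filename -> (algorithm, lowercase hex digest) for each entry."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _NEW_STYLE.match(line)
        if m:
            entries[m.group("name")] = (m.group("algo").lower(), m.group("hex").lower())
            continue
        m = _OLD_STYLE.match(line)
        if m:
            hexdigest = m.group("hex").lower()
            algo = _LEN_TO_ALGO.get(len(hexdigest))
            if algo is None:
                raise ValueError("unrecognised digest length: " + line)
            entries[m.group("name")] = (algo, hexdigest)
            continue
        raise ValueError("unparseable sources line: " + line)
    return entries


def digest(data, algo):
    """Hex digest of data with the named hashlib algorithm."""
    return hashlib.new(algo, data).hexdigest()


def check_tarball(name, data, sources_text):
    """Return (ok, reason); ok is True only when the recorded digest matches.

    A tarball missing from the sources file is rejected: an unlisted file
    is exactly what the lookaside check is meant to keep out of a build.
    """
    entries = parse_sources(sources_text)
    if name not in entries:
        return False, name + " is not listed in the sources file"
    algo, expected = entries[name]
    actual = digest(data, algo)
    if not hmac.compare_digest(actual, expected):
        return False, "%s mismatch: recorded %s, got %s" % (algo, expected, actual)
    return True, algo + " matches the recorded digest"


def verify_detached_signature(tarball_path, sig_path, keyring=None):
    """Second layer: check upstream's detached signature with gpg.

    Returns True for a good signature, False otherwise, and None when gpg
    is not installed (the caller must then treat the tarball as unverified).
    """
    if shutil.which("gpg") is None:
        return None
    cmd = ["gpg", "--batch", "--status-fd", "1"]
    if keyring:  # pin to a keyring holding only the upstream signing key
        cmd += ["--no-default-keyring", "--keyring", keyring]
    cmd += ["--verify", sig_path, tarball_path]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    # gpg exits 0 and reports VALIDSIG on its status fd for a good signature
    return proc.returncode == 0 and "[GNUPG:] VALIDSIG" in proc.stdout


# Constructed sample data: a stand-in "tarball" and both sources layouts.
SAMPLE_NAME = "example-1.0.tar.gz"
SAMPLE_TARBALL = b"constructed stand-in for a release tarball\n"
SAMPLE_SOURCES_NEW = "SHA512 (%s) = %s\n" % (SAMPLE_NAME, digest(SAMPLE_TARBALL, "sha512"))
SAMPLE_SOURCES_OLD = "%s  %s\n" % (digest(SAMPLE_TARBALL, "md5"), SAMPLE_NAME)

if __name__ == "__main__":
    print(check_tarball(SAMPLE_NAME, SAMPLE_TARBALL, SAMPLE_SOURCES_NEW))
    # One appended byte, as a swapped tarball would produce: rejected.
    print(check_tarball(SAMPLE_NAME, SAMPLE_TARBALL + b"x", SAMPLE_SOURCES_NEW))
```

The checksum layer only proves the build uses the bytes that were uploaded; it says nothing about whether those bytes are what upstream released, which is why the signature check is kept as a separate step that reports "unverified" rather than "ok" when gpg is unavailable.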

