-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Fri, 21 Mar 2003, Ville Herva wrote:
> On Thu, Mar 20, 2003 at 06:14:53PM -0500, you [Hank Leininger] wrote:
> >
> > Right, but if the uncompressed file is what's signed, then you must
> > waste either CPU uncompressing twice (once to verify, once to untar) or
> > waste disk (to store the uncompressed file, then verify, then untar).
>
> bzip2 -d < foo.tar.bz2 | tee >(md5sum) | tar xf
> or
> bzip2 -d < foo.tar.bz2 | tee >(gpg --verify foo.tar.bz2.sig) | tar xf
Yup, but (besides the tar tpyo you corrected later) this still isn't
safe.
1) gpg --verify won't be able to complete until it's seen all the unpacked
tar file.
2) During that time tar -xf - will be unpacking and writing.
3) If the signature is bad, too late you've already unpacked it:
-At best you need to blow away what you just unpacked.
-Worse, it may have just (over)written real files in pwd other than
the ones you think it should have.
-Worst, if the tarfile is maliciously crafted to exploit tar (..'ing
archive, symlink-following archive, or bad data which overflows
tar), who-knows-what damage is already done. This might sound
far-fetched, except that it already happens.
...But it sounds like the whole discussion is dead anyway. It would be
at least slightly less off-topic on security-audit, perhaps we should
move it there (http://lsap.org/mail.html). Or to alt.tinfoil.hat.
Hank Leininger <hlein@progressive-comp.com>
E407 AEF4 761E D39C D401 D4F4 22F8 EF11 861A A6F1
-----BEGIN PGP SIGNATURE-----
iD8DBQE+er6+IvjvEYYapvERAqVKAJ9Z2sJ6pcib2+la0NqKYCeanuZwHwCdHEwt
9dSMcChXaa2G9sihxav6t0M=
=aCPQ
-----END PGP SIGNATURE-----
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Sun Mar 23 2003 - 22:00:34 EST