There should be a way to verify the payload before trying to uncompress, and 
more importantly, unpack it:
- We have digests on the contents of individual files, but detecting corruption 
in the middle of installation, after all sorts of scripts might have already run, 
is no good at all
- Compression libraries have vulnerabilities of their own
- The RPMv3 digest covering the payload is the obsolete MD5, and furthermore it 
covers the header and the payload, but we want a digest on the payload only. 
This way it can be included in the main header which in turn can be signed, so 
the digest is protected.

The main obstacle is that the payload comes after the header during build, so 
it's necessary to calculate a placeholder header and rewrite it with the actual 
digest value after writing down the payload, much like is done with the signature 
header currently. The digest algorithm should be configurable, but default to 
something relatively strong, SHA256 perhaps.

It has also been suggested that this should be implemented as multiple 
intermediate digest "snapshots" to avoid having to check everything at once and 
to allow early exit on corrupted content. It would no doubt be beneficial; the 
challenge is finding a reasonable tradeoff between header size and the snapshot 
frequency, considering the payload can be anything from a few kilobytes to tens 
of gigabytes.


Verification of the data is another story with its own set of problems, but 
let's not go there yet.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/163
_______________________________________________
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
http://lists.rpm.org/mailman/listinfo/rpm-maint
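The placeholder-then-rewrite build step and the snapshot-digest verification with early exit described in the issue, as an added Python example that is not part of the issue or of rpm itself. The container layout (magic, chunk size, snapshot count, digest table) is a constructed toy, not the RPM header format, and the signing of the header that would actually protect the digests is left out.

```python
import hashlib
import io
import struct
# Constructed toy container (NOT the RPM header format): a fixed header carrying
# a SHA256 over the whole payload plus one "snapshot" digest per chunk.
MAGIC = b"PDG1"
HDR_FMT = "<4sII"                      # magic, chunk size, snapshot count
HDR_SIZE = struct.calcsize(HDR_FMT)
DIGEST_LEN = hashlib.sha256().digest_size

def build_package(payload, chunk_size=4096):
    """Write a placeholder header, stream the payload, then rewrite the header."""
    n = (len(payload) + chunk_size - 1) // chunk_size
    out = io.BytesIO()
    # Step 1: placeholder header; digests are zeroed because nothing is hashed yet.
    out.write(struct.pack(HDR_FMT, MAGIC, chunk_size, n))
    out.write(b"\0" * DIGEST_LEN * (1 + n))
    # Step 2: write the payload while digesting it chunk by chunk.
    total, snaps = hashlib.sha256(), []
    for i in range(n):
        chunk = payload[i * chunk_size:(i + 1) * chunk_size]
        total.update(chunk)
        snaps.append(hashlib.sha256(chunk).digest())
        out.write(chunk)
    # Step 3: seek back and replace the placeholders with the real digests
    # (signing the header, which is what protects them, is out of scope here).
    out.seek(HDR_SIZE)
    out.write(total.digest() + b"".join(snaps))
    return out.getvalue()

def verify_payload(pkg):
    """Return (True, None), or (False, index of the first chunk that failed)."""
    magic, chunk_size, n = struct.unpack(HDR_FMT, pkg[:HDR_SIZE])
    if magic != MAGIC:
        return False, -1
    expected_total = pkg[HDR_SIZE:HDR_SIZE + DIGEST_LEN]
    pos = HDR_SIZE + DIGEST_LEN
    snaps = [pkg[pos + i * DIGEST_LEN:pos + (i + 1) * DIGEST_LEN] for i in range(n)]
    pos += n * DIGEST_LEN
    total = hashlib.sha256()
    for i in range(n):                  # early exit at the first corrupt chunk
        chunk = pkg[pos:pos + chunk_size]
        pos += chunk_size
        if hashlib.sha256(chunk).digest() != snaps[i]:
            return False, i
        total.update(chunk)
    if pos != len(pkg) or total.digest() != expected_total:
        return False, n                 # trailing data or whole-payload mismatch
    return True, None
```

Running the verifier before handing the payload to the decompressor is the whole point: a corrupt chunk is reported by index without touching the compression library or the rest of the archive.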