There should be a way to verify the payload before trying to uncompress, and
more importantly, unpack it:
- We have digests on the contents of individual files, but detecting corruption
in middle of installation, after all sorts of scripts might have already run,
is no good at all
- Compresssion libraries have vulnerabilities of their own
- The RPMv3 digest covering the payload is the obsolete MD5, and furthermore it
covers the header and the payload, but we want a digest on the payload only.
This way it can be included in the main header which in turn can be signed, so
the digest is protected.
The main obstacle is that the payload comes after the header during build, so
it's necessary to calculate a placeholder header and rewrite with the actual
digest value after writing down the payload, much like is done with signature
header currently. The digest algorithm should be configurable, but default to
something relatively strong, SHA256 perhaps.
It has also been suggested that this should be implemented as multiple
intermediate digest "snapshots" to avoid having to check everything at once and
to allow early exit on corrupted content. It would no doubt be beneficial, the
challenge is finding a rasonable tradeoff between header size and the snapshot
frequency, considering the payload can be anything from a few kilobytes to tens
of gigabytes.
Verification of the data is another story with its own set of problems, but
lets not go there yet.
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/163
_______________________________________________
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
http://lists.rpm.org/mailman/listinfo/rpm-maint
