[Gnu-arch-users] Possible get/signature verification vulnurability (race-condition)

[Karel Gardas]

Hello,

I'm using tla1.2 and during some recent work where I have got MICO's main
archive (now signed) from mico.org to my local host I have noticed this
behaviour:

0) command issued is: tla get address@hidden/mico--main--2.3

1) at the first, archive is traversed and all signatures are verified --
this results in many ``gpg: Signature made...\ngpg: Good signature
from...'' messages

2) after (1), tla found my base-0 revision, downloaded it and unpacked,
i.e. message ``* from import revision: address@hidden/mico--main--2.3--base-0''
is printed.

3) after (2) it normally continues with downloading and applying patches,
messages:
``* patching for revision: address@hidden/mico--main--2.3--patch-1
* patching for revision: address@hidden/mico--main--2.3--patch-2
* patching for revision: address@hidden/mico--main--2.3--patch-3
* patching for revision: address@hidden/mico--main--2.3--patch-4
* patching for revision: address@hidden/mico--main--2.3--patch-5
* patching for revision: address@hidden/mico--main--2.3--patch-6
.............''
are printed.

The problem is: when attacker modifies patch file in archive between the
time when patch file is verified and time it is actually downloaded, it
will succeed and I will end with "corrupted" source tree.
I would like to ask if my analysis of tla behaviour is correct, since I
have just guessed it from the output and from wathing network graph
monitor, but haven't looked into the sources for a proof of it.

Thanks,

Karel
--
Karel Gardas                  address@hidden
ObjectSecurity Ltd.           http://www.objectsecurity.com