Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#39944 - [bind] root.hint fails checksum, useless use of signature
Attached to Project:
Community Packages
Opened by Roman Neuhauser (roman-neuhauser) - Friday, 18 April 2014, 16:46 GMT
Last edited by Sébastien Luttringer (seblu) - Thursday, 15 May 2014, 22:35 GMT
Details

==> Making package: bind 9.9.5.W1-2 (Fri Apr 18 18:40:16 CEST 2014)
==> Checking runtime dependencies...
==> Checking buildtime dependencies...
==> Retrieving sources...
  -> Found bind-9.9.5-W1.tar.gz
  -> Found bind-9.9.5-W1.tar.gz.asc
  -> Found root.hint
  -> Found tmpfiles.d
  -> Found named.conf
  -> Found named.service
  -> Found named.logrotate
  -> Found localhost.zone
  -> Found 127.0.0.zone
==> Validating source files with sha1sums...
    bind-9.9.5-W1.tar.gz ... Passed
    bind-9.9.5-W1.tar.gz.asc ... Skipped
    root.hint ... FAILED
    tmpfiles.d ... Passed
    named.conf ... Passed
    named.service ... Passed
    named.logrotate ... Passed
    localhost.zone ... Passed
    127.0.0.zone ... Passed
==> ERROR: One or more files did not pass the validity check!

PKGFILE downloads both the tarball and the .asc file from the same *http* URL, the .asc file has 'SKIP' for checksum, and is used to verify authenticity of the tarball. That's completely useless: if an attacker gains enough access to ftp.isc.org to plant a tarball, surely they can plant a signature as well.
Closed by Sébastien Luttringer (seblu)
Thursday, 15 May 2014, 22:35 GMT
Reason for closing: Not a bug
Getting write access to ftp.isc.org will not allow the attacker to sign the dirty tarball with the ISC key.
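
The exchange above turns on which public key the signature is checked against. The following is an added example, not code from the report, the package, or makepkg: it uses toy textbook RSA as a stand-in for OpenPGP, and every key, file content and function name in it is constructed for illustration.

```python
import hashlib

E = 65537  # public exponent shared by both toy keys

def toy_keypair(p, q):
    """Textbook RSA from two known primes. Toy only: insecure, no padding."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return {"n": n, "d": d}

def digest(data, n):
    # SHA-256 of the file, reduced into the key's modulus
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, key):
    return pow(digest(data, key["n"]), key["d"], key["n"])

def verify(data, sig, pub_n):
    return pow(sig, E, pub_n) == digest(data, pub_n)

# Constructed keys built from Mersenne primes (assumption: stand-ins only).
UPSTREAM = toy_keypair(2**521 - 1, 2**607 - 1)   # plays the role of the ISC key
ATTACKER = toy_keypair(2**127 - 1, 2**1279 - 1)  # key of whoever controls the server

# Public key the verifier obtained out of band, before any download.
PINNED_N = UPSTREAM["n"]

def server_files(tarball, signer):
    """Everything one download location can hand out, all writable together."""
    return {"tarball": tarball,
            "asc": sign(tarball, signer),
            "pubkey": signer["n"]}

def verify_download(files, trusted_n):
    """True if the detached signature checks out against the key we trust."""
    return verify(files["tarball"], files["asc"], trusted_n)

# Constructed file contents.
honest = server_files(b"bind-9.9.5-W1 release contents", UPSTREAM)
planted = server_files(b"bind-9.9.5-W1 modified contents", ATTACKER)

if __name__ == "__main__":
    print("honest, pinned key:        ", verify_download(honest, PINNED_N))
    print("planted, pinned key:       ", verify_download(planted, PINNED_N))
    print("planted, key from server:  ", verify_download(planted, planted["pubkey"]))
```

The planted pair only verifies when the verifier also takes the public key from the same server; against the pinned key it is rejected even though the tarball and signature arrived from one location.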