Package: obnam Version: 1.6.1-1 Severity: important Tags: security Here's a feasible attack on obnam due to its use of md5.
1. Generate a a binary that is modified to contain a md5 colliding section. (Trivial.) 2. Find ways to upload files to lots of Debian systems that I want to attack later. This can be as simple as sending an email to a mailing list[1]. Or could as tricky as posting a comment to a blog that's full of binary spam. Use these methods to get the evil version of my binary onto the system's disk, it doesn't matter where on disk it's put. (Trivial.) 3. Some of those systems will be backed up with obnam. If the alignment gods are smiling (or if obnam uses rolling checksums?), the data I sent will start at the start of a block, so the colliding md5 will be used by obnam. (Requires luck, but it's easy to cast a wide net in step 2.) 4. Become Debian maintainer, ideally using a throwaway account or the old transnational republic ID card. Upload a Debian package containing the good version of my binary. (Trivial.) 6. Systems will back that up with obnam. Except, it has the same md5, so they'll reuse the data from the evil version that was previously backed up in step 3. 7. Wait for the backups to be restored, and game over. Due to this attack, I would much, much prefer obnam to use a hash that has good collision resistence. I suggest SHA-2 (possibly the 512 version as that's supposed to be faster on 64 bit), or possibly Skein. MD5 is the worst possible choice, and SHA-1 is not a wise choice. I would also recommend parametizing the hash used by obnam, so that if whatever hash you choose gets broken later, it can easily switch to its replacement. Workarounds: use --deduplicate=never (wastes disk space) or --deduplicate=verify (expensive over a network) or avoid restoring (at least) distribution provided files from obnam backups or use something like tripwire to layer better checksums on top, and verify that a restore restored the right versions of files before using it or separate different file sources (system, web, email etc) into separate obnam repositories -- see shy jo [1] Such as this one?! Eeek. Better check the headers for anything suspicious..
signature.asc
Description: Digital signature