#include <hallo.h>
* Paul Hampson [Sun, Jun 05 2005, 12:09:17PM]:
> Package: apt-cacher
> Version: 0.9.4
> Severity: normal
>
> My cron.daily outputs:
>
> /etc/cron.daily/apt-cacher: Someone is cheating, bad filename found:
> physics.muni.cz_~yeti_Ftp_enca_all_Packages.gz at
> /usr/share/apt-cacher/apt-cacher-cleanup.pl line 86.
>
> every night, due to the following site in my sources.list:
>
> deb http://192.168.0.1/apt-cacher/physics.muni.cz/~yeti/Ftp enca/all/
> deb http://192.168.0.1/apt-cacher/physics.muni.cz/~yeti/Ftp enca/$(ARCH)/
>
> This means the rest of apt-cacher-cleanup doesn't run, since the error
> is a 'die'.
You can delete that line. Previous versions did not have any security/obscurity checks either.

> I'd suggest adding '~' to the list of allowable filenames, and making

I must admit, checking the validity of Packages/Sources by filename was not the smartest idea I have ever had. To be honest, it is pure crap; there are a couple of ways for an attacker to work around that. Unfortunately, there is AFAICS no good method to ensure that no user poisons the cache with bad .gz/.bz2 files (on the one hand) and not becoming too paranoid on the other hand (checking .gz files by checksums and signatures, the whole chain) without creating limitations for users.

Regards,
Eduard.

-- 
Lord Refa: Why should I do as you say?
Ambassador Londo Mollari: Because I have asked you; because your sense of duty to our people should override any personal ambition; and because I have poisoned your drink.
-- Quotes from Babylon 5 --
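The cleanup check discussed in this thread, as an added example that is not apt-cacher's own code: it accepts '~' in flattened cache names and reports odd entries instead of aborting the whole run with die(). The URL-to-filename mapping and the allowed character set are assumptions for illustration; as Eduard notes, a filename check alone does not verify cache content.

```python
import re

# Constructed approximation of how apt-cacher flattens a repository URL such as
# http://physics.muni.cz/~yeti/Ftp/enca/all/Packages.gz into one cache filename
# by replacing '/' with '_'. The exact scheme is assumed, not taken from the tool.

# Characters allowed in a flattened cache name (assumed allow-list); '~' is
# included because user-directory URLs (http://host/~user/...) are common.
_SAFE_NAME = re.compile(r"[A-Za-z0-9._~+%-]+")


def url_to_cache_name(url: str) -> str:
    """Flatten a repository URL into a single cache filename (assumed scheme)."""
    path = re.sub(r"^[a-z]+://", "", url)  # strip http://, ftp://, ...
    return path.replace("/", "_")


def cache_name_ok(name: str) -> bool:
    """True if the entry name is safe to treat as a cache file.

    Rejects anything that could escape the cache directory or smuggle a
    second path component: separators, '.' / '..', hidden files, a leading
    dash (option-like), and any character outside the allow-list. fullmatch
    is used so a trailing newline or control character cannot slip past.
    """
    if not name or name.startswith((".", "-")):
        return False
    if "/" in name or "\\" in name:
        return False
    return _SAFE_NAME.fullmatch(name) is not None


def triage_cache(names):
    """Split cache entries into (accepted, rejected) instead of dying.

    One odd filename must not stop the cleanup of every other entry; the
    caller logs the rejected list and continues with the accepted ones.
    """
    accepted, rejected = [], []
    for n in names:
        (accepted if cache_name_ok(n) else rejected).append(n)
    return accepted, rejected
```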