[CentOS-devel] why provide debuginfo

Pär Andersson paran at nsc.liu.se
Fri Apr 10 19:29:01 UTC 2009


Charlie Brady wrote:
> It's not obvious to me what the attack vector would be with unsigned 
> debuginfo packages...

1. Get people to download packages from you instead of the real 
debuginfo.centos.org by a MITM attack, DNS poisoning or whatever.

2. Send modified malicious packages instead of the real ones. Debuginfo 
packages are (AFAIK) ordinary RPM packages so they can contain evil 
binaries, install a rootkit in their post-install script or something 
like that.

/Pär


More information about the CentOS-devel mailing list