Boost :

From: Richard Peters (r.a.peters_at_[hidden])
Date: 2004-12-21 07:05:18


----- Original Message -----
From: "Jonathan Wakely" <cow_at_[hidden]>
> On Tue, Dec 21, 2004 at 12:20:35AM -0600, Rene Rivera wrote:
>
> > Daryle Walker wrote:
> > >But standard archive formats are not executable in and of themselves.
> >
> > As I mentioned elsewhere, that is irrelevant.
>
> I suspect it's a lot easier to replace a self-extracting exe with a
> malicious exe than it is to create a zip file that exploits a flaw in
> an unzip application, which relies on the flaw being present and easily
> exploitable.

But it is not much harder to replace the code for, e.g., the constructor of
shared_ptr to include code that starts a virus, collects personal
information or anything like that.

> > >Whether or not the files _within_ the archive have been perverted is a
> > >separate matter from what I originally talked about.
> >
> > But the executable part of a self-extractor is "within" the archive. It
> > is attacked the same way you would the rest of the archive content.
>
> The difference from perverted sources within the archive is that users
> _can_ inspect the source if they want to. They can't inspect what an exe
> will do before they run it. Whether the malicious code is within or
> without the archive is irrelevant, whether the malicious code is already
> compiled and executable is what matters, surely?

Any user that inspects all boost source code before compiling and running it
still has the option to download a .zip archive. But how many users check
the source code anyway? If you trust the source code, you could just as well
trust the executable. If you can replace the executable with malicious
software, you can also replace the archive with an almost identical boost
library, with some hidden malicious code inside it.

If the boost community is worried about archives getting replaced with
archives containing malicious code, it is probably more effective to check
every night that the files available for download did not change.

Publishing hashes does not add security. If you're able to change the
archive, you are also able to change the published hash value. You could of
course publish the hash value at several different servers, and require that
users check all hashes, but who would take that much pain?

You are not going to be able to defend against an attacker that has write
access to the archives. Only daily or even hourly checking that the
available archives are still correct can minimize the threat of corrupted
archives.

best regards,

Richard Peters


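The two checks the message above sketches, a nightly comparison of the download directory against a recorded baseline and a comparison of hashes published on several servers, as an added example (this is not code from the Boost project or from anyone in the thread). It assumes a download directory on local disk, a baseline manifest stored somewhere the attacker who can write to the archives cannot reach, and hash lists fetched from independently operated mirrors; the file names, file contents and digests are constructed for the demo.

```python
"""Added example, not Boost project code: nightly baseline comparison of a
download directory plus a cross-mirror comparison of published hashes.
All file names, contents and digests below are constructed for the demo."""
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large archives need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def compare_manifests(baseline, current):
    """Report what changed since the baseline was recorded.  The baseline must
    be kept where the attacker who can write the archives cannot write
    (offline copy or a separate host), otherwise both get replaced at once."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "removed": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def cross_check_mirrors(published):
    """published maps mirror name -> {path: digest} as fetched from each
    independently operated server (assumption).  A path is accepted only when
    every mirror lists the same digest; a missing entry or any disagreement
    is flagged instead of trusted."""
    paths = set().union(*(m.keys() for m in published.values()))
    agreed, disputed = {}, {}
    for path in sorted(paths):
        digests = {name: m.get(path) for name, m in published.items()}
        values = set(digests.values())
        if len(values) == 1 and None not in values:
            agreed[path] = values.pop()
        else:
            disputed[path] = digests
    return agreed, disputed


def demo_nightly_check():
    """Constructed scenario: record a baseline, then simulate an attacker with
    write access who tampers with the self-extractor, removes the zip and
    drops a new archive.  Returns the change report."""
    with tempfile.TemporaryDirectory() as root:
        files = {  # constructed stand-ins for the real archives
            "boost_1_32_0.zip": b"PK\x03\x04 constructed zip payload",
            "boost_1_32_0.exe": b"MZ constructed self-extractor",
        }
        for name, data in files.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        baseline = build_manifest(root)
        baseline_json = json.dumps(baseline, sort_keys=True)  # store this off-box
        with open(os.path.join(root, "boost_1_32_0.exe"), "ab") as f:
            f.write(b"\x90\x90 injected code")  # tampered executable
        os.remove(os.path.join(root, "boost_1_32_0.zip"))
        with open(os.path.join(root, "boost_1_32_0.tar.bz2"), "wb") as f:
            f.write(b"BZh constructed new archive")
        return compare_manifests(json.loads(baseline_json), build_manifest(root))


def demo_mirror_check():
    """Constructed digests: two mirrors agree on everything, a third (the one
    the attacker controls) publishes a different digest for the exe."""
    good_zip, good_exe = "a" * 64, "b" * 64
    published = {
        "mirror-a": {"boost_1_32_0.zip": good_zip, "boost_1_32_0.exe": good_exe},
        "mirror-b": {"boost_1_32_0.zip": good_zip, "boost_1_32_0.exe": good_exe},
        "mirror-c": {"boost_1_32_0.zip": good_zip, "boost_1_32_0.exe": "c" * 64},
    }
    return cross_check_mirrors(published)


if __name__ == "__main__":
    print(json.dumps(demo_nightly_check(), indent=2))
    agreed, disputed = demo_mirror_check()
    print("agreed:", sorted(agreed), "disputed:", sorted(disputed))
```

The baseline comparison only helps if the manifest is written from a machine the attacker cannot reach and the job runs from there too; a manifest sitting next to the archives is replaced along with them, which is the same objection the message raises against hashes published on the same server.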
Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk