Vulnerabilities Related to GPG-signing

Abstract

This page documents CVS vulnerabilities with respect to GPG-signing. It is intended to be a living document, expanded and updated as new vulnerabilities become known and as old vulnerabilities are covered.

The vulnerabilities that this page discusses are those related to GPG-signing commits: vulnerabilities that GPG-signing addresses, and new vulnerabilities introduced by GPG-signing.

See GPG-Signed Commits for details on GPG signing.

Vulnerabilities

There are three types of vulnerabilities: direct modification of the RCS ,v files in the repository, compromising the CVS server software, and compromising the CVS client software {{ref|otherattacks}}.

Hacking the Repository

Compromised Server

Compromised Client

A compromised server

References

GPG-Signed Commits

Footnotes

  1. {{note|otherattacks}} There is at least one other type of attack, a man-in-the-middle attack. From the client's perspective, a man-in-the-middle attack is effectively the same as a . Defenses against MITM attacks are well-known, therefore this document will not discuss them.