
Bug#762889: apt-get should ignore cached data in case of invalid signature or hash mismatch



Control: tags -1 - security

On Fri, Sep 26, 2014 at 1:59 AM, Evgeny Kapun <abacabadabacaba@gmail.com> wrote:
> Package: apt
> Version: 0.9.7.9+deb7u1
> Tags: security
>
> When running `apt-get update`, I noticed that it couldn't update some of the lists because of invalid signatures (BADSIG). This happens most frequently when `Release` files don't correspond to `Release.gpg`. I thought that it might be some caching issue, so I removed all files from `/var/lib/apt/lists/partial`, and the problem disappeared.
>
> I think that this should happen automatically. Some wrong data might get cached for various reasons, and it's wrong if manual intervention is required to make apt-get work again. I think that in case of verification errors, such as bad signature, hash mismatch, expired Release file, etc., apt-get should download all files that may cause the error without using cached data. For example, in case of hash mismatch for a list file it should download both that file and the Release file with its hash, as the error can be caused by any of them. If the Release file is re-downloaded, Release.gpg should be re-downloaded too, and the signature should be re-checked.
>
> Bottom line: wrong data in the (unverified) cache should not prevent apt-get from working.
>
> Marking this as a security issue because an attacker can poison cache just once to prevent unattended-upgrade from working.

We verify the data before moving it to the final directory. If it is
there, it is either valid, or we have no key for it, or it is unsigned
(the latter two will disappear / be disabled at some point I think).

We had some issues where that validation succeeded where it should not
(for example, on proxies returning a 200 OK HTML page for every
request, because the parser would not have any signatures to check
then). They should be fixed now in newer releases I think.

If you have a concrete issue, it would be great if you let us know,
but this bug is too generic. And re-verification is too expensive to
do anyway.

-- 
Julian Andres Klode  - Debian Developer, Ubuntu Member

See http://wiki.debian.org/JulianAndresKlode and http://jak-linux.org/.
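As an added illustration of the flow discussed in this thread (this is not apt's own code): a toy Python model of staging downloads in partial/, moving only verified data into the final lists directory, and discarding an unverified leftover instead of reusing it, as the report proposes. The file names, the mirror callback and the sample Packages content are constructed for the demo.

```python
import hashlib
import os
import shutil
import tempfile
def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()
class ListsCache:  # toy model of /var/lib/apt/lists and its partial/ staging dir
    def __init__(self, root: str):
        self.final = root
        self.partial = os.path.join(root, "partial")
        os.makedirs(self.partial, exist_ok=True)
    def update(self, fetch, release: dict) -> dict:
        """fetch(name) -> bytes from the mirror; release: name -> expected sha256."""
        result = {}
        for name, expected in release.items():
            staged = os.path.join(self.partial, name)
            data = None
            if os.path.exists(staged):  # leftover partial download from earlier run
                with open(staged, "rb") as f:
                    data = f.read()
                if sha256_hex(data) != expected:
                    os.remove(staged)  # stale or poisoned: never reuse it
                    data = None
            if data is None:
                data = fetch(name)  # fresh download instead of cached data
                with open(staged, "wb") as f:
                    f.write(data)
            if sha256_hex(data) != expected:
                os.remove(staged)
                # Index or Release may be at fault: drop cached Release/Release.gpg too
                for cached in ("Release", "Release.gpg"):
                    path = os.path.join(self.final, cached)
                    if os.path.exists(path):
                        os.remove(path)
                result[name] = "mismatch"
                continue
            shutil.move(staged, os.path.join(self.final, name))  # verified data only
            result[name] = "ok"
        return result
def demo() -> tuple:
    """Constructed scenario: poisoned leftover in partial/, then an honest mirror."""
    root = tempfile.mkdtemp()
    cache = ListsCache(root)
    good = b"Package: hello\nVersion: 2.10\n"
    with open(os.path.join(cache.partial, "main_Packages"), "wb") as f:
        f.write(b"<html>proxy login page</html>")  # bad cached data
    result = cache.update(lambda n: good, {"main_Packages": sha256_hex(good)})
    with open(os.path.join(root, "main_Packages"), "rb") as f:
        ok = f.read() == good
    return result, ok, os.listdir(cache.partial)
```

Running demo() shows the poisoned partial file being dropped and the freshly fetched, verified index landing in the final directory without any manual cleanup.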
