Bug#763399: Hardening dpkg/apt

To: submit@bugs.debian.org
Subject: Bug#763399: Hardening dpkg/apt
From: bancfc@openmailbox.org
Date: Mon, 29 Sep 2014 21:24:35 +0000
Message-id: <[🔎] 75468a8114e97b35384973c4e93db13e@openmailbox.org>
Reply-to: bancfc@openmailbox.org, 763399@bugs.debian.org

Package: apt
Version: all

Sometimes apt/dpkg can contain vulnerable, remotely exploitable bugswhich s a big risk when used over the untrusted internet. As it happens,anyone could have been in a position to run man-in-the-middle attackswith the latest security hole [CVE-2014-6273] in apt-get. What makesthis bug cripling is that updating apt to fix it would have exposed itto what the fix was supposed to rpevent, so manually downloading thepackage out of band was the safest option this time.

In order to drastically limit an attackers options I recommend creatinga seccomp-bpf filter for apt and dpkg to limit what they can do should aweak function be remotely exploited. Other options include enabling anyand all compile-time binary hardening such as PIE, RELRO, CANARY etc.



Seccomp Resources:

https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt(Kernel documentation for the feature)

http://outflux.net/teach-seccomp/ ( A guide on writing a simple filterand using error checking. Note that seccomp supports whitelists whichcan make it easier, you simply allow only the bear minimum of safesyscalls needed to make curl function).

Reply to:

Follow-Ups:
- Bug#763399: Hardening dpkg/apt
  - From: Julian Andres Klode <jak@debian.org>

Prev by Date: Bug#763379: [INTL:tr] Turkish translation update for apt
Next by Date: Bug#763412: libjpeg-dev reinstalls over itself
Previous by thread: Bug#763379: [INTL:tr] Turkish translation update for apt
Next by thread: Bug#763399: Hardening dpkg/apt
Index(es):
- Date
- Thread