
Bug#763399: Hardening dpkg/apt



On Mon, Sep 29, 2014 at 11:24 PM,  <bancfc@openmailbox.org> wrote:
> Package: apt
> Version: all
>
>
> Sometimes apt/dpkg can contain vulnerable, remotely exploitable bugs which is
> a big risk when used over the untrusted internet. As it happens, anyone
> could have been in a position to run man-in-the-middle attacks with the
> latest security hole [CVE-2014-6273] in apt-get. What makes this bug
> crippling is that updating apt to fix it would have exposed it to what the
> fix was supposed to prevent, so manually downloading the package out of band
> was the safest option this time.
>
> In order to drastically limit an attacker's options I recommend creating a
> seccomp-bpf filter for apt and dpkg to limit what they can do should a weak
> function be remotely exploited. Other options include enabling any and all
> compile-time binary hardening such as PIE, RELRO, CANARY etc.
>
>
> Seccomp Resources:
>
> https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt (Kernel
> documentation for the feature)
>
> http://outflux.net/teach-seccomp/ ( A guide on writing a simple filter and
> using error checking. Note that seccomp supports whitelists which can make
> it easier, you simply allow only the bare minimum of safe syscalls needed to
> make curl function).
>

We are already aware of it. A first step has been made, methods now
run as an unprivileged user. Most further steps will not happen for
Jessie, as they require a significant rework of the Acquire code.
Seccomp is on our list.

Please note that it is not really possible to sandbox dpkg. It needs
to run arbitrary programs as root. The same goes for the non-fetching
parts of APT.

-- 
Julian Andres Klode  - Debian Developer, Ubuntu Member

See http://wiki.debian.org/JulianAndresKlode and http://jak-linux.org/.
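As an added, constructed illustration of the seccomp-bpf allowlist the report recommends for the fetching side of APT (this is not apt's or dpkg's own code): it assumes a hypothetical fetch-only helper that needs nothing beyond socket read/write and exit, and it is Linux x86-64/aarch64 specific.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif
/* Allow syscall nr; any other number falls through to the next rule. */
#define ALLOW(nr) BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), \
                  BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)
/* Constructed allowlist for a hypothetical fetch-only helper (not apt's code): listed
 * calls run, anything else fails with EPERM, so a hijacked helper cannot fork or exec. */
int install_fetch_filter(void) {
    struct sock_filter filter[] = {
        /* Kill if the ABI is not the one these syscall numbers belong to. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        ALLOW(__NR_read), ALLOW(__NR_write), ALLOW(__NR_close), ALLOW(__NR_sendto),
        ALLOW(__NR_recvfrom), ALLOW(__NR_exit), ALLOW(__NR_exit_group),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
    };
    struct sock_fprog prog = { (unsigned short)(sizeof filter / sizeof filter[0]), filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1; /* needed when unprivileged */
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}
/* Verify in a forked child: getpid (unlisted) must fail with EPERM, while close(-1)
 * (listed) reaches the kernel and gets its normal EBADF. Returns 1 on expected behaviour. */
int filter_blocks_unlisted_syscall(void) {
    pid_t pid = fork();
    if (pid < 0) return 0;
    if (pid == 0) {
        if (install_fetch_filter() != 0) _exit(2);
        int blocked = (syscall(__NR_getpid) == -1 && errno == EPERM);
        _exit((blocked && close(-1) == -1 && errno == EBADF) ? 0 : 1);
    }
    int status;
    return waitpid(pid, &status, 0) == pid && WIFEXITED(status) && WEXITSTATUS(status) == 0;
}
```

The filter is installed in a child so the parent stays unrestricted; a real helper would install it in its own process right after opening its socket and before touching untrusted data.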

