
Re: holes in secure apt



On Thu, 2014-06-12 at 10:30 +0200, Thorsten Glaser wrote: 
> On Thu, 12 Jun 2014, Christoph Anton Mitterer wrote:
> > Anyone who believed in getting trusted sources might have been attacked
> > with forged packages, and even the plain build of such package might
> > have undermined users' security integrity.
> Then I believe Debian itself may be undermined.
Well I've expressed that concern before ;-)


> A buildd (sbuild) or cowbuilder is set up using the normal debootstrap
> process with --variant=buildd using the Debian archive keyring of the
> host system to validate. (This works.) Then, /etc/apt/sources.list is
> written, and APT defaults to secure. The debian-archive-keyring package
> is Essential
I don't think that debian-archive-keyring is Essential... at least not
here ;-) but apt depends on it... so usually it should be in place...


> The buildd-related software (and most people when doing manual builds
> with cowbuilder) uses “apt-get source foo” to download the file, fully
> assuming that apt-get ensures validation, so no “dscverify” is run on
> the sources downloaded by apt. (If someone uses dget, either dget is
> new enough to call dscverify, or they had better be doing that by hand.)
Which is why we're possibly screwed already... even if the builds don't
run as root... it seems like a rather easy way to get into the build
hosts... and/or have forged source packages built and distributed.

Just that NSA hasn't twittered yet that they didn't doesn't mean this is
the case...
So... @security-team: is there anything that is going to be done with
respect to Debian's infrastructure? Or do we simply assume that no one
tried that attack vector before?


> This means that, if there was ever a chance that 'apt-get source foo'
> would not check the integrity of the files it downloaded against
> Sources.gz + Release{,.gpg} we’re in pretty deep shit. (Well, there
> was, before SecureAPT was enacted, but that’s outside of the scope
> of this.)
sure... 

Cheers,
Chris.
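
The integrity chain discussed in this message (downloaded source files checked against Sources, which is checked against a signed Release), as an added example that is not part of the original thread and is not APT's or dscverify's own code. The function names and all sample data are constructed for illustration; it assumes Release has already passed signature verification (for example with gpgv) and that Sources has been decompressed.

```python
import hashlib

def sha256_field(paragraph: str, field: str) -> dict:
    """Parse a multi-line deb822 checksum field into {name: (sha256, size)}."""
    entries, inside = {}, False
    for line in paragraph.splitlines():
        if line.startswith(field + ":"):
            inside = True
        elif inside and line[:1] in (" ", "\t"):
            digest, size, name = line.split()
            entries[name] = (digest, int(size))
        else:
            inside = False
    return entries

def matches(data: bytes, expected) -> bool:
    """True only if both the SHA256 digest and the size equal the listed entry."""
    return expected == (hashlib.sha256(data).hexdigest(), len(data))

def verify_source(release, index_path, sources, package, files) -> list:
    """Return the names that fail the chain Release -> Sources -> source files.
    Assumption: `release` has already passed signature verification (gpgv)."""
    if not matches(sources, sha256_field(release, "SHA256").get(index_path)):
        return [index_path]      # the index is not the one Release vouches for
    for para in sources.decode().split("\n\n"):
        if f"Package: {package}" in para.splitlines():
            listed = sha256_field(para, "Checksums-Sha256")
            names = set(listed) | set(files)
            return sorted(n for n in names
                          if n not in files or not matches(files[n], listed.get(n)))
    return sorted(files)         # package absent from the index: nothing is vouched for

# Constructed sample data, not taken from a real archive.
def _entry(data: bytes, name: str) -> str:
    return f" {hashlib.sha256(data).hexdigest()} {len(data)} {name}\n"

DSC = b"Format: 3.0 (quilt)\nSource: foo\nVersion: 1.0-1\n"
TARBALL = b"constructed tarball bytes"
SOURCES = ("Package: foo\nVersion: 1.0-1\nChecksums-Sha256:\n"
           + _entry(DSC, "foo_1.0-1.dsc")
           + _entry(TARBALL, "foo_1.0.orig.tar.gz")).encode()
RELEASE = "Suite: unstable\nSHA256:\n" + _entry(SOURCES, "main/source/Sources")

if __name__ == "__main__":
    good = {"foo_1.0-1.dsc": DSC, "foo_1.0.orig.tar.gz": TARBALL}
    print(verify_source(RELEASE, "main/source/Sources", SOURCES, "foo", good))
    bad = dict(good, **{"foo_1.0.orig.tar.gz": TARBALL + b"!"})
    print(verify_source(RELEASE, "main/source/Sources", SOURCES, "foo", bad))
```

An empty list means every file is covered by the signed Release; any returned name is a file (or the index itself) that nothing in the chain vouches for.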
