
Re: Debian package manager privilege escalation attack



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On Wed, 2021-08-11 at 23:30 -0400, Timothy M Butterworth wrote:
> All,
> 
> I just ran across this article
> https://blog.ikuamike.io/posts/2021/package_managers_privesc/ I tested
> the attacks on Debian 11 and they work successfully giving me a root
> shell prompt.
> 
> Tim

Thank you for bringing this to everyone's attention. These are very real
vulnerabilities. NPM has similar issues with stopping malicious packages
from being published to the FTP server. They have made some improvements
after they were aware of the issue, but I haven't heard any new
developments at NPM about how to stop malicious packages from making it
to the server.  Malicious packages can and do make it into the
dependency sets of popular packages. This is a problem. I don't think
that any amount of human effort and attention can prevent malicious
packages from making it to the FTP server. I think that AI would be
better-equipped to handle the critical checks necessary for FTP upload
security to be top-of-the-line. The AI couldn't just be left unchecked,
though, and humans are still needed to monitor, tweak, and make sure the
AI is working and behaving in a responsible manner. As far as behaving
responsibly is concerned, the main issue I foresee is having the AI flag
false positives, and making sure the AI doesn't evolve into something
insidious. I'm not sure if that last point can exist within limited AI,
because I am not an AI expert.

Perhaps a workaround for users right now would be to have a user with
package management sudo access, and not much else. sudo access for
package managers would have to be disallowed at the root and [other]
user levels. I am not sure that this would even work for all use
cases, and having a manual ad-hoc hotfix is far from ideal. What does
the Debian community think about this?

Also, we should notify our upstream projects, and the Linux community as
a whole, of these vulnerabilities. I believe that to be a moral
obligation.
-- 
Best regards,

Brian T.
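
An added example, not code from this thread, from Brian, or from Debian, to make the proposed workaround concrete: a small sh script that reads sudoers-format text and lists every rule handing apt, apt-get, aptitude or dpkg to a user, classifying how tightly each rule pins the arguments. The point it shows is that "sudo access for package managers" is not one thing in sudoers: a rule naming a bare command path permits any arguments, which is the shape the reported attacks need, while a rule with an explicit argument list does not. The sudoers sample, the user names in it, and the list of binaries treated as package managers are all constructed for the example.

```shell
#!/bin/sh
# Added example for this thread, not code from the list or from Debian.
# Audits sudoers-format text for rules that hand a package manager to a
# user, and reports how tightly each rule pins the arguments. The
# distinction matters because a rule naming a bare command path lets the
# caller pass any arguments, and the thread reports that unrestricted sudo
# over apt on Debian 11 yields a root shell.
#
# Deliberate limitations: Cmnd_Alias/User_Alias names are not resolved,
# '\'-continued lines and per-command (runas) groups are not handled.

PKG_MGRS='apt|apt-get|aptitude|dpkg'   # assumed set of package-manager binaries

# Constructed sample sudoers text; none of these users or hosts are real.
SAMPLE_SUDOERS='# constructed sample, not a real host
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
alice   ALL=(root) NOPASSWD: /usr/bin/apt-get
pkgops  ALL=(root) /usr/bin/apt-get update, /usr/bin/apt-get upgrade -y
deploy  ALL=(root) /usr/bin/apt-get install *
dpkgbot ALL=(root) /usr/bin/dpkg -i /srv/pkgs/*.deb
auditr  ALL=(root) /usr/bin/apt-get ""'

# list_pkg_rules: sudoers text on stdin -> one line per matching command:
#   <user> <host> <runas> <command and arguments>
# A command of ALL is reported too, since it implies every package manager.
list_pkg_rules() {
  awk -v re='(^|/)('"$PKG_MGRS"')( |$)' '
    /^[ \t]*#/ || /^[ \t]*$/ { next }                        # comments, blanks
    /^[ \t]*(Defaults|User_Alias|Host_Alias|Cmnd_Alias|Runas_Alias)/ { next }
    {
      user = $1
      line = $0
      sub(/^[ \t]*[^ \t]+[ \t]+/, "", line)                  # drop the user field
      eq = index(line, "=")                 # first "=" separates host from spec
      if (eq == 0) next
      host = substr(line, 1, eq - 1); gsub(/[ \t]+$/, "", host)
      spec = substr(line, eq + 1)
      runas = "root"                        # sudo default when no (runas) is given
      if (match(spec, /^[ \t]*\([^)]*\)/)) {
        runas = substr(spec, RSTART, RLENGTH)
        gsub(/[ \t()]/, "", runas)
        spec = substr(spec, RSTART + RLENGTH)
      }
      n = split(spec, cmds, ",")            # comma-separated command list
      for (i = 1; i <= n; i++) {
        c = cmds[i]
        gsub(/^[ \t]+|[ \t]+$/, "", c)
        gsub(/^([A-Z_]+:[ \t]*)+/, "", c)   # strip NOPASSWD:, SETENV: and similar tags
        if (c == "ALL" || c ~ re) print user, host, runas, c
      }
    }'
}

# audit_sudoers: sudoers text on stdin -> "<class> <user> <command>" where
#   UNRESTRICTED  command is ALL, or a bare path (sudo then permits any arguments)
#   WILDCARD      arguments contain "*" (sudo wildcards also match whitespace)
#   NOARGS        command ends in "" (sudo permits no arguments at all)
#   PINNED        explicit argument list, the shape the thread proposes
audit_sudoers() {
  list_pkg_rules | awk '{
    cmd = $4
    for (i = 5; i <= NF; i++) cmd = cmd " " $i
    if (cmd == "ALL" || NF == 4)   cls = "UNRESTRICTED"
    else if (cmd ~ /""$/)          cls = "NOARGS"
    else if (index(cmd, "*") > 0)  cls = "WILDCARD"
    else                           cls = "PINNED"
    print cls, $1, cmd
  }'
}

# Stand-alone run over the constructed sample. Against a real host you would
# feed it the output of "visudo -c" style exports or the files themselves.
printf '%s\n' "$SAMPLE_SUDOERS" | audit_sudoers
```

In the sample, pkgops is the only account whose rules have the shape the workaround paragraph describes; alice's rule looks narrow but is classified UNRESTRICTED because a bare path lets sudo accept any arguments, and the two wildcard rules are flagged because a "*" in sudoers arguments matches whitespace and therefore more than the author usually intends.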

