Re: Bug#592115: apt seems to somehow use ~/.gnupg dir when checking package integrity which might be used for security attacks
reassign 592115 dpkg
On Sa, 2010-08-07 at 18:17 +0200, Christoph Anton Mitterer wrote:
> Package: apt
> Version: 0.7.20.2+lenny2
> Severity: grave
> Tags: security
> Justification: user security hole
> I found out some strange issue, which IMO might be used for security attacks on secure-apt:
> I've only tested it with "apt-get source", but maybe other actions or aptitude are also affected
> (I guess all that uses the same code).
> But even if it's just "source", then the severity is suggested IMO, as any user expects also the source
> package to be "secure" and valid.
> 1) Running e.g. apt-get source packagename as any user (including root), seems to create ~/.gnupg
> if it does not yet exist.
> Why? Shouldn't it only use the keyrings in /etc/apt/ ? And not only the keyrings, but also all other
> stuff, like gpg.conf.
> A normal user could have set less secure options in gpg.conf or similar things, which are not
> desired for checking package integrity.
> This _might_ be fixed in the current sid version (0.7.25.3) at least the ~/.gnupg seems to be not
> created there.
> 2) When apt checks the package integrity, and if gpg fails for some reason, it merely gives a warning,
> but seems to not fail:
> $ apt-get source base-files
> Reading package lists... Done
> Building dependency tree
> Reading state information... Done
> Need to get 65,6kB of source archives.
> Get:1 http://ftp.de.debian.org lenny/main base-files 5lenny6 (dsc) [978B]
> Get:2 http://ftp.de.debian.org lenny/main base-files 5lenny6 (tar) [64,6kB]
> Fetched 65,6kB in 0s (585kB/s)
> gpg: new configuration file `/home/foo/.gnupg/gpg.conf' created
> gpg: WARNING: options in `/home/foo/.gnupg/gpg.conf' are not yet active during this run
> gpg: Signature made 2010-06-18 17:13:42 CEST using RSA key ID 9F1B8B32
> gpg: Can't check signature: public key not found
> dpkg-source: extracting base-files in base-files-5lenny6
> dpkg-source: info: unpacking base-files_5lenny6.tar.gz
> $ echo $?
As everyone should know, dpkg unpacks the source packages and verifies
them using gpg. APT knows that the package is secure, because the source
> It seems as if it simply uses ~/.gnupg.
> I guess this is really critical, especially that the exit status is 0.
> "Nobody" will notice this, especially in scripted environments.
> Therefore the high severity.
> Also this _might_ be fixed in the current sid version.
> 3) Code should be added to make absolutely sure, that whenever gnupg fails for whatever reason
> (even segfaults etc.) package verification fails.
> If only /etc/apt is used for secure apt, there should be no big problems, as only "good" keys should be
> ever added there.
> But for normal ~/.gnupg dirs, any key could go there, of course even unsigned ones.
> Such unsigned ones can be easily "bad" keys, for example keys that are so large (bit size), that
> gpg simply fails.
> Also applies to current sid version, I guess.
> ** Please type your report below this line ***
> -- Package-specific info:
> -- apt-config dump --
> APT "";
> APT::Architecture "amd64";
> APT::Build-Essential "";
> APT::Build-Essential:: "build-essential";
> APT::Install-Recommends "1";
> APT::Install-Suggests "0";
> APT::Acquire "";
> APT::Acquire::Translation "environment";
> APT::NeverAutoRemove "";
> APT::NeverAutoRemove:: "^linux-image.*";
> APT::NeverAutoRemove:: "^linux-restricted-modules.*";
> Dir "/";
> Dir::State "var/lib/apt/";
> Dir::State::lists "lists/";
> Dir::State::cdroms "cdroms.list";
> Dir::State::userstatus "status.user";
> Dir::State::status "/var/lib/dpkg/status";
> Dir::Cache "var/cache/apt/";
> Dir::Cache::archives "archives/";
> Dir::Cache::srcpkgcache "srcpkgcache.bin";
> Dir::Cache::pkgcache "pkgcache.bin";
> Dir::Etc "etc/apt/";
> Dir::Etc::sourcelist "sources.list";
> Dir::Etc::sourceparts "sources.list.d";
> Dir::Etc::vendorlist "vendors.list";
> Dir::Etc::vendorparts "vendors.list.d";
> Dir::Etc::main "apt.conf";
> Dir::Etc::parts "apt.conf.d";
> Dir::Etc::preferences "preferences";
> Dir::Bin "";
> Dir::Bin::methods "/usr/lib/apt/methods";
> Dir::Bin::dpkg "/usr/bin/dpkg";
> Dir::Log "var/log/apt";
> Dir::Log::Terminal "term.log";
> DPkg "";
> DPkg::Pre-Install-Pkgs "";
> DPkg::Pre-Install-Pkgs:: "/usr/sbin/apt-listbugs apt || exit 10";
> DPkg::Pre-Install-Pkgs:: "/usr/bin/apt-listchanges --apt || test $? -ne 10";
> DPkg::Pre-Install-Pkgs:: "/usr/sbin/dpkg-preconfigure --apt || true";
> DPkg::Tools "";
> DPkg::Tools::Options "";
> DPkg::Tools::Options::/usr/sbin/apt-listbugs "";
> DPkg::Tools::Options::/usr/sbin/apt-listbugs::Version "2";
> DPkg::Tools::Options::/usr/bin/apt-listchanges "";
> DPkg::Tools::Options::/usr/bin/apt-listchanges::Version "2";
> DPkg::Post-Invoke "";
> DPkg::Post-Invoke:: "if [ -x /usr/bin/debsums ]; then /usr/bin/debsums --generate=nocheck -sp /var/cache/apt/archives; fi";
> DPkg::Post-Invoke:: "if [ -x /usr/bin/rkhunter ] && ( ! grep -q -E '^DISABLE_TESTS=.*(hashes.*attributes|attributes.*hashes|properties)' /etc/rkhunter.
> -- (no /etc/apt/preferences present) --
> -- (/etc/apt/sources.list present, but not submitted) --
> -- System Information:
> Debian Release: 5.0.5
> APT prefers stable
> APT policy: (500, 'stable')
> Architecture: amd64 (x86_64)
> Kernel: Linux 2.6.26-2-amd64 (SMP w/1 CPU core)
> Locale: LANG=en_DE.UTF-8, LC_CTYPE=en_DE.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Versions of packages apt depends on:
> ii debian-archive-keyring 2009.01.31 GnuPG archive keys of the Debian a
> ii libc6 2.7-18lenny4 GNU C Library: Shared libraries
> ii libgcc1 1:4.3.2-1.1 GCC support library
> ii libstdc++6 4.3.2-1.1 The GNU Standard C++ Library v3
> apt recommends no packages.
> Versions of packages apt suggests:
> pn apt-doc <none> (no description available)
> ii aptitude 0.4.11.11-1~lenny1 terminal-based package manager
> ii bzip2 1.0.5-1 high-quality block-sorting file co
> ii dpkg-dev 1.14.29 Debian package development tools
> ii lzma 4.43-14 Compression method of 7z format in
> ii python-apt 0.7.7.1+nmu1 Python interface to libapt-pkg
> -- no debconf information
Julian Andres Klode - Debian Developer, Ubuntu Member
See http://wiki.debian.org/JulianAndresKlode and http://jak-linux.org/.