Re: HTTPS enabled Debian Security repository

[Hans-Christoph Steiner <hans@at.or.at>]

Ansgar Burchardt:
> Henrique de Moraes Holschuh writes:
>> On Fri, 27 Oct 2017, Hans-Christoph Steiner wrote:
>>> This idea that GPG signatures on the index files is enough has been
>>> totally disproven.  There was a bug in apt where Debian devices could be
>>> exploited by feeding them crafted InRelease files:
>>>
>>> https://www.debian.org/security/2016/dsa-3733
>>
>> This was the *one* bug of this sort in the entire lifetime of apt thus
>> far, AFAIK.
> 
> No, there was also
>    https://security-tracker.debian.org/tracker/CVE-2013-1051
> which I found.  That one was fairly easy to exploit (concatenate
> manipulated Release with wrong "-----BEGIN PGP SIGNATURE" markers and
> correctly signed InRelease; gpg would verify the signature at the end,
> but apt would use the unsigned, manipulated Release from the beginning)
> 
> Similar bugs were present in several other places in Debian's
> infrastructure as well.
> 
> The one from 2016 is harder to exploit: I asked on #-apt back then and
> the sample exploit had a 1/4 success change with a 1.3 GB InRelease file
> on a memory starved i386 system).

That hit rate is enough to build malware around...


>>> If HTTPS was used, that would mean exploiting that would require
>>
>> One of the dozens of zero-days already found in the TLS stack we had to
>> run like crazy to patch ?
> 
> That is still valid of course, though I'm not sure if GnuPG or TLS
> libraries get wider testing...
> 
> Ansgar
> 

Don't get me wrong, I agree that HTTPS is very overcomplicated and
terrible in a lot of ways.  But the days of plain HTTP/TCP are over.
All connections need to be moving towards encryption.  Even with HTTPS'
faults, we are better off using it than plain HTTP.

.hc