
Bug#329814: apt-cache doesn't differentiate sources that share protocol, host, release and archive name



Package: apt
Version: 0.5.28.6
Severity: serious
Tags: security
Justification: User can think he's installing Debian software when he's not

When multiple sources are used with APT that are hosted on the same host
with the same protocol, and also share combinations of release and
archive (e.g. etch/main), apt-cache policy shows their packages in an
identical form. That has led me to think that mplayer and transcode had
been accepted in Debian and install a non-official package of ffmpeg,
because I had Christian Marillat's source in my sources.list.

Thus, any source on a server of an official Debian source that contains
packages without security fixes or with additional security holes, whose
version is higher than Debian official packages, will lead the user to an
unprotected situation, even if he is cautious of what packages he
installs, in terms of security.

pierre@bateleur:~$ apt-cache policy mplayer-k6
mplayer-k6:
  Installé : (aucun)
  Candidat : 1:1.0-pre7-0.0
 Table de version :
     1:1.0-pre7cvs20050716-0.1 0
        500 ftp://ftp.nerim.net sid/main Packages
     1:1.0-pre7-0.0 0
        500 ftp://ftp.nerim.net sarge/main Packages
        990 ftp://ftp.nerim.net etch/main Packages
        100 /var/lib/dpkg/status

pierre@bateleur:~$ apt-cache policy ffmpeg
ffmpeg:
  Installé : 0.cvs20050918-4
  Candidat : 3:20050806-0.2
 Table de version :
     3:20050806-0.2 0
        500 ftp://ftp.nerim.net sid/main Packages
     3:20050427-0sarge0.1 0
        500 ftp://ftp.nerim.net sarge/main Packages
 *** 0.cvs20050918-4 0
        500 ftp://ftp.nerim.net sid/main Packages
        100 /var/lib/dpkg/status
     0.cvs20050313-2 0
        500 ftp://ftp.nerim.net sarge/main Packages
        990 ftp://ftp.nerim.net etch/main Packages

-- Package-specific info:

-- apt-config dump --

APT "";
APT::Architecture "i386";
APT::Build-Essential "";
APT::Build-Essential:: "build-essential";
APT::Default-Release "testing";
Dir "/";
Dir::State "var/lib/apt/";
Dir::State::lists "lists/";
Dir::State::cdroms "cdroms.list";
Dir::State::userstatus "status.user";
Dir::State::status "/var/lib/dpkg/status";
Dir::Cache "var/cache/apt/";
Dir::Cache::archives "archives/";
Dir::Cache::srcpkgcache "srcpkgcache.bin";
Dir::Cache::pkgcache "pkgcache.bin";
Dir::Etc "etc/apt/";
Dir::Etc::sourcelist "sources.list";
Dir::Etc::vendorlist "vendors.list";
Dir::Etc::vendorparts "vendors.list.d";
Dir::Etc::main "apt.conf";
Dir::Etc::parts "apt.conf.d";
Dir::Etc::preferences "preferences";
Dir::Bin "";
Dir::Bin::methods "/usr/lib/apt/methods";
Dir::Bin::dpkg "/usr/bin/dpkg";
DPkg "";
DPkg::Pre-Install-Pkgs "";
DPkg::Pre-Install-Pkgs:: "if dpkg -s apt-listbugs | grep -q '^Status: .* ok installed'; then /usr/sbin/apt-listbugs apt || ( test $? -ne 10 || exit 10; echo 'Warning: apt-listbugs exited abnormally, hit enter key to continue.' 1>&2 ; read a < /dev/tty ); fi";
DPkg::Pre-Install-Pkgs:: "/usr/sbin/dpkg-preconfigure --apt || true";
DPkg::Pre-Invoke "";
DPkg::Pre-Invoke:: "mount -o remount,rw /usr";
DPkg::Post-Invoke "";
DPkg::Post-Invoke:: "mount -o remount,ro /usr";
DPkg::Post-Invoke:: "if [ -x /usr/bin/debsums ]; then /usr/bin/debsums --generate=nocheck -sp /var/cache/apt/archives; fi";
DPkg::Post-Invoke:: "/usr/sbin/update-dpsyco || true";
DPkg::Post-Invoke:: "test -f /var/run/zope.restart && invoke-rc.d zope restart ; rm -f /var/run/zope.restart";

-- (no /etc/apt/preferences present) --


-- /etc/apt/sources.list --

deb file:/var/cache/apt-build/repository apt-build main

deb ftp://ftp.nerim.net/debian/ sarge main contrib
deb-src ftp://ftp.nerim.net/debian/ sarge main contrib

deb ftp://ftp.nerim.net/debian/ etch main contrib
deb-src ftp://ftp.nerim.net/debian/ etch main contrib

deb ftp://ftp.nerim.net/debian/ sid main contrib
deb-src ftp://ftp.nerim.net/debian/ sid main contrib

#deb ftp://ftp.nerim.net/debian/ ../project/experimental main
#deb-src ftp://ftp.nerim.net/debian/ ../project/experimental main

deb http://security.debian.org/ stable/updates main
deb http://security.debian.org/ testing/updates main

deb ftp://ftp.nerim.net/debian-marillat/ sarge main
deb ftp://ftp.nerim.net/debian-marillat/ etch main
deb ftp://ftp.nerim.net/debian-marillat/ sid main

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.8-2-k7
Locale: LANG=fr_FR@euro, LC_CTYPE=fr_FR@euro (charmap=ISO-8859-15)

Versions of packages apt depends on:
ii  libc6                         2.3.5-6    GNU C Library: Shared libraries an
ii  libgcc1                       1:4.0.1-2  GCC support library
ii  libstdc++5                    1:3.3.6-7  The GNU Standard C++ Library v3

apt recommends no packages.

-- no debconf information

-- 
nowhere.man@levallois.eu.org
OpenPGP 0xD9D50D8A
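As an added example (not part of the bug report or of apt itself): a small checker that parses a sources.list, rebuilds the `scheme://host suite/component` label that `apt-cache policy` prints in the output above, and lists every label behind which more than one repository path hides. The label format is an assumption reconstructed from the output shown in this report; the embedded sources.list is the report's own, trimmed to the relevant lines.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: the sources.list from the bug report, trimmed to the
# lines that matter (the ftp.nerim.net Debian mirror and the Marillat repository).
SAMPLE_SOURCES = """\
deb file:/var/cache/apt-build/repository apt-build main
deb ftp://ftp.nerim.net/debian/ sarge main contrib
deb-src ftp://ftp.nerim.net/debian/ sarge main contrib
deb ftp://ftp.nerim.net/debian/ etch main contrib
deb ftp://ftp.nerim.net/debian/ sid main contrib
#deb ftp://ftp.nerim.net/debian/ ../project/experimental main
deb http://security.debian.org/ stable/updates main
deb ftp://ftp.nerim.net/debian-marillat/ sarge main
deb ftp://ftp.nerim.net/debian-marillat/ etch main
deb ftp://ftp.nerim.net/debian-marillat/ sid main
"""

def parse_sources(text):
    """Yield (type, uri, suite, component) for every active deb/deb-src line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("deb", "deb-src"):
            continue
        typ, uri, suite = fields[0], fields[1], fields[2]
        for comp in fields[3:]:
            yield typ, uri, suite, comp

def policy_label(uri, suite, comp):
    """Rebuild the 'scheme://host suite/component' form apt-cache policy prints.
    The URI path is what gets dropped; that is the ambiguity the report describes."""
    parts = urlsplit(uri)
    return f"{parts.scheme}://{parts.netloc} {suite}/{comp}"

def find_ambiguous(text):
    """Map each collapsed label to the distinct repository paths behind it and
    return only the labels that hide more than one path."""
    by_label = defaultdict(set)
    for typ, uri, suite, comp in parse_sources(text):
        if typ != "deb":            # only binary package sources show up in policy
            continue
        by_label[policy_label(uri, suite, comp)].add(urlsplit(uri).path)
    return {label: sorted(paths) for label, paths in by_label.items() if len(paths) > 1}

if __name__ == "__main__":
    for label, paths in sorted(find_ambiguous(SAMPLE_SOURCES).items()):
        print(f"{label!r} is shown for {len(paths)} repositories: {', '.join(paths)}")
```

On the report's sources.list this flags the sarge/main, etch/main and sid/main labels, each covering both /debian/ and /debian-marillat/, while contrib (official mirror only) is not flagged.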
