Package: apt
Version: 0.5.28.6
Severity: serious
Tags: security
Justification: User can think he's installing Debian software when he's not

When multiple sources are used with APT that are hosted on the same host with the same protocol, and also share combinations of release and archive (e.g. etch/main), apt-cache policy shows their packages in an identical form.

That has led me to think that mplayer and transcode had been accepted in Debian and to install a non-official package of ffmpeg, because I had Christian Marillat's source in my sources.list.

Thus, any source on a server of an official Debian source that contains packages without security fixes or with additional security holes, whose version is higher than Debian official packages, will lead the user to an unprotected situation, even if he is cautious of what packages he installs, in terms of security.

pierre@bateleur:~$ apt-cache policy mplayer-k6
mplayer-k6:
  Installé : (aucun)
  Candidat : 1:1.0-pre7-0.0
 Table de version :
     1:1.0-pre7cvs20050716-0.1 0
        500 ftp://ftp.nerim.net sid/main Packages
     1:1.0-pre7-0.0 0
        500 ftp://ftp.nerim.net sarge/main Packages
        990 ftp://ftp.nerim.net etch/main Packages
        100 /var/lib/dpkg/status
pierre@bateleur:~$ apt-cache policy ffmpeg
ffmpeg:
  Installé : 0.cvs20050918-4
  Candidat : 3:20050806-0.2
 Table de version :
     3:20050806-0.2 0
        500 ftp://ftp.nerim.net sid/main Packages
     3:20050427-0sarge0.1 0
        500 ftp://ftp.nerim.net sarge/main Packages
 *** 0.cvs20050918-4 0
        500 ftp://ftp.nerim.net sid/main Packages
        100 /var/lib/dpkg/status
     0.cvs20050313-2 0
        500 ftp://ftp.nerim.net sarge/main Packages
        990 ftp://ftp.nerim.net etch/main Packages

-- Package-specific info:
-- apt-config dump --

APT "";
APT::Architecture "i386";
APT::Build-Essential "";
APT::Build-Essential:: "build-essential";
APT::Default-Release "testing";
Dir "/";
Dir::State "var/lib/apt/";
Dir::State::lists "lists/";
Dir::State::cdroms "cdroms.list";
Dir::State::userstatus "status.user";
Dir::State::status "/var/lib/dpkg/status";
Dir::Cache "var/cache/apt/";
Dir::Cache::archives "archives/";
Dir::Cache::srcpkgcache "srcpkgcache.bin";
Dir::Cache::pkgcache "pkgcache.bin";
Dir::Etc "etc/apt/";
Dir::Etc::sourcelist "sources.list";
Dir::Etc::vendorlist "vendors.list";
Dir::Etc::vendorparts "vendors.list.d";
Dir::Etc::main "apt.conf";
Dir::Etc::parts "apt.conf.d";
Dir::Etc::preferences "preferences";
Dir::Bin "";
Dir::Bin::methods "/usr/lib/apt/methods";
Dir::Bin::dpkg "/usr/bin/dpkg";
DPkg "";
DPkg::Pre-Install-Pkgs "";
DPkg::Pre-Install-Pkgs:: "if dpkg -s apt-listbugs | grep -q '^Status: .* ok installed'; then /usr/sbin/apt-listbugs apt || ( test $? -ne 10 || exit 10; echo 'Warning: apt-listbugs exited abnormally, hit enter key to continue.' 1>&2 ; read a < /dev/tty ); fi";
DPkg::Pre-Install-Pkgs:: "/usr/sbin/dpkg-preconfigure --apt || true";
DPkg::Pre-Invoke "";
DPkg::Pre-Invoke:: "mount -o remount,rw /usr";
DPkg::Post-Invoke "";
DPkg::Post-Invoke:: "mount -o remount,ro /usr";
DPkg::Post-Invoke:: "if [ -x /usr/bin/debsums ]; then /usr/bin/debsums --generate=nocheck -sp /var/cache/apt/archives; fi";
DPkg::Post-Invoke:: "/usr/sbin/update-dpsyco || true";
DPkg::Post-Invoke:: "test -f /var/run/zope.restart && invoke-rc.d zope restart ; rm -f /var/run/zope.restart";

-- (no /etc/apt/preferences present) --

-- /etc/apt/sources.list --

deb file:/var/cache/apt-build/repository apt-build main
deb ftp://ftp.nerim.net/debian/ sarge main contrib
deb-src ftp://ftp.nerim.net/debian/ sarge main contrib
deb ftp://ftp.nerim.net/debian/ etch main contrib
deb-src ftp://ftp.nerim.net/debian/ etch main contrib
deb ftp://ftp.nerim.net/debian/ sid main contrib
deb-src ftp://ftp.nerim.net/debian/ sid main contrib
#deb ftp://ftp.nerim.net/debian/ ../project/experimental main
#deb-src ftp://ftp.nerim.net/debian/ ../project/experimental main
deb http://security.debian.org/ stable/updates main
deb http://security.debian.org/ testing/updates main
deb ftp://ftp.nerim.net/debian-marillat/ sarge main
deb ftp://ftp.nerim.net/debian-marillat/ etch main
deb ftp://ftp.nerim.net/debian-marillat/ sid main

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.8-2-k7
Locale: LANG=fr_FR@euro, LC_CTYPE=fr_FR@euro (charmap=ISO-8859-15)

Versions of packages apt depends on:
ii  libc6       2.3.5-6    GNU C Library: Shared libraries an
ii  libgcc1     1:4.0.1-2  GCC support library
ii  libstdc++5  1:3.3.6-7  The GNU Standard C++ Library v3

apt recommends no packages.

-- no debconf information

-- 
nowhere.man@levallois.eu.org
OpenPGP 0xD9D50D8A
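One way to check a sources.list for the ambiguity described in this report, as an added example that is not part of the report or of apt itself: the script groups the active "deb" lines by the label apt-cache policy prints (scheme://host suite/component) and reports every label that is backed by more than one archive path on that host. The embedded sources.list is the one quoted above; the function names are the example's own.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# sources.list as quoted in the bug report; only active binary "deb" lines
# matter to apt-cache policy, so deb-src and commented-out lines are skipped
SOURCES_LIST = """\
deb file:/var/cache/apt-build/repository apt-build main
deb ftp://ftp.nerim.net/debian/ sarge main contrib
deb-src ftp://ftp.nerim.net/debian/ sarge main contrib
deb ftp://ftp.nerim.net/debian/ etch main contrib
deb ftp://ftp.nerim.net/debian/ sid main contrib
#deb ftp://ftp.nerim.net/debian/ ../project/experimental main
deb http://security.debian.org/ stable/updates main
deb http://security.debian.org/ testing/updates main
deb ftp://ftp.nerim.net/debian-marillat/ sarge main
deb ftp://ftp.nerim.net/debian-marillat/ etch main
deb ftp://ftp.nerim.net/debian-marillat/ sid main
"""


def parse_deb_lines(text):
    """Yield (uri, suite, component) for every active binary 'deb' line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        parts = line.split()
        if len(parts) < 4 or parts[0] != "deb":
            continue
        uri, suite, components = parts[1], parts[2], parts[3:]
        for comp in components:
            yield uri, suite, comp


def ambiguous_sources(text):
    """Map each label apt-cache policy shows ("scheme://host suite/component")
    to the distinct archive paths behind it; return only labels with more
    than one path, i.e. sources a user cannot tell apart in the policy output."""
    by_label = defaultdict(set)
    for uri, suite, comp in parse_deb_lines(text):
        u = urlsplit(uri)
        label = f"{u.scheme}://{u.netloc} {suite}/{comp}"
        by_label[label].add(u.path)
    return {label: sorted(paths) for label, paths in by_label.items()
            if len(paths) > 1}


if __name__ == "__main__":
    for label, paths in sorted(ambiguous_sources(SOURCES_LIST).items()):
        print(f"{label} is served by {len(paths)} archives: {', '.join(paths)}")
```

On the report's sources.list this flags sarge/main, etch/main and sid/main on ftp.nerim.net as each being served by both /debian/ and /debian-marillat/, which is exactly what made the two ffmpeg packages indistinguishable in the output above.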