Bug#558784: Isn't this a security problem?

To: Torsten Landschoff <t.landschoff@gmx.net>, 558784 <558784@bugs.debian.org>
Subject: Bug#558784: Isn't this a security problem?
From: David Kalnischkies <kalnischkies+debian@gmail.com>
Date: Mon, 14 Jun 2010 13:25:25 +0200
Message-id: <[🔎] AANLkTil7YEVGgzwpCyhG7VAXuTJV3ctmMVNyk0odi2zi@mail.gmail.com>
Reply-to: David Kalnischkies <kalnischkies+debian@gmail.com>, 558784@bugs.debian.org
In-reply-to: <[🔎] 20100611220330.GA6663@merzeus.obrandt.org>
References: <[🔎] 20100611220330.GA6663@merzeus.obrandt.org>

2010/6/12 Torsten Landschoff <t.landschoff@gmx.net>:
> I would consider this to be a critical issue as it could become a security
> problem.
>
> Let's assume an archive key is compromised. As an admin reading this on
> some information channel (irc, twitter, lwn.net, whatever) I would just
> remove the key as shown by Tollef.
>
> Only by reading this bug report I do know now that this plainly would not
> work. Instead apt-key will reenable this key given any chance.

Not at any chance and for any key:
It will do so only for the debian-archive-keyring AND
only on update for the package apt and/or debian-archive-keyring.
(with complete gpg import output in the log btw)
If the debian-archive-keyring is ever compromised the attacker has
the possibility to provide different apt/debian-archive-keyring packages
anyway so you better not upgrade as long as the archive doesn't
have a new key (which you have validated and installed manually) --
and in this event the debian-archive-keyring package will be one
of the first packages updated in the archive (removing the old,
installing the new key - just to be sure and for all the users which
haven't done it manually…).

Other keyring packages normally add themselves to the database
on an install/upgrade of these packages automatically - if you don't
want that what is the point of installing these keyring packages?


> So, does this bug still apply?

Still applies as the fragments file infrastructure is not used so far.
As said earlier i intend to promote that a bit after squeeze release
to have a smoother transition (keyrings are normally without a problem
backportable between different releases - breaking that feels a bit ugly.)

The difference is not big through. Instead of calling apt-key or doing some
manual gpg calling a package drops a file into /etc/apt/trusted.gpg.d/
The file is still binary so manual editing is not a good idea (TM)
but at least someone who really wants to remove keys from a keyring file
will get the benefits of dpkgs conffile handling - in terms of that he will
notice that you have changed something, not so much that you can easily
see what was changed…

But, and that is what should help in this regard a bit is, that most keyrings
are actually just one key, so the action can be broken down to a removed
config file instead… This just need support by the maintainer of the keyring,
so the debian-archive-keyring could e.g. be split into debian-lenny.gpg,
debian-squeeze.gpg, debian-next-big-thing.gpg and so on.

You might ask "why binary?" now, but APT internally uses gpgv for the
validation which only understands binaries and not the ascii-amored stuff.
(gpg is only used to import keyrings into the trusted keyring by the
keyrings - if we switch to fragment files the gpg is no longer needed…)


Best regards,

David Kalnischkies

Reply to:

Follow-Ups:
- Bug#558784: Isn't this a security problem?
  - From: Goswin von Brederlow <goswin-v-b@web.de>

References:
- Bug#558784: Isn't this a security problem?
  - From: Torsten Landschoff <t.landschoff@gmx.net>

Prev by Date: Bug#504006: marked as done (64k limits of descriptions, translations, versions etc.)
Next by Date: Bug#517202: Debian bug #517202 should be merged with #519469
Previous by thread: Bug#558784: Isn't this a security problem?
Next by thread: Bug#558784: Isn't this a security problem?
Index(es):
- Date
- Thread