
Bug#665920: apt: failed secure APT checks don't give errors and non-zero exit statuses in all cases



Package: apt
Version: 0.8.15.10
Severity: important


Hi.

I did some non-systematic tests on secure APT (with partially shocking results).

The following is at least true for the download action of apt (and I guess
therefore of aptitude, too), and perhaps for other actions (and/or option combinations)
in which verifications should happen, too.

It does not give an error, and the exit code is 0, when the verification of the downloaded
file fails.


The check seems however to actually take place, because if I modify the hashsums
in e.g. ftp.de.debian.org_debian_dists_unstable_main_binary-amd64_Packages for
the base-files binary package and I do:
$ apt-get download base-files
Get:1 Downloading base-files 6.7 [69,4 kB]
Fetched 69,4 kB in 0s (134 kB/s)

All I get is:
l
total 78k
drwxr-xr-x 2 calestyo calestyo 4,1k Mar 27 03:00 .
drwx------ 6 calestyo calestyo 4,1k Mar 27 02:41 ..
-rw-r--r-- 1 calestyo calestyo  70k Mar  4 01:17 base-files_6.7_amd64.deb.FAILED


Generally I think that all kinds of verification errors should be treated as (most
severe) errors (not just warnings) and that the exit status should be non-zero.
Best would be to have a special exit code that denotes that potential security issues
occurred.


In the above case, renaming the file to .FAILED may seem enough, but one can never
know how the user uses the system, and perhaps relies on failed exit statuses.
Or imagine a (though stupid) script that downloads the .deb to a temp dir and
takes the only file of that dir (regardless of the .FAILED) and e.g. installs it.
I mean this would be badly written code, but we really should try to protect even
such cases, especially when this is easily possible.


Cheers,
Chris.



btw: Perhaps someone can explain this:
I traced the process and get the following:
stat("/var/lib/apt/lists/ftp.de.debian.org_debian_dists_unstable_Release.gpg", 0x7fff750b4670) = -1 ENOENT (No such file or directory)
stat("/var/lib/apt/lists/_srv_local-package-archive_dists_unstable_Release.gpg", {st_mode=S_IFREG|0644, st_size=836, ...}) = 0

So while there is a Release.gpg for my local archive, there is none for Debian's.
Why and is this a security problem?
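As an added example (not part of Chris's report and not apt's own code): a POSIX shell wrapper that treats the `.FAILED` marker described above as a hard error, so a script that wraps `apt-get download` never picks up an unverified file even though apt itself exits 0. The function names `check_download_dir` and `download_verified` are made up for this illustration; the only behaviour assumed from apt is the one the report shows, namely that a rejected download is renamed to `<name>.deb.FAILED` in the working directory.

```shell
#!/bin/sh
# Added example: do not trust apt-get's exit status for "download"; inspect the
# directory it wrote into and refuse anything carrying apt's .FAILED marker.

# check_download_dir DIR PKG
#   returns 2 if apt left a "<PKG>_*.FAILED" marker (verification failed),
#   returns 1 unless exactly one "<PKG>_*.deb" is present,
#   returns 0 otherwise (one verified .deb, no failure marker).
check_download_dir() {
    dir=$1
    pkg=$2
    # Any .FAILED marker means apt rejected the file (hash/signature mismatch).
    for f in "$dir"/"$pkg"_*.FAILED; do
        [ -e "$f" ] && { echo "verification failed: $f" >&2; return 2; }
    done
    # Never "take the only file in the dir": require exactly one .deb by name.
    n=0
    for f in "$dir"/"$pkg"_*.deb; do
        [ -e "$f" ] && n=$((n + 1))
    done
    [ "$n" -eq 1 ] || { echo "expected one .deb for $pkg, found $n" >&2; return 1; }
    return 0
}

# download_verified PKG
#   downloads PKG into a fresh temp dir and prints that dir on success;
#   on any failure the temp dir is removed and a non-zero status is returned.
download_verified() {
    pkg=$1
    dir=$(mktemp -d) || return 1
    ( cd "$dir" && apt-get download "$pkg" ) || { rm -rf "$dir"; return 1; }
    check_download_dir "$dir" "$pkg" || { rc=$?; rm -rf "$dir"; return "$rc"; }
    echo "$dir"
}
```

Usage: `d=$(download_verified base-files) || exit $?` and then install from `"$d"`; a hash mismatch surfaces as exit status 2 instead of a silently skipped `.deb.FAILED`.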


