
Bug#724744: 'apt-get source' does not stop if signatures can't be checked



Package: apt
Version: 0.9.7.9
Severity: grave
Tags: security

Source packages are signed, therefore it's fair to expect 'apt-get
source' to enforce signature verification. But it merely prints a
warning and continues if it can't check a signature because of a missing
key (e.g. when you forgot to install the developer keyring). This seems
to be caused by dpkg-source needing the --require-valid-signature option
to enable strict checking (*).

Freenode's #debian suggested I should file a bug on 'apt' since it's the
frontend, and set a 'wishlist' severity. However, I decided to give it a
'grave' severity because Debian policy says that's appropriate when a
package introduces a command that exposes the user accounts to attacks
when run ( http://release.debian.org/stable/rc_policy.txt ). I'm hoping
this gets treated more seriously than 'wishlist' (**).

The security hole in this case involves introducing a compromised source
package on a Debian mirror. Then apt will happily take it, unpack it,
patch stuff and possibly execute arbitrary code from it, without
quitting if it can't check signatures. It breaks the reasonable
assumption that the package manager will check source package signatures
for official packages just as it checks binary packages.

(*) I'd also argue --require-valid-signature is an incredibly poor
default in itself, and that's what should be fixed. It essentially makes
security a long option to a core Debian command and it's off by default.

(**) I should remind you that my somewhat related #722906 issue on downloads
being exceedingly difficult to check correctly from non-Debian machines
also got a 'wishlist' status (initially 'important' and not tagged as a
security issue) and had its subject changed to something more benign.
I'm hoping my report was misunderstood.
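A wrapper along the lines of what the report asks for, added here as an example (it is neither the reporter's nor apt's own code): it downloads the source without unpacking it, rejects a .dsc that carries no signature at all, and then lets dpkg-source --require-valid-signature enforce a valid one instead of apt's warn-and-continue default. It assumes apt-get, dpkg-source and the relevant keyring are installed; the function names are mine.

```shell
#!/bin/sh
# Added example, not part of the bug report or of apt/dpkg.
# Assumes apt-get, dpkg-source and the needed keyring are installed.
set -eu

# Return 0 if the .dsc carries an OpenPGP clearsign header, 1 otherwise.
# Pure shell, so it works (and can be tested) without dpkg installed.
# This only detects an *absent* signature; validity is left to dpkg-source.
dsc_is_signed() {
    grep -q '^-----BEGIN PGP SIGNED MESSAGE-----' "$1"
}

# Fetch and verify the source for one package, failing closed.
# Usage: fetch_verified_source <package> [workdir]
fetch_verified_source() {
    pkg=$1
    dir=${2:-.}
    # --download-only: apt-get fetches the .dsc and tarballs but does not
    # run dpkg-source, so nothing is unpacked or patched yet.
    ( cd "$dir" && apt-get source --download-only "$pkg" )
    dsc=
    for f in "$dir"/"$pkg"_*.dsc; do dsc=$f; break; done
    if [ ! -f "$dsc" ]; then
        echo "no .dsc found for $pkg in $dir" >&2
        return 1
    fi
    if ! dsc_is_signed "$dsc"; then
        echo "refusing: $dsc is not signed" >&2
        return 1
    fi
    # Strict mode: a missing key or a bad signature is fatal here,
    # unlike plain 'apt-get source', which only warns.
    ( cd "$dir" && dpkg-source --require-valid-signature -x "$(basename "$dsc")" )
}

# Example invocation (left commented so the file can be sourced):
# fetch_verified_source hello /tmp/src
```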