Bug#749795: apt: no authentication checks for source packages

Package: apt
Version: 1.0.3
Severity: grave
Tags: security

I've been investigating how apt behaves when the repository doesn't contain any Release signatures (possibly because they were stripped off by a man-in-the-middle attacker).

This is what I found out:

| # cat /etc/apt/sources.list
| deb http://ftp.debian.org/debian/ unstable main
| deb-src http://ftp.debian.org/debian/ unstable main
|
| # apt-get update
| Ign http://ftp.debian.org unstable InRelease
| Ign http://ftp.debian.org unstable Release.gpg
| Get:1 http://ftp.debian.org unstable Release [205 kB]
| Get:2 http://ftp.debian.org unstable/main Sources [7249 kB]
| Get:3 http://ftp.debian.org unstable/main amd64 Packages [6758 kB]
| Fetched 14.2 MB in 29s (479 kB/s)
| Reading package lists... Done
|
| # echo $?
| 0

Hmm. There is no warning suggesting that anything fishy is going on, and the exit code indicates success. (Perhaps the "Ign"s could raise the suspicion of an observant sysadmin. But who knows what "Ign" exactly means? At least the apt-get(1) manpage doesn't know.)

Fortunately, apt-get won't let you install anything:

| # apt-get install -qq nyancat
| WARNING: The following packages cannot be authenticated!
|   nyancat
| E: There are problems and -y was used without --force-yes

And it won't let you even download binary packages:

| $ apt-get download nyancat
| WARNING: The following packages cannot be authenticated!
|   nyancat
| E: Some packages could not be authenticated

So far, so good. However, apt-get happily downloads unauthenticated source packages, with no warning:

| $ apt-get source -d nyancat
| Reading package lists... Done
| Building dependency tree
| Reading state information... Done
| Selected version '1.2.2-1' (unstable) for nyancat
| Need to get 20.6 kB of source archives.
| Get:1 http://ftp.debian.org/debian/ unstable/main nyancat 1.2.2-1 (dsc) [1782 B]
| Get:2 http://ftp.debian.org/debian/ unstable/main nyancat 1.2.2-1 (tar) [14.1 kB]
| Get:3 http://ftp.debian.org/debian/ unstable/main nyancat 1.2.2-1 (diff) [4748 B]
| Fetched 20.6 kB in 0s (1838 kB/s)
| Download complete and in download only mode
|
| $ echo $?
| 0

It is equally happy to unpack them:

| $ apt-get source nyancat
| Reading package lists... Done
| Building dependency tree
| Reading state information... Done
| Selected version '1.2.2-1' (unstable) for nyancat
| Need to get 20.6 kB of source archives.
| Get:1 http://ftp.debian.org/debian/ unstable/main nyancat 1.2.2-1 (dsc) [1782 B]
| Get:2 http://ftp.debian.org/debian/ unstable/main nyancat 1.2.2-1 (tar) [14.1 kB]
| Get:3 http://ftp.debian.org/debian/ unstable/main nyancat 1.2.2-1 (diff) [4748 B]
| Fetched 20.6 kB in 0s (1637 kB/s)
| gpgv: keyblock resource `/home/jwilk/.gnupg/trustedkeys.gpg': file open error
| gpgv: Signature made Fri Dec 13 23:42:11 2013 CET using RSA key ID 37AD3296
| gpgv: Can't check signature: public key not found
| dpkg-source: warning: failed to verify signature on ./nyancat_1.2.2-1.dsc
| dpkg-source: info: extracting nyancat in nyancat-1.2.2
| dpkg-source: info: unpacking nyancat_1.2.2.orig.tar.gz
| dpkg-source: info: unpacking nyancat_1.2.2-1.debian.tar.gz
| dpkg-source: info: applying 01-nyancat-debhelper.patch
|
| $ echo $?
| 0

And it will even let you build them:

| $ apt-get source -b nyancat
| Reading package lists... Done
| Building dependency tree
| Reading state information... Done
| Selected version '1.2.2-1' (unstable) for nyancat
| Need to get 20.6 kB of source archives.
| Get:1 http://ftp.debian.org/debian/ unstable/main nyancat 1.2.2-1 (dsc) [1782 B]
| Get:2 http://ftp.debian.org/debian/ unstable/main nyancat 1.2.2-1 (tar) [14.1 kB]
| Get:3 http://ftp.debian.org/debian/ unstable/main nyancat 1.2.2-1 (diff) [4748 B]
| Fetched 20.6 kB in 0s (1757 kB/s)
| gpgv: keyblock resource `/home/jwilk/.gnupg/trustedkeys.gpg': file open error
| gpgv: Signature made Fri Dec 13 23:42:11 2013 CET using RSA key ID 37AD3296
| gpgv: Can't check signature: public key not found
| dpkg-source: warning: failed to verify signature on ./nyancat_1.2.2-1.dsc
| dpkg-source: info: extracting nyancat in nyancat-1.2.2
| dpkg-source: info: unpacking nyancat_1.2.2.orig.tar.gz
| dpkg-source: info: unpacking nyancat_1.2.2-1.debian.tar.gz
| dpkg-source: info: applying 01-nyancat-debhelper.patch
| dpkg-buildpackage: source package nyancat
| dpkg-buildpackage: source version 1.2.2-1
| dpkg-buildpackage: source distribution unstable
| dpkg-buildpackage: source changed by Jonathan McCrohan <jmccrohan@gmail.com>
| dpkg-buildpackage: host architecture amd64
|  dpkg-source --before-build nyancat-1.2.2
|  fakeroot debian/rules clean
[...]

The mitmproxy script I used for testing is attached.
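The missing check, as an added illustration that is not part of this report or of apt's code: source files fetched by apt-get source should be compared against the Checksums-Sha256 entries of the Sources index, which the signed Release file authenticates. The stanza and file contents below are constructed, and the example assumes the Sources stanza itself has already been authenticated (the Release-signature step the report shows being skipped is not modelled here).

```python
import hashlib

# Constructed stand-ins for the three files apt-get source fetches for nyancat 1.2.2-1.
# Contents are invented; only their hashes and sizes matter for the check.
GOOD_FILES = {
    "nyancat_1.2.2-1.dsc": b"Format: 3.0 (quilt)\nSource: nyancat\nVersion: 1.2.2-1\n",
    "nyancat_1.2.2.orig.tar.gz": b"constructed stand-in for the orig tarball\n",
    "nyancat_1.2.2-1.debian.tar.gz": b"constructed stand-in for the debian tarball\n",
}

def build_sources_stanza(files):
    """Build a Sources-index stanza (the format fetched by apt-get update) with a
    Checksums-Sha256 field for the given files. In a real archive this stanza is what
    the signed Release file ultimately vouches for."""
    lines = ["Package: nyancat", "Version: 1.2.2-1", "Checksums-Sha256:"]
    for name, data in files.items():
        lines.append(f" {hashlib.sha256(data).hexdigest()} {len(data)} {name}")
    return "\n".join(lines) + "\n"

def parse_checksums(stanza):
    """Return {filename: (sha256hex, size)} from the stanza's Checksums-Sha256 field.
    Continuation lines start with a single space, as in Debian control files."""
    expected, in_field = {}, False
    for line in stanza.splitlines():
        if line.startswith(" ") and in_field:
            digest, size, name = line.split()
            expected[name] = (digest, int(size))
        else:
            in_field = line.startswith("Checksums-Sha256:")
    return expected

def verify_source_files(stanza, downloaded):
    """Compare downloaded files against the index. Returns a list of problems;
    an empty list means every listed file is present with the right size and hash."""
    expected = parse_checksums(stanza)
    problems = []
    for name, (digest, size) in expected.items():
        data = downloaded.get(name)
        if data is None:
            problems.append(f"{name}: missing")
        elif len(data) != size:
            problems.append(f"{name}: size {len(data)} != {size}")
        elif hashlib.sha256(data).hexdigest() != digest:
            problems.append(f"{name}: sha256 mismatch")
    return problems

if __name__ == "__main__":
    stanza = build_sources_stanza(GOOD_FILES)
    print(verify_source_files(stanza, GOOD_FILES))  # []
    # Same length, different bytes: only the hash catches it.
    tampered = dict(GOOD_FILES, **{"nyancat_1.2.2.orig.tar.gz": b"constructed stand-in for the evil tarball\n"})
    print(verify_source_files(stanza, tampered))  # ['nyancat_1.2.2.orig.tar.gz: sha256 mismatch']
```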

-- System Information:
Debian Release: jessie/sid
 APT prefers unstable
 APT policy: (990, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.14-1-amd64 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash

Versions of packages apt depends on:
ii  debian-archive-keyring  2012.4
ii  gnupg                   1.4.16-1.1
ii  libapt-pkg4.12          1.0.3
ii  libc6                   2.18-7
ii  libgcc1                 1:4.9.0-5
ii  libstdc++6              4.9.0-5

--
Jakub Wilk

# Usage: mitmdump -e -s /path/to/nosigs.py

from libmproxy.flow import Response
from netlib.odict import ODictCaseless

def request(context, flow):
    if flow.request.path.endswith(('/Release.gpg', '/InRelease')):
        # Signatures? We ain't got no signatures. We don't need no signatures!
        # I don't have to show you any stinkin' signatures!
        resp = Response(flow.request,
            (1, 1),
            404, 'Not Found',
            ODictCaseless(),
            '',
            None,
            1,
        )
        flow.request.reply(resp)

# vim:ts=4 sw=4 et