Bug#749795: apt: no authentication checks for source packages

To: Thijs Kinkhorst <thijs@debian.org>, 749795@bugs.debian.org
Cc: team@security.debian.org
Subject: Bug#749795: apt: no authentication checks for source packages
From: Michael Vogt <mvo@debian.org>
Date: Thu, 12 Jun 2014 13:52:13 +0200
Message-id: <[🔎] 20140612115213.GE9577@bod>
Reply-to: Michael Vogt <mvo@debian.org>, 749795@bugs.debian.org
In-reply-to: <[🔎] b79b6b6e647131dbb459cc36a9e6f92e.squirrel@aphrodite.kinkhorst.nl>
References: <[🔎] b79b6b6e647131dbb459cc36a9e6f92e.squirrel@aphrodite.kinkhorst.nl>

On Thu, Jun 12, 2014 at 11:44:20AM +0200, Thijs Kinkhorst wrote:
> > apt: no authentication checks for source packages
> 
> The Debian security team has assigned CVE-2014-0478 to this issue.
> 
> APT developers: we should fix this in wheezy. Are you able to provide an
> update for wheezy for this issue?
[..]

Attached is the fix for wheezy with a regression test, a additional
test run is very welcome (works in my wheezy container both the
testcase and a manual test when removing /var/lib/apt/lists/*Release*).

Cheers,
 Michael

diff -Nru apt-0.9.7.9+deb7u1/cmdline/apt-get.cc apt-0.9.7.9+deb7u2/cmdline/apt-get.cc
--- apt-0.9.7.9+deb7u1/cmdline/apt-get.cc	2013-03-01 11:51:21.000000000 +0100
+++ apt-0.9.7.9+deb7u2/cmdline/apt-get.cc	2014-06-12 13:35:58.000000000 +0200
@@ -1046,25 +1046,8 @@
    return true;
 }
 									/*}}}*/
-// CheckAuth - check if each download comes form a trusted source	/*{{{*/
-// ---------------------------------------------------------------------
-/* */
-static bool CheckAuth(pkgAcquire& Fetcher)
+static bool AuthPrompt(std::string UntrustedList, bool const PromptUser)
 {
-   string UntrustedList;
-   for (pkgAcquire::ItemIterator I = Fetcher.ItemsBegin(); I < Fetcher.ItemsEnd(); ++I)
-   {
-      if (!(*I)->IsTrusted())
-      {
-         UntrustedList += string((*I)->ShortDesc()) + " ";
-      }
-   }
-
-   if (UntrustedList == "")
-   {
-      return true;
-   }
-        
    ShowList(c2out,_("WARNING: The following packages cannot be authenticated!"),UntrustedList,"");
 
    if (_config->FindB("APT::Get::AllowUnauthenticated",false) == true)
@@ -1073,6 +1056,9 @@
       return true;
    }
 
+   if (PromptUser == false)
+     return _error->Error(_("Some packages could not be authenticated"));
+
    if (_config->FindI("quiet",0) < 2
        && _config->FindB("APT::Get::Assume-Yes",false) == false)
    {
@@ -1090,6 +1076,27 @@
    return _error->Error(_("There are problems and -y was used without --force-yes"));
 }
 									/*}}}*/
+// CheckAuth - check if each download comes form a trusted source	/*{{{*/
+// ---------------------------------------------------------------------
+/* */
+static bool CheckAuth(pkgAcquire& Fetcher, bool PromptUser=true)
+{
+   string UntrustedList;
+   for (pkgAcquire::ItemIterator I = Fetcher.ItemsBegin(); I < Fetcher.ItemsEnd(); ++I)
+   {
+      if (!(*I)->IsTrusted())
+      {
+         UntrustedList += string((*I)->ShortDesc()) + " ";
+      }
+   }
+
+   if (UntrustedList == "")
+   {
+      return true;
+   }
+
+   return AuthPrompt(UntrustedList, PromptUser);
+}
 // InstallPackages - Actually download and install the packages		/*{{{*/
 // ---------------------------------------------------------------------
 /* This displays the informative messages describing what is going to 
@@ -2483,6 +2490,7 @@
 
    // Load the requestd sources into the fetcher
    unsigned J = 0;
+   std::string UntrustedList;
    for (const char **I = CmdL.FileList + 1; *I != 0; I++, J++)
    {
       string Src;
@@ -2492,6 +2500,9 @@
 	 delete[] Dsc;
 	 return _error->Error(_("Unable to find a source package for %s"),Src.c_str());
       }
+
+      if (Last->Index().IsTrusted() == false)
+         UntrustedList += Src + " ";
       
       string srec = Last->AsStr();
       string::size_type pos = srec.find("\nVcs-");
@@ -2576,6 +2587,10 @@
 			Last->Index().SourceInfo(*Last,*I),Src);
       }
    }
+
+   // check authentication status of the source as well
+   if (UntrustedList != "" && !AuthPrompt(UntrustedList, false))
+      return false;
    
    // Display statistics
    unsigned long long FetchBytes = Fetcher.FetchNeeded();
diff -Nru apt-0.9.7.9+deb7u1/debian/changelog apt-0.9.7.9+deb7u2/debian/changelog
--- apt-0.9.7.9+deb7u1/debian/changelog	2013-11-16 12:47:12.000000000 +0100
+++ apt-0.9.7.9+deb7u2/debian/changelog	2014-06-12 13:22:44.000000000 +0200
@@ -1,3 +1,10 @@
+apt (0.9.7.9+deb7u2) wheezy; urgency=low
+
+  * SECURITY UPDATE: apt-get source validation
+    - CVE-2014-0478
+
+ -- Michael Vogt <mvo@debian.org>  Thu, 12 Jun 2014 12:47:25 +0200
+
 apt (0.9.7.9+deb7u1) wheezy; urgency=low
 
   * Non-maintainer upload.
diff -Nru apt-0.9.7.9+deb7u1/test/integration/framework apt-0.9.7.9+deb7u2/test/integration/framework
--- apt-0.9.7.9+deb7u1/test/integration/framework	2013-03-01 11:51:21.000000000 +0100
+++ apt-0.9.7.9+deb7u2/test/integration/framework	2014-06-12 13:21:11.000000000 +0200
@@ -130,7 +130,7 @@
 	mkdir rootdir aptarchive keys
 	cd rootdir
 	mkdir -p etc/apt/apt.conf.d etc/apt/sources.list.d etc/apt/trusted.gpg.d etc/apt/preferences.d
-	mkdir -p var/cache var/lib var/log
+	mkdir -p var/cache var/lib var/log tmp
 	mkdir -p var/lib/dpkg/info var/lib/dpkg/updates var/lib/dpkg/triggers
 	touch var/lib/dpkg/available
 	mkdir -p usr/lib/apt
@@ -858,3 +858,35 @@
 	local IGNORE
 	read IGNORE
 }
+
+testsuccess() {
+	if [ "$1" = '--nomsg' ]; then
+		shift
+	else
+		msgtest 'Test for successful execution of' "$*"
+	fi
+	local OUTPUT="${TMPWORKINGDIRECTORY}/rootdir/tmp/testsuccess.output"
+	if $@ >${OUTPUT} 2>&1; then
+		msgpass
+	else
+		echo >&2
+		cat >&2 $OUTPUT
+		msgfail
+	fi
+}
+
+testfailure() {
+	if [ "$1" = '--nomsg' ]; then
+		shift
+	else
+		msgtest 'Test for failure in execution of' "$*"
+	fi
+	local OUTPUT="${TMPWORKINGDIRECTORY}/rootdir/tmp/testfailure.output"
+	if $@ >${OUTPUT} 2>&1; then
+		echo >&2
+		cat >&2 $OUTPUT
+		msgfail
+	else
+		msgpass
+	fi
+}
diff -Nru apt-0.9.7.9+deb7u1/test/integration/test-apt-get-source-authenticated apt-0.9.7.9+deb7u2/test/integration/test-apt-get-source-authenticated
--- apt-0.9.7.9+deb7u1/test/integration/test-apt-get-source-authenticated	1970-01-01 01:00:00.000000000 +0100
+++ apt-0.9.7.9+deb7u2/test/integration/test-apt-get-source-authenticated	2014-06-12 12:43:34.000000000 +0200
@@ -0,0 +1,31 @@
+#!/bin/sh
+#
+# Regression test for debian bug #749795. Ensure that we fail with
+# a error if apt-get source foo will download a source that comes
+# from a unauthenticated repository
+#
+set -e
+
+TESTDIR=$(readlink -f $(dirname $0))
+. $TESTDIR/framework
+
+setupenvironment
+configarchitecture "i386"
+
+# a "normal" package with source and binary
+buildsimplenativepackage 'foo' 'all' '2.0'
+
+setupaptarchive --no-update
+
+APTARCHIVE=$(readlink -f ./aptarchive)
+rm -f $APTARCHIVE/dists/unstable/*Release*
+
+# update without authenticated InRelease file
+testsuccess aptget update
+
+# this all should fail
+testfailure aptget install -y foo
+testfailure aptget source foo
+
+# allow overriding the warning
+testsuccess aptget source --allow-unauthenticated foo

Reply to:

Follow-Ups:
- Bug#749795: apt: no authentication checks for source packages
  - From: "Thijs Kinkhorst" <thijs@debian.org>

References:
- Bug#749795: apt: no authentication checks for source packages
  - From: "Thijs Kinkhorst" <thijs@debian.org>

Prev by Date: Bug#751388: apt: "Run 'apt list --upgradable' to see them." when no packages can be upgraded
Next by Date: Bug#749795: apt: no authentication checks for source packages
Previous by thread: Bug#749795: apt: no authentication checks for source packages
Next by thread: Bug#749795: apt: no authentication checks for source packages
Index(es):
- Date
- Thread