Bug#749795: apt: no authentication checks for source packages
On Thu, Jun 12, 2014 at 11:44:20AM +0200, Thijs Kinkhorst wrote:
[..]
> > apt: no authentication checks for source packages
>
> The Debian security team has assigned CVE-2014-0478 to this issue.
[..]
> As for squeeze, if it's not too much extra work it would be great if an
> update for squeeze was also possible. Perhaps it could also even include
> the fix for https://security-tracker.debian.org/tracker/CVE-2011-3634?
Attached is the debdiff for squeeze. Additional testing welcome (work
in my debian-squeeze environment).
Cheers,
Michael
diff -Nru apt-0.8.10.3+squeeze1/cmdline/apt-get.cc apt-0.8.10.3+squeeze2/cmdline/apt-get.cc
--- apt-0.8.10.3+squeeze1/cmdline/apt-get.cc 2011-04-15 09:30:33.000000000 +0200
+++ apt-0.8.10.3+squeeze2/cmdline/apt-get.cc 2014-06-12 15:03:48.000000000 +0200
@@ -959,25 +959,8 @@
return true;
}
/*}}}*/
-// CheckAuth - check if each download comes form a trusted source /*{{{*/
-// ---------------------------------------------------------------------
-/* */
-static bool CheckAuth(pkgAcquire& Fetcher)
+static bool AuthPrompt(std::string UntrustedList, bool const PromptUser)
{
- string UntrustedList;
- for (pkgAcquire::ItemIterator I = Fetcher.ItemsBegin(); I < Fetcher.ItemsEnd(); ++I)
- {
- if (!(*I)->IsTrusted())
- {
- UntrustedList += string((*I)->ShortDesc()) + " ";
- }
- }
-
- if (UntrustedList == "")
- {
- return true;
- }
-
ShowList(c2out,_("WARNING: The following packages cannot be authenticated!"),UntrustedList,"");
if (_config->FindB("APT::Get::AllowUnauthenticated",false) == true)
@@ -986,6 +969,9 @@
return true;
}
+ if (PromptUser == false)
+ return _error->Error(_("Some packages could not be authenticated"));
+
if (_config->FindI("quiet",0) < 2
&& _config->FindB("APT::Get::Assume-Yes",false) == false)
{
@@ -1003,6 +989,27 @@
return _error->Error(_("There are problems and -y was used without --force-yes"));
}
/*}}}*/
+// CheckAuth - check if each download comes form a trusted source /*{{{*/
+// ---------------------------------------------------------------------
+/* */
+static bool CheckAuth(pkgAcquire& Fetcher, bool PromptUser=true)
+{
+ string UntrustedList;
+ for (pkgAcquire::ItemIterator I = Fetcher.ItemsBegin(); I < Fetcher.ItemsEnd(); ++I)
+ {
+ if (!(*I)->IsTrusted())
+ {
+ UntrustedList += string((*I)->ShortDesc()) + " ";
+ }
+ }
+
+ if (UntrustedList == "")
+ {
+ return true;
+ }
+
+ return AuthPrompt(UntrustedList, PromptUser);
+}
// InstallPackages - Actually download and install the packages /*{{{*/
// ---------------------------------------------------------------------
/* This displays the informative messages describing what is going to
@@ -2229,6 +2236,7 @@
// Load the requestd sources into the fetcher
unsigned J = 0;
+ std::string UntrustedList;
for (const char **I = CmdL.FileList + 1; *I != 0; I++, J++)
{
string Src;
@@ -2237,6 +2245,9 @@
if (Last == 0)
return _error->Error(_("Unable to find a source package for %s"),Src.c_str());
+ if (Last->Index().IsTrusted() == false)
+ UntrustedList += Src + " ";
+
string srec = Last->AsStr();
string::size_type pos = srec.find("\nVcs-");
while (pos != string::npos)
@@ -2319,6 +2330,11 @@
}
}
+ // check authentication status of the source as well
+ if (UntrustedList != "" && !AuthPrompt(UntrustedList, false))
+ return false;
+
+
// Display statistics
unsigned long long FetchBytes = Fetcher.FetchNeeded();
unsigned long long FetchPBytes = Fetcher.PartialPresent();
diff -Nru apt-0.8.10.3+squeeze1/debian/changelog apt-0.8.10.3+squeeze2/debian/changelog
--- apt-0.8.10.3+squeeze1/debian/changelog 2011-04-15 09:30:33.000000000 +0200
+++ apt-0.8.10.3+squeeze2/debian/changelog 2014-06-12 15:07:49.000000000 +0200
@@ -1,3 +1,14 @@
+apt (0.8.10.3+squeeze2) squeeze-security; urgency=high
+
+ * SECURITY UPDATE: apt-get source validation (closes: #749795)
+ - CVE-2014-0478
+ * SECURITY UPDATE: sensitive information disclosure via incorrect
+ hostname validation (LP: #868353)
+ - methods/https.cc: properly set CURLOPT_SSL_VERIFYHOST.
+ - CVE-2011-3634
+
+ -- Michael Vogt <mvo@debian.org> Thu, 12 Jun 2014 14:30:59 +0200
+
apt (0.8.10.3+squeeze1) stable; urgency=low
[ Michael Vogt ]
diff -Nru apt-0.8.10.3+squeeze1/methods/https.cc apt-0.8.10.3+squeeze2/methods/https.cc
--- apt-0.8.10.3+squeeze1/methods/https.cc 2011-04-15 09:30:33.000000000 +0200
+++ apt-0.8.10.3+squeeze2/methods/https.cc 2014-06-12 14:32:46.000000000 +0200
@@ -143,13 +143,11 @@
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, peer_verify);
// ... and hostname against cert CN or subjectAltName
- int default_verify = 2;
bool verify = _config->FindB("Acquire::https::Verify-Host",true);
knob = "Acquire::https::"+remotehost+"::Verify-Host";
verify = _config->FindB(knob.c_str(),verify);
- if (!verify)
- default_verify = 0;
- curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, verify);
+ int const default_verify = (verify == true) ? 2 : 0;
+ curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, default_verify);
// Also enforce issuer of server certificate using its cert
string issuercert = _config->Find("Acquire::https::IssuerCert","");
diff -Nru apt-0.8.10.3+squeeze1/test/integration/framework apt-0.8.10.3+squeeze2/test/integration/framework
--- apt-0.8.10.3+squeeze1/test/integration/framework 2011-04-15 09:30:33.000000000 +0200
+++ apt-0.8.10.3+squeeze2/test/integration/framework 2014-06-12 14:30:45.000000000 +0200
@@ -92,7 +92,7 @@
mkdir rootdir aptarchive keys
cd rootdir
mkdir -p etc/apt/apt.conf.d etc/apt/sources.list.d etc/apt/trusted.gpg.d etc/apt/preferences.d
- mkdir -p var/cache var/lib var/log
+ mkdir -p var/cache var/lib var/log tmp
mkdir -p var/lib/dpkg/info var/lib/dpkg/updates var/lib/dpkg/triggers
local STATUSFILE=$(echo "$(basename $0)" | sed -e 's/^test-/status-/' -e 's/^skip-/status-/')
if [ -f "${TESTDIR}/${STATUSFILE}" ]; then
@@ -528,3 +528,35 @@
fi
msgpass
}
+
+testsuccess() {
+ if [ "$1" = '--nomsg' ]; then
+ shift
+ else
+ msgtest 'Test for successful execution of' "$*"
+ fi
+ local OUTPUT="${TMPWORKINGDIRECTORY}/rootdir/tmp/testsuccess.output"
+ if $@ >${OUTPUT} 2>&1; then
+ msgpass
+ else
+ echo >&2
+ cat >&2 $OUTPUT
+ msgfail
+ fi
+}
+
+testfailure() {
+ if [ "$1" = '--nomsg' ]; then
+ shift
+ else
+ msgtest 'Test for failure in execution of' "$*"
+ fi
+ local OUTPUT="${TMPWORKINGDIRECTORY}/rootdir/tmp/testfailure.output"
+ if $@ >${OUTPUT} 2>&1; then
+ echo >&2
+ cat >&2 $OUTPUT
+ msgfail
+ else
+ msgpass
+ fi
+}
diff -Nru apt-0.8.10.3+squeeze1/test/integration/test-apt-get-source-authenticated apt-0.8.10.3+squeeze2/test/integration/test-apt-get-source-authenticated
--- apt-0.8.10.3+squeeze1/test/integration/test-apt-get-source-authenticated 1970-01-01 01:00:00.000000000 +0100
+++ apt-0.8.10.3+squeeze2/test/integration/test-apt-get-source-authenticated 2014-06-12 14:30:45.000000000 +0200
@@ -0,0 +1,31 @@
+#!/bin/sh
+#
+# Regression test for debian bug #749795. Ensure that we fail with
+# a error if apt-get source foo will download a source that comes
+# from a unauthenticated repository
+#
+set -e
+
+TESTDIR=$(readlink -f $(dirname $0))
+. $TESTDIR/framework
+
+setupenvironment
+configarchitecture "i386"
+
+# a "normal" package with source and binary
+buildsimplenativepackage 'foo' 'all' '2.0'
+
+setupaptarchive --no-update
+
+APTARCHIVE=$(readlink -f ./aptarchive)
+rm -f $APTARCHIVE/dists/unstable/*Release*
+
+# update without authenticated InRelease file
+testsuccess aptget update
+
+# this all should fail
+testfailure aptget install -y foo
+testfailure aptget source foo
+
+# allow overriding the warning
+testsuccess aptget source --allow-unauthenticated foo
Reply to: