--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: apt: no authentication checks for source packages
- From: Jakub Wilk <jwilk@debian.org>
- Date: Thu, 29 May 2014 23:04:35 +0200
- Message-id: <20140529210434.GA3935@jwilk.net>
Package: apt
Version: 1.0.3
Severity: grave
Tags: security
I've been investigating how apt behaves when the repository doesn't
contain any Release signatures (possibly because they were stripped off
by a man-in-the-middle attacker).
This is what I found out:
| # cat /etc/apt/sources.list
| deb http://ftp.debian.org/debian/ unstable main
| deb-src http://ftp.debian.org/debian/ unstable main
|
| # apt-get update
| Ign http://ftp.debian.org unstable InRelease
| Ign http://ftp.debian.org unstable Release.gpg
| Get:1 http://ftp.debian.org unstable Release [205 kB]
| Get:2 http://ftp.debian.org unstable/main Sources [7249 kB]
| Get:3 http://ftp.debian.org unstable/main amd64 Packages [6758 kB]
| Fetched 14.2 MB in 29s (479 kB/s)
| Reading package lists... Done
|
| # echo $?
| 0
Hmm. There is no warning suggesting that anything fishy is going on, and
the exit code indicates success. (Perhaps the "Ign"s could raise
suspicion of an observant sysadmin. But who knows what "Ign" exactly
means? At least the apt-get(1) manpage doesn't know.)
Fortunately, apt-get won't let you install anything:
| # apt-get install -qq nyancat
| WARNING: The following packages cannot be authenticated!
| nyancat
| E: There are problems and -y was used without --force-yes
And it won't let you even download binary packages:
| $ apt-get download nyancat
| WARNING: The following packages cannot be authenticated!
| nyancat
| E: Some packages could not be authenticated
So far, so good. However, apt-get happily downloads unauthenticated
source packages, with no warning:
| $ apt-get source -d nyancat
| Reading package lists... Done
| Building dependency tree
| Reading state information... Done
| Selected version '1.2.2-1' (unstable) for nyancat
| Need to get 20.6 kB of source archives.
| Get:1 http://ftp.debian.org/debian/ unstable/main nyancat 1.2.2-1 (dsc) [1782 B]
| Get:2 http://ftp.debian.org/debian/ unstable/main nyancat 1.2.2-1 (tar) [14.1 kB]
| Get:3 http://ftp.debian.org/debian/ unstable/main nyancat 1.2.2-1 (diff) [4748 B]
| Fetched 20.6 kB in 0s (1838 kB/s)
| Download complete and in download only mode
|
| $ echo $?
| 0
It is equally happy to unpack them:
| $ apt-get source nyancat
| Reading package lists... Done
| Building dependency tree
| Reading state information... Done
| Selected version '1.2.2-1' (unstable) for nyancat
| Need to get 20.6 kB of source archives.
| Get:1 http://ftp.debian.org/debian/ unstable/main nyancat 1.2.2-1 (dsc) [1782 B]
| Get:2 http://ftp.debian.org/debian/ unstable/main nyancat 1.2.2-1 (tar) [14.1 kB]
| Get:3 http://ftp.debian.org/debian/ unstable/main nyancat 1.2.2-1 (diff) [4748 B]
| Fetched 20.6 kB in 0s (1637 kB/s)
| gpgv: keyblock resource `/home/jwilk/.gnupg/trustedkeys.gpg': file open error
| gpgv: Signature made Fri Dec 13 23:42:11 2013 CET using RSA key ID 37AD3296
| gpgv: Can't check signature: public key not found
| dpkg-source: warning: failed to verify signature on ./nyancat_1.2.2-1.dsc
| dpkg-source: info: extracting nyancat in nyancat-1.2.2
| dpkg-source: info: unpacking nyancat_1.2.2.orig.tar.gz
| dpkg-source: info: unpacking nyancat_1.2.2-1.debian.tar.gz
| dpkg-source: info: applying 01-nyancat-debhelper.patch
|
| $ echo $?
| 0
And it will even let you build them:
| $ apt-get source -b nyancat
| Reading package lists... Done
| Building dependency tree
| Reading state information... Done
| Selected version '1.2.2-1' (unstable) for nyancat
| Need to get 20.6 kB of source archives.
| Get:1 http://ftp.debian.org/debian/ unstable/main nyancat 1.2.2-1 (dsc) [1782 B]
| Get:2 http://ftp.debian.org/debian/ unstable/main nyancat 1.2.2-1 (tar) [14.1 kB]
| Get:3 http://ftp.debian.org/debian/ unstable/main nyancat 1.2.2-1 (diff) [4748 B]
| Fetched 20.6 kB in 0s (1757 kB/s)
| gpgv: keyblock resource `/home/jwilk/.gnupg/trustedkeys.gpg': file open error
| gpgv: Signature made Fri Dec 13 23:42:11 2013 CET using RSA key ID 37AD3296
| gpgv: Can't check signature: public key not found
| dpkg-source: warning: failed to verify signature on ./nyancat_1.2.2-1.dsc
| dpkg-source: info: extracting nyancat in nyancat-1.2.2
| dpkg-source: info: unpacking nyancat_1.2.2.orig.tar.gz
| dpkg-source: info: unpacking nyancat_1.2.2-1.debian.tar.gz
| dpkg-source: info: applying 01-nyancat-debhelper.patch
| dpkg-buildpackage: source package nyancat
| dpkg-buildpackage: source version 1.2.2-1
| dpkg-buildpackage: source distribution unstable
| dpkg-buildpackage: source changed by Jonathan McCrohan <jmccrohan@gmail.com>
| dpkg-buildpackage: host architecture amd64
| dpkg-source --before-build nyancat-1.2.2
| fakeroot debian/rules clean
[...]
The mitmproxy script I used for testing is attached.
-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (990, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.14-1-amd64 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Versions of packages apt depends on:
ii debian-archive-keyring 2012.4
ii gnupg 1.4.16-1.1
ii libapt-pkg4.12 1.0.3
ii libc6 2.18-7
ii libgcc1 1:4.9.0-5
ii libstdc++6 4.9.0-5
--
Jakub Wilk
# Usage: mitmdump -e -s /path/to/nosigs.py
# Test helper used for the report above: answers every request for
# Release.gpg or InRelease with 404, simulating a proxy that strips the
# archive signatures so that apt sees an unsigned repository.
from libmproxy.flow import Response
from netlib.odict import ODictCaseless


def request(context, flow):
    if flow.request.path.endswith(('/Release.gpg', '/InRelease')):
        # Signatures? We ain't got no signatures. We don't need no signatures!
        # I don't have to show you any stinkin' signatures!
        resp = Response(flow.request,
                        (1, 1),            # HTTP version
                        404, 'Not Found',  # status code and reason
                        ODictCaseless(),   # no headers
                        '',                # empty body
                        None,              # no TLS certificate
                        1,                 # timestamp
                        )
        # Reply directly, so the request never reaches the mirror.
        flow.request.reply(resp)

# vim:ts=4 sw=4 et
--- End Message ---
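The check the report shows apt-get skipping, as an added example that is not part of the bug report or of apt's own code: refuse to trust the Sources index at all unless the Release it came from was authenticated, and only then verify each downloaded source file against the index's size and SHA-256. The parser, the sample nyancat files and the stanza builder are constructed assumptions for the demonstration.

```python
import hashlib


def parse_checksums(stanza, field="Checksums-Sha256"):
    """Parse a multiline Debian control checksum field (" <hash> <size> <name>"
    lines) from a Sources stanza into {name: (size, hash)}. Constructed parser."""
    entries = {}
    in_field = False
    for line in stanza.splitlines():
        if line.startswith(field + ":"):
            in_field = True
            continue
        if in_field and line.startswith(" "):
            digest, size, name = line.split()
            entries[name] = (int(size), digest)
        elif in_field:
            break  # next field begins; the multiline block is over
    return entries


def verify_source_files(stanza, files, release_verified):
    """Return (ok, reason). Without a verified Release the Sources index, and
    every checksum in it, could have come from a man-in-the-middle, so the
    decision must fail closed before any hash is even compared."""
    if not release_verified:
        return False, "Release not authenticated; refusing to trust Sources"
    expected = parse_checksums(stanza)
    if not expected:
        return False, "no Checksums-Sha256 field in Sources stanza"
    for name, (size, digest) in expected.items():
        data = files.get(name)
        if data is None:
            return False, "missing file %s" % name
        if len(data) != size or hashlib.sha256(data).hexdigest() != digest:
            return False, "checksum mismatch for %s" % name
    return True, "all source files authenticated"


# Constructed stand-ins for the .dsc and tarballs apt-get source fetched above.
SAMPLE_FILES = {
    "nyancat_1.2.2-1.dsc": b"Format: 3.0 (quilt)\nSource: nyancat\n",
    "nyancat_1.2.2.orig.tar.gz": b"constructed-orig-tarball-bytes",
    "nyancat_1.2.2-1.debian.tar.gz": b"constructed-debian-tarball-bytes",
}


def build_sources_stanza(files):
    """Constructed Sources stanza whose checksums match `files`."""
    lines = ["Package: nyancat", "Version: 1.2.2-1", "Checksums-Sha256:"]
    for name, data in files.items():
        lines.append(" %s %d %s" % (hashlib.sha256(data).hexdigest(), len(data), name))
    return "\n".join(lines) + "\n"
```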
--- Begin Message ---
Source: apt
Source-Version: 0.8.10.3+squeeze2
We believe that the bug you reported is fixed in the latest version of
apt, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 749795@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Michael Vogt <mvo@debian.org> (supplier of updated apt package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Thu, 12 Jun 2014 14:30:59 +0200
Source: apt
Binary: apt apt-doc libapt-pkg-dev libapt-pkg-doc apt-utils apt-transport-https
Architecture: source all amd64
Version: 0.8.10.3+squeeze2
Distribution: squeeze-lts
Urgency: high
Maintainer: APT Development Team <deity@lists.debian.org>
Changed-By: Michael Vogt <mvo@debian.org>
Description:
apt - Advanced front-end for dpkg
apt-doc - Documentation for APT
apt-transport-https - APT https transport
apt-utils - APT utility programs
libapt-pkg-dev - Development files for APT's libapt-pkg and libapt-inst
libapt-pkg-doc - Documentation for APT development
Closes: 749795
Changes:
apt (0.8.10.3+squeeze2) squeeze-lts; urgency=high
.
* SECURITY UPDATE: apt-get source validation (closes: #749795)
- CVE-2014-0478
* SECURITY UPDATE: sensitive information disclosure via incorrect
hostname validation (LP: #868353)
- methods/https.cc: properly set CURLOPT_SSL_VERIFYHOST.
- CVE-2011-3634
--- End Message ---