
Bug#749795: marked as done (apt: CVE-2014-0478: no authentication checks for source packages)



Your message dated Thu, 12 Jun 2014 17:48:44 +0000
with message-id <E1Wv97E-0006tv-Ai@franck.debian.org>
and subject line Bug#749795: fixed in apt 0.8.10.3+squeeze2
has caused the Debian Bug report #749795,
regarding apt: CVE-2014-0478: no authentication checks for source packages
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
749795: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=749795
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: apt
Version: 1.0.3
Severity: grave
Tags: security

I've been investigating how apt behaves when the repository doesn't contain any Release signatures (possibly because they were stripped off by a man-in-the-middle attacker).

This is what I found out:

| # cat /etc/apt/sources.list
| deb http://ftp.debian.org/debian/ unstable main
| deb-src http://ftp.debian.org/debian/ unstable main
|
| # apt-get update
| Ign http://ftp.debian.org unstable InRelease
| Ign http://ftp.debian.org unstable Release.gpg
| Get:1 http://ftp.debian.org unstable Release [205 kB]
| Get:2 http://ftp.debian.org unstable/main Sources [7249 kB]
| Get:3 http://ftp.debian.org unstable/main amd64 Packages [6758 kB]
| Fetched 14.2 MB in 29s (479 kB/s)
| Reading package lists... Done
|
| # echo $?
| 0

Hmm. There is no warning suggesting that anything fishy is going on, and the exit code indicates success. (Perhaps the "Ign"s could raise the suspicion of an observant sysadmin. But who knows what "Ign" exactly means? At least the apt-get(1) manpage doesn't know.)

Fortunately, apt-get won't let you install anything:

| # apt-get install -qq nyancat
| WARNING: The following packages cannot be authenticated!
|   nyancat
| E: There are problems and -y was used without --force-yes

And it won't let you even download binary packages:

| $ apt-get download nyancat
| WARNING: The following packages cannot be authenticated!
|   nyancat
| E: Some packages could not be authenticated

So far, so good. However, apt-get happily downloads unauthenticated source packages, with no warning:

| $ apt-get source -d nyancat
| Reading package lists... Done
| Building dependency tree
| Reading state information... Done
| Selected version '1.2.2-1' (unstable) for nyancat
| Need to get 20.6 kB of source archives.
| Get:1 http://ftp.debian.org/debian/ unstable/main nyancat 1.2.2-1 (dsc) [1782 B]
| Get:2 http://ftp.debian.org/debian/ unstable/main nyancat 1.2.2-1 (tar) [14.1 kB]
| Get:3 http://ftp.debian.org/debian/ unstable/main nyancat 1.2.2-1 (diff) [4748 B]
| Fetched 20.6 kB in 0s (1838 kB/s)
| Download complete and in download only mode
|
| $ echo $?
| 0

It is equally happy to unpack them:

| $ apt-get source nyancat
| Reading package lists... Done
| Building dependency tree
| Reading state information... Done
| Selected version '1.2.2-1' (unstable) for nyancat
| Need to get 20.6 kB of source archives.
| Get:1 http://ftp.debian.org/debian/ unstable/main nyancat 1.2.2-1 (dsc) [1782 B]
| Get:2 http://ftp.debian.org/debian/ unstable/main nyancat 1.2.2-1 (tar) [14.1 kB]
| Get:3 http://ftp.debian.org/debian/ unstable/main nyancat 1.2.2-1 (diff) [4748 B]
| Fetched 20.6 kB in 0s (1637 kB/s)
| gpgv: keyblock resource `/home/jwilk/.gnupg/trustedkeys.gpg': file open error
| gpgv: Signature made Fri Dec 13 23:42:11 2013 CET using RSA key ID 37AD3296
| gpgv: Can't check signature: public key not found
| dpkg-source: warning: failed to verify signature on ./nyancat_1.2.2-1.dsc
| dpkg-source: info: extracting nyancat in nyancat-1.2.2
| dpkg-source: info: unpacking nyancat_1.2.2.orig.tar.gz
| dpkg-source: info: unpacking nyancat_1.2.2-1.debian.tar.gz
| dpkg-source: info: applying 01-nyancat-debhelper.patch
|
| $ echo $?
| 0

And it will even let you build them:

| $ apt-get source -b nyancat
| Reading package lists... Done
| Building dependency tree
| Reading state information... Done
| Selected version '1.2.2-1' (unstable) for nyancat
| Need to get 20.6 kB of source archives.
| Get:1 http://ftp.debian.org/debian/ unstable/main nyancat 1.2.2-1 (dsc) [1782 B]
| Get:2 http://ftp.debian.org/debian/ unstable/main nyancat 1.2.2-1 (tar) [14.1 kB]
| Get:3 http://ftp.debian.org/debian/ unstable/main nyancat 1.2.2-1 (diff) [4748 B]
| Fetched 20.6 kB in 0s (1757 kB/s)
| gpgv: keyblock resource `/home/jwilk/.gnupg/trustedkeys.gpg': file open error
| gpgv: Signature made Fri Dec 13 23:42:11 2013 CET using RSA key ID 37AD3296
| gpgv: Can't check signature: public key not found
| dpkg-source: warning: failed to verify signature on ./nyancat_1.2.2-1.dsc
| dpkg-source: info: extracting nyancat in nyancat-1.2.2
| dpkg-source: info: unpacking nyancat_1.2.2.orig.tar.gz
| dpkg-source: info: unpacking nyancat_1.2.2-1.debian.tar.gz
| dpkg-source: info: applying 01-nyancat-debhelper.patch
| dpkg-buildpackage: source package nyancat
| dpkg-buildpackage: source version 1.2.2-1
| dpkg-buildpackage: source distribution unstable
| dpkg-buildpackage: source changed by Jonathan McCrohan <jmccrohan@gmail.com>
| dpkg-buildpackage: host architecture amd64
|  dpkg-source --before-build nyancat-1.2.2
|  fakeroot debian/rules clean
[...]

The mitmproxy script I used for testing is attached.

-- System Information:
Debian Release: jessie/sid
 APT prefers unstable
 APT policy: (990, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.14-1-amd64 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash

Versions of packages apt depends on:
ii  debian-archive-keyring  2012.4
ii  gnupg                   1.4.16-1.1
ii  libapt-pkg4.12          1.0.3
ii  libc6                   2.18-7
ii  libgcc1                 1:4.9.0-5
ii  libstdc++6              4.9.0-5

--
Jakub Wilk

# Usage: mitmdump -e -s /path/to/nosigs.py

from libmproxy.flow import Response
from netlib.odict import ODictCaseless

def request(context, flow):
    # Any fetch of the repository's signature files is answered with a
    # synthetic 404, so apt sees a repository without a Release signature.
    if flow.request.path.endswith(('/Release.gpg', '/InRelease')):
        # Signatures? We ain't got no signatures. We don't need no signatures!
        # I don't have to show you any stinkin' signatures!
        resp = Response(flow.request,
            (1, 1),            # HTTP/1.1
            404, 'Not Found',  # status code and reason phrase
            ODictCaseless(),   # no headers
            '',                # empty body
            None,              # no certificate
            1,                 # timestamp
        )
        # reply() short-circuits the request; the real server is never asked.
        flow.request.reply(resp)

# vim:ts=4 sw=4 et

--- End Message ---
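The close message below describes the fix only as "apt-get source validation". As an added example (not apt's code and not the reporter's), the following Python shows the check a client needs before trusting what `apt-get source` fetched: every file listed in the package's stanza of the Sources index is compared by size and SHA-256 against the bytes actually downloaded, and any file that is missing, truncated or altered is reported. The stanza, the file contents and their hashes are constructed here (the `Checksums-Sha256` field is computed from the constructed bytes, not from the real nyancat upload); the field layout is the deb822 format real Sources indexes use. The check is only as strong as the index it reads: the Sources file must itself come from a Release file whose signature verified, which is exactly what the `Ign ... InRelease` and `Ign ... Release.gpg` lines in the report show was not the case.

```python
import hashlib

# Added example, not part of the bug report. Constructed stand-ins for the
# three files "apt-get source nyancat" downloads; not real archives.
SAMPLE_FILES = {
    "nyancat_1.2.2-1.dsc": b"Format: 3.0 (quilt)\nSource: nyancat\nVersion: 1.2.2-1\n",
    "nyancat_1.2.2.orig.tar.gz": b"\x1f\x8b constructed, not a real tarball\n",
    "nyancat_1.2.2-1.debian.tar.gz": b"\x1f\x8b constructed debian dir\n",
}


def build_sample_stanza(files):
    """Build a constructed Sources stanza whose Checksums-Sha256 field
    describes `files`. In reality the archive produces this stanza and the
    client only reads it; it is generated here so the example is self-contained."""
    lines = ["Package: nyancat", "Version: 1.2.2-1",
             "Directory: pool/main/n/nyancat", "Checksums-Sha256:"]
    for name, data in files.items():
        lines.append(" %s %d %s" % (hashlib.sha256(data).hexdigest(), len(data), name))
    return "\n".join(lines) + "\n"


SAMPLE_STANZA = build_sample_stanza(SAMPLE_FILES)


def parse_deb822_stanza(text):
    """Parse one deb822 paragraph into {field: value}. Continuation lines
    (leading whitespace) are appended to the preceding field, newline-separated."""
    fields = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t":
            if current is None:
                raise ValueError("continuation line before any field")
            fields[current] += "\n" + line.strip()
        else:
            name, sep, value = line.partition(":")
            if not sep:
                raise ValueError("malformed field line: %r" % line)
            current = name.strip()
            fields[current] = value.strip()
    return fields


def parse_checksums(field_value):
    """Turn the body of a Checksums-Sha256 field into {filename: (hexdigest, size)}."""
    entries = {}
    for line in field_value.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError("malformed checksum line: %r" % line)
        digest, size, name = parts
        entries[name] = (digest.lower(), int(size))
    return entries


def verify_source_files(stanza_text, downloaded):
    """Check every file the index stanza lists against the downloaded bytes.
    Returns {filename: 'ok' | 'missing' | 'size-mismatch' | 'hash-mismatch'}.
    The cheap size comparison runs before the digest is computed."""
    fields = parse_deb822_stanza(stanza_text)
    if "Checksums-Sha256" not in fields:
        raise ValueError("index stanza carries no Checksums-Sha256 field")
    expected = parse_checksums(fields["Checksums-Sha256"])
    results = {}
    for name, (digest, size) in expected.items():
        data = downloaded.get(name)
        if data is None:
            results[name] = "missing"
        elif len(data) != size:
            results[name] = "size-mismatch"
        elif hashlib.sha256(data).hexdigest() != digest:
            results[name] = "hash-mismatch"
        else:
            results[name] = "ok"
    return results


def check_scenarios():
    """Run the verifier over the intact download and over a manipulated one
    (one byte flipped, one file truncated, one file absent). Returns both results."""
    good = verify_source_files(SAMPLE_STANZA, SAMPLE_FILES)
    bad = dict(SAMPLE_FILES)
    # same length, one byte changed: only the digest catches this
    bad["nyancat_1.2.2-1.debian.tar.gz"] = b"\x1f\x8b constructed debian diR\n"
    # truncated: caught by the size comparison before any hashing
    bad["nyancat_1.2.2.orig.tar.gz"] = SAMPLE_FILES["nyancat_1.2.2.orig.tar.gz"][:-1]
    # never downloaded at all
    del bad["nyancat_1.2.2-1.dsc"]
    return good, verify_source_files(SAMPLE_STANZA, bad)


if __name__ == "__main__":
    for label, result in zip(("intact", "manipulated"), check_scenarios()):
        print(label)
        for name, status in sorted(result.items()):
            print("  %-32s %s" % (name, status))
```

Running the script prints `ok` for all three intact files and `missing`, `size-mismatch` and `hash-mismatch` for the manipulated set. A real client would read the stanza from `/var/lib/apt/lists/*_Sources` and the files from the download directory, and would refuse to unpack or build (the `dpkg-source` and `dpkg-buildpackage` steps in the report) unless every entry reports `ok`; the `gpgv` warning about the `.dsc` signature that `dpkg-source` prints is not a substitute, since most users have no `trustedkeys.gpg` to check it against.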
--- Begin Message ---
Source: apt
Source-Version: 0.8.10.3+squeeze2

We believe that the bug you reported is fixed in the latest version of
apt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 749795@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Vogt <mvo@debian.org> (supplier of updated apt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 12 Jun 2014 14:30:59 +0200
Source: apt
Binary: apt apt-doc libapt-pkg-dev libapt-pkg-doc apt-utils apt-transport-https
Architecture: source all amd64
Version: 0.8.10.3+squeeze2
Distribution: squeeze-lts
Urgency: high
Maintainer: APT Development Team <deity@lists.debian.org>
Changed-By: Michael Vogt <mvo@debian.org>
Description: 
 apt        - Advanced front-end for dpkg
 apt-doc    - Documentation for APT
 apt-transport-https - APT https transport
 apt-utils  - APT utility programs
 libapt-pkg-dev - Development files for APT's libapt-pkg and libapt-inst
 libapt-pkg-doc - Documentation for APT development
Closes: 749795
Changes: 
 apt (0.8.10.3+squeeze2) squeeze-lts; urgency=high
 .
   * SECURITY UPDATE: apt-get source validation (closes: #749795)
     - CVE-2014-0478
   * SECURITY UPDATE: sensitive information disclosure via incorrect
     hostname validation (LP: #868353)
     - methods/https.cc: properly set CURLOPT_SSL_VERIFYHOST.
     - CVE-2011-3634
Checksums-Sha1: 
 eac6d7afdc9913e918c226c484f32450b8bf1125 1643 apt_0.8.10.3+squeeze2.dsc
 b08a7fde701111f12c4c93065ae1ea83627e24c2 3148430 apt_0.8.10.3+squeeze2.tar.gz
 5d1a4c81d0b2c54227952e73ae9248e052a26e16 235592 apt-doc_0.8.10.3+squeeze2_all.deb
 fb86248e760cf453658988237b454a9d8b745ba2 694130 libapt-pkg-doc_0.8.10.3+squeeze2_all.deb
 8f875323dd04ae2dca2db521490b24a60d7cdc5d 2183396 apt_0.8.10.3+squeeze2_amd64.deb
 8162afbed8d101c9538aff8d6892d6e9b6d92882 151120 libapt-pkg-dev_0.8.10.3+squeeze2_amd64.deb
 8c1218aadb87860d36507d5b305229e5a9adeb36 274288 apt-utils_0.8.10.3+squeeze2_amd64.deb
 ca73c4732c0a75ae41509357b6c55e708cf507b8 84058 apt-transport-https_0.8.10.3+squeeze2_amd64.deb
Checksums-Sha256: 
 3ec6e2f8b406bb87c766f758f5526c6d97d229d85fa980799ebca03e823fb355 1643 apt_0.8.10.3+squeeze2.dsc
 5049e40a7b9ddd8caab7860a99d4eb0688f8629bd19896c5a8e453961d14c375 3148430 apt_0.8.10.3+squeeze2.tar.gz
 685188746b24906f09a78ec6fdcef7c5770fc0255260682101815f1bdad0d742 235592 apt-doc_0.8.10.3+squeeze2_all.deb
 408539d9d8362da9d9acd8ab14411ee6d5328b0becc49cd57d642c83c925f442 694130 libapt-pkg-doc_0.8.10.3+squeeze2_all.deb
 9d97c6af65cb587509b34caf7e3cfa21fb32de107b829751be4c9a043ef7448f 2183396 apt_0.8.10.3+squeeze2_amd64.deb
 0151206e844f0a6d41d6ae99fca91b533d20852c888a4252f366f919275c7a34 151120 libapt-pkg-dev_0.8.10.3+squeeze2_amd64.deb
 6d3449b1bd787dc58a9145f07fa2787d64eb31122996e92b6844034063e9f8bf 274288 apt-utils_0.8.10.3+squeeze2_amd64.deb
 b7952017066021c5900ee2cb928f10844de54fe9b092cad68d7cbfcc12f2a3d8 84058 apt-transport-https_0.8.10.3+squeeze2_amd64.deb
Files: 
 8950d696fac7fba2d6ec5d2e4ee6ab3c 1643 admin important apt_0.8.10.3+squeeze2.dsc
 9035eeeb42a5ad4a7d0ca191b62c0b15 3148430 admin important apt_0.8.10.3+squeeze2.tar.gz
 a078195dfc1a586f869ad610c991040f 235592 doc optional apt-doc_0.8.10.3+squeeze2_all.deb
 0d7be19fe7a5a2489c53f2681c8be837 694130 doc optional libapt-pkg-doc_0.8.10.3+squeeze2_all.deb
 1390d6e23202117a5af409851a457e41 2183396 admin important apt_0.8.10.3+squeeze2_amd64.deb
 1495f46f4be1db85d89b36ae39f55400 151120 libdevel optional libapt-pkg-dev_0.8.10.3+squeeze2_amd64.deb
 83dc1cf2c8550a91445a4a9cba81dced 274288 admin important apt-utils_0.8.10.3+squeeze2_amd64.deb
 5fb8ce76ac8426e3bd41fe02246061f8 84058 admin optional apt-transport-https_0.8.10.3+squeeze2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBAgAGBQJTmed2AAoJEFb2GnlAHawEELkH/AnEU0JlKTJGAouq3ZcE2o9o
BCrHt4iw85YxKWiiRGcZDJv585TdWxVQCafZo9F4jn555xr6ZQq+MaUYHXmE1m+e
LHxpsa3UbbMg6GddGv9g3ZJL4YEHJ4+4Ipw0BU5y/KwlCq1RB74SftbFHWmRe+Sy
pprl9IiS1n9clccpoCSxRji8IpndDPyP/+kaF0bCl6L6NAqGVYtNrMawctOfLebg
4mm2rZc2/4BPpDPOnN8UqOYqobXOL5NOhtjxop/VFC+ZdSDAnTBIWB6lB+wuXLu9
T43x+5iYTxiNyzLHOrGVMVF93/5Cg9zGqNqN3ERbEKwO6tJHyTajwsTxMT2kreA=
=dBKb
-----END PGP SIGNATURE-----

--- End Message ---
