
Bug#749795: marked as done (apt: CVE-2014-0478: no authentication checks for source packages)



Your message dated Sun, 15 Jun 2014 21:32:09 +0000
with message-id <E1WwI25-0004il-FS@franck.debian.org>
and subject line Bug#749795: fixed in apt 0.9.7.9+deb7u2
has caused the Debian Bug report #749795,
regarding apt: CVE-2014-0478: no authentication checks for source packages
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
749795: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=749795
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: apt
Version: 1.0.3
Severity: grave
Tags: security

I've been investigating how apt behaves when the repository doesn't contain any Release signatures (possibly because they were stripped off by a man-in-the-middle attacker).

This is what I found out:

| # cat /etc/apt/sources.list
| deb http://ftp.debian.org/debian/ unstable main
| deb-src http://ftp.debian.org/debian/ unstable main
|
| # apt-get update
| Ign http://ftp.debian.org unstable InRelease
| Ign http://ftp.debian.org unstable Release.gpg
| Get:1 http://ftp.debian.org unstable Release [205 kB]
| Get:2 http://ftp.debian.org unstable/main Sources [7249 kB]
| Get:3 http://ftp.debian.org unstable/main amd64 Packages [6758 kB]
| Fetched 14.2 MB in 29s (479 kB/s)
| Reading package lists... Done
|
| # echo $?
| 0

Hmm. There is no warning suggesting that anything fishy is going on, and the exit code indicates success. (Perhaps the "Ign"s could raise suspicion of an observant sysadmin. But who knows what "Ign" exactly means? At least the apt-get(1) manpage doesn't know.)

Fortunately, apt-get won't let you install anything:

| # apt-get install -qq nyancat
| WARNING: The following packages cannot be authenticated!
|   nyancat
| E: There are problems and -y was used without --force-yes

And it won't let you even download binary packages:

| $ apt-get download nyancat
| WARNING: The following packages cannot be authenticated!
|   nyancat
| E: Some packages could not be authenticated

So far, so good. However, apt-get happily downloads unauthenticated source packages, with no warning:

| $ apt-get source -d nyancat
| Reading package lists... Done
| Building dependency tree
| Reading state information... Done
| Selected version '1.2.2-1' (unstable) for nyancat
| Need to get 20.6 kB of source archives.
| Get:1 http://ftp.debian.org/debian/ unstable/main nyancat 1.2.2-1 (dsc) [1782 B]
| Get:2 http://ftp.debian.org/debian/ unstable/main nyancat 1.2.2-1 (tar) [14.1 kB]
| Get:3 http://ftp.debian.org/debian/ unstable/main nyancat 1.2.2-1 (diff) [4748 B]
| Fetched 20.6 kB in 0s (1838 kB/s)
| Download complete and in download only mode
|
| $ echo $?
| 0

It is equally happy to unpack them:

| $ apt-get source nyancat
| Reading package lists... Done
| Building dependency tree
| Reading state information... Done
| Selected version '1.2.2-1' (unstable) for nyancat
| Need to get 20.6 kB of source archives.
| Get:1 http://ftp.debian.org/debian/ unstable/main nyancat 1.2.2-1 (dsc) [1782 B]
| Get:2 http://ftp.debian.org/debian/ unstable/main nyancat 1.2.2-1 (tar) [14.1 kB]
| Get:3 http://ftp.debian.org/debian/ unstable/main nyancat 1.2.2-1 (diff) [4748 B]
| Fetched 20.6 kB in 0s (1637 kB/s)
| gpgv: keyblock resource `/home/jwilk/.gnupg/trustedkeys.gpg': file open error
| gpgv: Signature made Fri Dec 13 23:42:11 2013 CET using RSA key ID 37AD3296
| gpgv: Can't check signature: public key not found
| dpkg-source: warning: failed to verify signature on ./nyancat_1.2.2-1.dsc
| dpkg-source: info: extracting nyancat in nyancat-1.2.2
| dpkg-source: info: unpacking nyancat_1.2.2.orig.tar.gz
| dpkg-source: info: unpacking nyancat_1.2.2-1.debian.tar.gz
| dpkg-source: info: applying 01-nyancat-debhelper.patch
|
| $ echo $?
| 0

And it will even let you build them:

| $ apt-get source -b nyancat
| Reading package lists... Done
| Building dependency tree
| Reading state information... Done
| Selected version '1.2.2-1' (unstable) for nyancat
| Need to get 20.6 kB of source archives.
| Get:1 http://ftp.debian.org/debian/ unstable/main nyancat 1.2.2-1 (dsc) [1782 B]
| Get:2 http://ftp.debian.org/debian/ unstable/main nyancat 1.2.2-1 (tar) [14.1 kB]
| Get:3 http://ftp.debian.org/debian/ unstable/main nyancat 1.2.2-1 (diff) [4748 B]
| Fetched 20.6 kB in 0s (1757 kB/s)
| gpgv: keyblock resource `/home/jwilk/.gnupg/trustedkeys.gpg': file open error
| gpgv: Signature made Fri Dec 13 23:42:11 2013 CET using RSA key ID 37AD3296
| gpgv: Can't check signature: public key not found
| dpkg-source: warning: failed to verify signature on ./nyancat_1.2.2-1.dsc
| dpkg-source: info: extracting nyancat in nyancat-1.2.2
| dpkg-source: info: unpacking nyancat_1.2.2.orig.tar.gz
| dpkg-source: info: unpacking nyancat_1.2.2-1.debian.tar.gz
| dpkg-source: info: applying 01-nyancat-debhelper.patch
| dpkg-buildpackage: source package nyancat
| dpkg-buildpackage: source version 1.2.2-1
| dpkg-buildpackage: source distribution unstable
| dpkg-buildpackage: source changed by Jonathan McCrohan <jmccrohan@gmail.com>
| dpkg-buildpackage: host architecture amd64
|  dpkg-source --before-build nyancat-1.2.2
|  fakeroot debian/rules clean
[...]

The mitmproxy script I used for testing is attached.

-- System Information:
Debian Release: jessie/sid
 APT prefers unstable
 APT policy: (990, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.14-1-amd64 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash

Versions of packages apt depends on:
ii  debian-archive-keyring  2012.4
ii  gnupg                   1.4.16-1.1
ii  libapt-pkg4.12          1.0.3
ii  libc6                   2.18-7
ii  libgcc1                 1:4.9.0-5
ii  libstdc++6              4.9.0-5

--
Jakub Wilk
# Usage: mitmdump -e -s /path/to/nosigs.py
#
# Inline script for the libmproxy API of 2014: the request() hook can
# short-circuit a request by replying with a ready-made Response, so the
# upstream mirror is never asked for the file at all.

from libmproxy.flow import Response
from netlib.odict import ODictCaseless

def request(context, flow):
    # Only the signature files are targeted; Release, Packages and Sources
    # pass through untouched, which is what produces the "Ign" lines for
    # InRelease and Release.gpg in the apt-get update output above.
    if flow.request.path.endswith(('/Release.gpg', '/InRelease')):
        # Signatures? We ain't got no signatures. We don't need no signatures!
        # I don't have to show you any stinkin' signatures!
        resp = Response(flow.request,
            (1, 1),            # HTTP/1.1
            404, 'Not Found',  # status code and reason phrase
            ODictCaseless(),   # no response headers
            '',                # empty body
            None,
            1,
        )
        flow.request.reply(resp)

# vim:ts=4 sw=4 et

--- End Message ---
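The report above shows two things a client has to establish before trusting what apt-get source hands it: whether the Release file it just fetched was actually authenticated (the "Ign" lines for InRelease and Release.gpg, with apt-get update still exiting 0), and whether the .dsc and tarballs match the hashes in a Sources index that is itself covered by that Release file. The Python below is an added example written for this page; it is neither apt's code nor the reporter's script. It models that chain on constructed data (the Release, Sources, .dsc and tarball contents are made up here, and a successful gpgv check is stood in for by a boolean, since the point is the hash chain rather than OpenPGP), and it parses the apt-get update output quoted in the report to flag suites whose signature files were ignored.

```python
# Added example for this page: a model of the checks apt must make before
# trusting an apt-get source download. Not apt's code; all data is constructed.
import hashlib
import re


def parse_stanzas(text):
    """Split a deb822 document (Release, Sources) into {field: value} dicts.
    Continuation lines (leading whitespace) are joined to their field with '\n'."""
    stanzas, cur, last = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if cur:
                stanzas.append(cur)
            cur, last = {}, None
        elif line[0] in " \t":
            if last is None:
                raise ValueError("continuation line before any field")
            cur[last] += "\n" + line.strip()
        else:
            field, _, value = line.partition(":")
            last = field.strip()
            cur[last] = value.strip()
    if cur:
        stanzas.append(cur)
    return stanzas


def hash_table(field_value):
    """Turn a 'SHA256:' / 'Checksums-Sha256:' field into {path: (hex, size)}."""
    table = {}
    for entry in field_value.split("\n"):
        if entry:
            digest, size, path = entry.split()
            table[path] = (digest, int(size))
    return table


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def file_problem(table, name, data):
    """Return why data is not the file the index describes, or None if it is."""
    if name not in table:
        return f"{name}: not listed in index"
    digest, size = table[name]
    if len(data) != size or sha256(data) != digest:
        return f"{name}: hash mismatch"
    return None


def source_package_problem(release_text, release_signature_ok, sources_text,
                           sources_path, package, files):
    """Walk the chain Release -> Sources -> .dsc/tarballs and return the first
    reason not to trust the download, or None if every link holds.
    release_signature_ok stands in for a successful gpgv check of
    Release.gpg/InRelease against the trusted keyring (assumption of this
    model); files maps the downloaded basenames to their bytes."""
    if not release_signature_ok:
        return "Release is not signed by a trusted key"
    release = parse_stanzas(release_text)[0]
    # Is the Sources index we are about to trust covered by the signed Release?
    problem = file_problem(hash_table(release["SHA256"]), sources_path, sources_text.encode())
    if problem:
        return problem
    stanza = next((s for s in parse_stanzas(sources_text) if s.get("Package") == package), None)
    if stanza is None:
        return f"{package}: not in Sources"
    table = hash_table(stanza["Checksums-Sha256"])
    # Every listed file must be present, and every present file must be listed.
    missing = set(table) - set(files)
    if missing:
        return f"{sorted(missing)[0]}: listed in Sources but not downloaded"
    for name, data in files.items():
        problem = file_problem(table, name, data)
        if problem:
            return problem
    return None


# apt-get update status lines such as "Ign http://host suite InRelease" or
# "Get:1 http://host suite Release [205 kB]" (the ":N" counter is optional).
STATUS_RE = re.compile(r"^(Ign|Get|Hit)(?::\d+)? (\S+) (\S+) (InRelease|Release\.gpg|Release)\b")


def suites_without_signature(apt_update_output):
    """Suites for which apt ignored both InRelease and Release.gpg yet still
    took an unsigned Release, i.e. the situation shown in the report."""
    seen = {}
    for line in apt_update_output.splitlines():
        m = STATUS_RE.match(line)
        if m:
            status, host, suite, what = m.groups()
            seen.setdefault((host, suite), {})[what] = status
    return sorted(f"{host} {suite}" for (host, suite), s in seen.items()
                  if s.get("InRelease") == "Ign" and s.get("Release.gpg") == "Ign"
                  and s.get("Release") in ("Get", "Hit"))


# Constructed sample data (made up for this example, not real archive content).
DSC = b"Format: 3.0 (quilt)\nSource: nyancat\nVersion: 1.2.2-1\n"
ORIG_TAR = b"constructed stand-in for nyancat_1.2.2.orig.tar.gz\n"
DEBIAN_TAR = b"constructed stand-in for nyancat_1.2.2-1.debian.tar.gz\n"
DOWNLOADED = {
    "nyancat_1.2.2-1.dsc": DSC,
    "nyancat_1.2.2.orig.tar.gz": ORIG_TAR,
    "nyancat_1.2.2-1.debian.tar.gz": DEBIAN_TAR,
}


def _entry(name, data):
    return f" {sha256(data)} {len(data)} {name}"


SOURCES = "\n".join(["Package: nyancat", "Version: 1.2.2-1",
                     "Directory: pool/main/n/nyancat", "Checksums-Sha256:"]
                    + [_entry(n, d) for n, d in DOWNLOADED.items()] + [""])
RELEASE = "\n".join(["Suite: unstable", "Codename: sid", "SHA256:",
                     _entry("main/source/Sources", SOURCES.encode()), ""])
APT_UPDATE_OUTPUT = """\
Ign http://ftp.debian.org unstable InRelease
Ign http://ftp.debian.org unstable Release.gpg
Get:1 http://ftp.debian.org unstable Release [205 kB]
Get:2 http://ftp.debian.org unstable/main Sources [7249 kB]
"""

if __name__ == "__main__":
    print("unsigned suites:", suites_without_signature(APT_UPDATE_OUTPUT))
    print("signed:", source_package_problem(RELEASE, True, SOURCES, "main/source/Sources",
                                            "nyancat", DOWNLOADED))
    print("stripped:", source_package_problem(RELEASE, False, SOURCES, "main/source/Sources",
                                              "nyancat", DOWNLOADED))
```

With the signature flag set the chain verifies; with it cleared, as after the mitmproxy script above has removed Release.gpg and InRelease, the download is refused before any hash is even compared, and a tampered tarball or an edited Sources index is caught by the hash links. Refusing in that state is what the wheezy-security update in the next message adds to apt-get source; the real fix also honours --allow-unauthenticated, which this model deliberately leaves out.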
--- Begin Message ---
Source: apt
Source-Version: 0.9.7.9+deb7u2

We believe that the bug you reported is fixed in the latest version of
apt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 749795@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Vogt <mvo@debian.org> (supplier of updated apt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 12 Jun 2014 12:47:25 +0200
Source: apt
Binary: apt libapt-pkg4.12 libapt-inst1.5 apt-doc libapt-pkg-dev libapt-pkg-doc apt-utils apt-transport-https
Architecture: source all amd64
Version: 0.9.7.9+deb7u2
Distribution: wheezy-security
Urgency: high
Maintainer: APT Development Team <deity@lists.debian.org>
Changed-By: Michael Vogt <mvo@debian.org>
Description: 
 apt        - commandline package manager
 apt-doc    - documentation for APT
 apt-transport-https - https download transport for APT
 apt-utils  - package managment related utility programs
 libapt-inst1.5 - deb package format runtime library
 libapt-pkg-dev - development files for APT's libapt-pkg and libapt-inst
 libapt-pkg-doc - documentation for APT development
 libapt-pkg4.12 - package managment runtime library
Closes: 749795
Changes: 
 apt (0.9.7.9+deb7u2) wheezy-security; urgency=high
 .
   * SECURITY UPDATE: apt-get source validation (closes: #749795)
     - CVE-2014-0478
Checksums-Sha1: 
 cb8ceff4ac6843de5712f13597ce33eb3360ce3e 1707 apt_0.9.7.9+deb7u2.dsc
 bb1d29fa2b799868a909c822e250c14be055f763 3399785 apt_0.9.7.9+deb7u2.tar.gz
 56c78ce70c079a9d55996bcf40ddb94074e38b00 261440 apt-doc_0.9.7.9+deb7u2_all.deb
 b8ad0e3aab1f19b41bae9f402f75d5c8369ff89c 959170 libapt-pkg-doc_0.9.7.9+deb7u2_all.deb
 6606ac96a7bd3c15fe3138f3ef76bfdfcf7a107d 889796 libapt-pkg4.12_0.9.7.9+deb7u2_amd64.deb
 4d4fa4aba36e2a229e90c179e21c8039d0d4ef40 166658 libapt-inst1.5_0.9.7.9+deb7u2_amd64.deb
 f4129fda11b109122ebe300213d88c92cf2b45a7 1261084 apt_0.9.7.9+deb7u2_amd64.deb
 9ec988fcc8761c2de1b92343b87266e79ed97963 187028 libapt-pkg-dev_0.9.7.9+deb7u2_amd64.deb
 44f8ece956dbfe3f2218dead396b8890bc00cd09 377536 apt-utils_0.9.7.9+deb7u2_amd64.deb
 9a7a37335f0e9a9b010016b346a21875833f0af4 108850 apt-transport-https_0.9.7.9+deb7u2_amd64.deb
Checksums-Sha256: 
 3175904abac4645d07662035cfa97718321f6a3cf78dfa2849b34977bb24c565 1707 apt_0.9.7.9+deb7u2.dsc
 3f665cb0e1304681212a292a25fe27f8555ee344c110b7ed6dbdd636c19e8686 3399785 apt_0.9.7.9+deb7u2.tar.gz
 8b089afe469223c7b6672f266590006ff6d79ffc4f83af1f8c15b596a9aa3125 261440 apt-doc_0.9.7.9+deb7u2_all.deb
 03117d4102bc510a4f1a6efac8dead97d3827588107ba6c1e979e998f4214c44 959170 libapt-pkg-doc_0.9.7.9+deb7u2_all.deb
 89b7e28d8fef6551646760fc85e586fa3f0d5b802fd44b1168da7448acc84e8e 889796 libapt-pkg4.12_0.9.7.9+deb7u2_amd64.deb
 a57680fc959c7e25097bb70398860506e4c8c8d1fbc5b8bb5c637855cb7d8978 166658 libapt-inst1.5_0.9.7.9+deb7u2_amd64.deb
 36997b52ad31ae481ba9be17d592b6737d29cb11b1357e2061ce5fd57b2635fe 1261084 apt_0.9.7.9+deb7u2_amd64.deb
 23af5f2a03a08350538660586c97f29b986ff629b298d7ecfe7a42c2a01d9902 187028 libapt-pkg-dev_0.9.7.9+deb7u2_amd64.deb
 6c33e95f587e9a28d61fb7bf1375ec9a427636702b0cce3f7f3f030ff1193da9 377536 apt-utils_0.9.7.9+deb7u2_amd64.deb
 e7bcd8c319e71b06cdfe3ab2b6e67378b935194d2d3556dce383aa163a5dcd59 108850 apt-transport-https_0.9.7.9+deb7u2_amd64.deb
Files: 
 794d53bb8bc41c625fe3837a11fd5d17 1707 admin important apt_0.9.7.9+deb7u2.dsc
 11742f10404fca4c56669f2804af3764 3399785 admin important apt_0.9.7.9+deb7u2.tar.gz
 0cbe517179118a12386f256575a8356b 261440 doc optional apt-doc_0.9.7.9+deb7u2_all.deb
 d0b8099d4f9c5e19528d7fc655724b82 959170 doc optional libapt-pkg-doc_0.9.7.9+deb7u2_all.deb
 9437e9e1d864ece245263eca3e1cd9fd 889796 libs important libapt-pkg4.12_0.9.7.9+deb7u2_amd64.deb
 782fcd67201a92589be12b474d12c086 166658 libs important libapt-inst1.5_0.9.7.9+deb7u2_amd64.deb
 7603385c4f7f8e2bd098bd9a79878403 1261084 admin important apt_0.9.7.9+deb7u2_amd64.deb
 94278e43c53af971d570c9544792237d 187028 libdevel optional libapt-pkg-dev_0.9.7.9+deb7u2_amd64.deb
 dd8bc29f4b17c55a878b824568449a3e 377536 admin important apt-utils_0.9.7.9+deb7u2_amd64.deb
 3075898eaff96911425df6afd11c8631 108850 admin optional apt-transport-https_0.9.7.9+deb7u2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAlOZybMACgkQliSD4VZixzQrOgCfe5CYzF8guEbiq/b2WhGpN7ZH
l14An3upZfD/1SZKFEjZELI9OSL4j1U8
=3WbZ
-----END PGP SIGNATURE-----

--- End Message ---
