
Bug#763399: marked as done (Hardening dpkg/apt)



Your message dated Fri, 14 Aug 2015 14:55:07 +0200
with message-id <20150814125507.GA17791@crossbow>
and subject line Re: Bug#763399: Hardening dpkg/apt
has caused the Debian Bug report #763399,
regarding Hardening dpkg/apt
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
763399: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=763399
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: apt
Version: all


Sometimes apt/dpkg can contain vulnerable, remotely exploitable bugs, which is a big risk when used over the untrusted internet. As it happens, anyone could have been in a position to run man-in-the-middle attacks with the latest security hole [CVE-2014-6273] in apt-get. What makes this bug crippling is that updating apt to fix it would have exposed it to what the fix was supposed to prevent, so manually downloading the package out of band was the safest option this time.

In order to drastically limit an attacker's options I recommend creating a seccomp-bpf filter for apt and dpkg to limit what they can do should a weak function be remotely exploited. Other options include enabling any and all compile-time binary hardening such as PIE, RELRO, CANARY etc.


Seccomp Resources:

https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt (Kernel documentation for the feature)

http://outflux.net/teach-seccomp/ (A guide on writing a simple filter and using error checking. Note that seccomp supports whitelists, which can make it easier: you simply allow only the bare minimum of safe syscalls needed to make curl function.)
--- End Message ---
--- Begin Message ---
Version: 1.1~exp1

Hi,

On Wed, Oct 01, 2014 at 02:44:56PM +0200, Michael Vogt wrote:
> All hardening except for PIE and ld -z are currently enabled, these
> two will be enabled with the next upload (probably in experimental
> first).

Done.

> We do want to go further and protect the downloaders but there is some
> more work involved here, we need to move the proxy auto-detection out
> of the acquire method first but once that is done, we can further lock
> down the downloader code.

Kinda done (as this is open ended). Most methods switch now to our new
unprivileged user _apt before talking to the network, which helps in
preventing breaking out of them and getting root rights. It also
prevents them from reading/writing arbitrary files…

> Help with this effort is of course very welcome :) !

… but there is always more we can and should do. Just that an open ended
bugreport isn't going to help in this. I am therefore closing this
bugreport and encourage instead to discuss specific ideas and issues on
the list and/or in new bugreports – preferably with a patch :)


Best regards

David Kalnischkies



--- End Message ---