
Bug#665920: marked as done (apt: failed secure APT checks don't give errors and non-zero exit statuses in all cases)



Your message dated Fri, 14 Aug 2015 15:36:15 +0200
with message-id <20150814153533.GA31099@debian.org>
and subject line Re: Bug#665920: apt: failed secure APT checks don't give errors and non-zero exit statuses in all cases
has caused the Debian Bug report #665920,
regarding apt: failed secure APT checks don't give errors and non-zero exit statuses in all cases
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
665920: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=665920
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: apt
Version: 0.8.15.10
Severity: important


Hi.

I did some non-systematic tests on secure APT (with partially shocking results).

The following is at least true, for the download action of apt (and I guess
therefore of aptitude, too), perhaps for other actions (and/or option combinations,
in which verifications should happen, too).

It does not give an error and exit code = 0 when the verification of the downloaded
file fails.


The check seems however to actually take place, cause if I modify the hashsums
in e.g. ftp.de.debian.org_debian_dists_unstable_main_binary-amd64_Packages for
the base-files binary package and I do an:
$ apt-get download base-files
Get:1 Downloading base-files 6.7 [69,4 kB]
Fetched 69,4 kB in 0s (134 kB/s)

All I get is:
$ l
total 78k
drwxr-xr-x 2 calestyo calestyo 4,1k Mar 27 03:00 .
drwx------ 6 calestyo calestyo 4,1k Mar 27 02:41 ..
-rw-r--r-- 1 calestyo calestyo  70k Mar  4 01:17 base-files_6.7_amd64.deb.FAILED


Generally I think that all kinds of verification errors should be treated as (most
severe) errors (not just warnings) and that the exit status should be non-zero.
Best would be to have a special exit code that denotes that potential security issues
occurred.


In the above case, renaming the file to .FAILED may seem enough, but one can never
know how the user uses the system, and perhaps relies on failed exit statuses.
Or imagine a (though stupid) script that downloads the .deb to a temp dir and
takes the only file of that dir (regardless of the .FAILED) and e.g. installs it.
I mean this would be badly written code, but we really should try to protect even
such cases, especially when this is easily possible.


Cheers,
Chris.



btw: Perhaps someone can explain this:
I traced the process and get the following:
stat("/var/lib/apt/lists/ftp.de.debian.org_debian_dists_unstable_Release.gpg", 0x7fff750b4670) = -1 ENOENT (No such file or directory)
stat("/var/lib/apt/lists/_srv_local-package-archive_dists_unstable_Release.gpg", {st_mode=S_IFREG|0644, st_size=836, ...}) = 0

So while there is a Release.gpg for my local archive, there is none for Debian's.
Why and is this a security problem?



--- End Message ---
--- Begin Message ---
On Tue, Mar 27, 2012 at 03:12:07AM +0200, Christoph Anton Mitterer wrote:
> Package: apt
> Version: 0.8.15.10
> Severity: important
> 
> 
> Hi.
> 
> I did some non-systematic tests on secure APT (with partially shocking results).
> 
> The following is at least true, for the download action of apt (and I guess
> therefore of aptitude, too), perhaps for other actions (and or option combinations,
> in which verifications should happen, too)
> 
> It does not give an error and exit code = 0 when the verification of the downloaded
> file fails.
> 
> 
It exits with 100 in sid and experimental now.

-- 
Julian Andres Klode  - Debian Developer, Ubuntu Member

See http://wiki.debian.org/JulianAndresKlode and http://jak-linux.org/.

Be friendly, do not top-post, and follow RFC 1855 "Netiquette".
    - If you don't I might ignore you.

--- End Message ---
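The report above describes a script that takes "the only file" in a download directory and installs it regardless of the .FAILED suffix, and the reply notes that newer apt exits with status 100 on a failed check. The following POSIX sh wrapper is an added example (not code from the bug report or from apt itself) showing the defensive counterpart: it fails on a non-zero `apt-get download` exit status and refuses to use a directory that contains any `*.FAILED` marker, even when that marker is the only file present. The function names `select_verified_deb` and `download_verified` are assumptions for this illustration, and the demo directory at the end is constructed to mirror the listing in the report.

```shell
#!/bin/sh
# Added example, not part of the original bug report or of apt.
# Defensive handling of `apt-get download` results: never trust "the only
# file in the directory"; check both the exit status and the .FAILED marker
# that apt leaves behind when a hash or signature check fails.

# Assumed helper: print the single usable .deb in "$1", or return 1.
# Any *.FAILED file in the directory is treated as a verification failure,
# and so is an empty directory or more than one .deb (ambiguous result).
select_verified_deb() {
    dir="$1"
    for f in "$dir"/*.FAILED; do
        if [ -e "$f" ]; then
            echo "verification failure marker present: $f" >&2
            return 1
        fi
    done
    deb=""
    for f in "$dir"/*.deb; do
        if [ -e "$f" ]; then
            if [ -n "$deb" ]; then
                echo "more than one .deb in $dir, refusing to guess" >&2
                return 1
            fi
            deb="$f"
        fi
    done
    if [ -z "$deb" ]; then
        echo "no .deb found in $dir" >&2
        return 1
    fi
    printf '%s\n' "$deb"
}

# Assumed wrapper: download "$1" into a fresh temp dir and print the path of
# the verified .deb. A non-zero exit from apt-get (100 on failed checks in
# sid/experimental, per the maintainer's reply) aborts before anything is used.
download_verified() {
    pkg="$1"
    tmp=$(mktemp -d) || return 1
    if ! ( cd "$tmp" && apt-get download "$pkg" ); then
        echo "apt-get download $pkg failed, discarding $tmp" >&2
        rm -rf "$tmp"
        return 1
    fi
    select_verified_deb "$tmp"
}

# Offline demo on a constructed directory that mirrors the listing in the
# report (one base-files_6.7_amd64.deb.FAILED file and nothing else).
demo_dir=$(mktemp -d)
: > "$demo_dir/base-files_6.7_amd64.deb.FAILED"
if select_verified_deb "$demo_dir"; then
    echo "BUG: accepted a failed download"
else
    echo "correctly rejected $demo_dir"
fi
rm -rf "$demo_dir"
```

The `.FAILED` check runs before the `.deb` glob on purpose: a directory holding both a stale good `.deb` and a fresh `.FAILED` marker is still a failed download, so the marker wins regardless of what else is present.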
