
Bug#724744: marked as done ('apt-get source' does not stop if signatures can't be checked)



Your message dated Thu, 05 Jan 2017 21:03:45 +0000
with message-id <E1cPFCL-00084z-7K@fasolo.debian.org>
and subject line Bug#724744: fixed in apt 1.4~beta3
has caused the Debian Bug report #724744,
regarding 'apt-get source' does not stop if signatures can't be checked
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
724744: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=724744
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: apt
Version: 0.9.7.9
Severity: grave
Tags: security

Source packages are signed, therefore it's fair to expect 'apt-get
source' to enforce signature verification. But it merely prints a
warning and continues if it can't check a signature because of a missing
key (e.g. when you forgot to install the developer keyring). This seems
to be caused by dpkg-source needing the --require-valid-signature option 
to enable strict checking (*).

Freenode's #debian suggested I should file a bug on 'apt' since it's the
frontend, and set a 'wishlist' severity. However I decided to give it a
'grave' severity because Debian policy says that's appropriate when a
package introduces a command that exposes the user accounts to attacks
when run ( http://release.debian.org/stable/rc_policy.txt ). I'm hoping
this gets treated more seriously than 'wishlist' (**).

The security hole in this case involves introducing a compromised source
package on a Debian mirror. Then apt will happily take it, unpack it,
patch stuff and possibly execute arbitrary code from it, without
quitting if it can't check signatures. It breaks the reasonable
assumption that the package manager will check source package signatures
for official packages just as it checks binary packages.

(*) I'd also argue --require-valid-signature is an incredibly poor
default in itself, and that's what should be fixed. It essentially makes
security a long option to a core Debian command and it's off by default.

(**) I should remind you of my somewhat related #722906 issue on downloads
being exceedingly difficult to check correctly from non-Debian machines,
which also got a 'wishlist' status (initially 'important' and not tagged as a
security issue) and had its subject changed to something more benign.
I'm hoping my report was misunderstood.

--- End Message ---
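The report above hinges on where the trust for a source package actually comes from. apt-get source does not rely on the OpenPGP signature embedded in the .dsc (that check is dpkg-source's, needs the maintainer keyrings, and is what the 1.4~beta3 fix below turns off with --no-check); it verifies the downloaded .dsc and tarballs against the sizes and SHA-256 digests listed in the Sources index, which apt already authenticated through the signed Release file. The following is an added example, not apt or dpkg code, showing that hash-list check in isolation: it parses a Checksums-Sha256 field in the control-stanza format used by Sources and .dsc files, verifies files in a directory against it, and reports tampering. The stanza, file names and contents it builds are constructed placeholders.

```python
"""Verify source-package files against a control stanza's Checksums-Sha256 field.

Added example, not apt or dpkg code. It mirrors the trust chain apt-get
source relies on: the digests come from an index (Sources) that was itself
verified under the signed Release file, and any file whose size or digest
differs from that list is rejected. All sample data below is constructed.
"""
import hashlib
import os
import re
import tempfile


def parse_checksums(stanza: str, field: str = "Checksums-Sha256") -> dict:
    """Return {filename: (hexdigest, size)} from a multi-line control field."""
    entries = {}
    in_field = False
    for line in stanza.splitlines():
        if line.startswith(field + ":"):
            in_field = True
            continue
        if in_field:
            if not line.startswith(" "):   # continuation lines are indented
                break
            parts = line.split()
            if len(parts) != 3:
                raise ValueError(f"malformed checksum line: {line!r}")
            digest, size, name = parts
            if not re.fullmatch(r"[0-9a-f]{64}", digest):
                raise ValueError(f"bad sha256 for {name}")
            if "/" in name or name in ("", ".", ".."):
                raise ValueError(f"refusing path-like file name {name!r}")
            entries[name] = (digest, int(size))
    if not entries:
        raise ValueError(f"no {field} entries found")
    return entries


def sha256_file(path: str) -> tuple:
    """Stream a file through SHA-256; return (hexdigest, byte count)."""
    h = hashlib.sha256()
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
            size += len(chunk)
    return h.hexdigest(), size


def verify_files(stanza: str, directory: str) -> dict:
    """Return {filename: 'ok' | 'missing' | 'size-mismatch' | 'hash-mismatch'}."""
    result = {}
    for name, (expected, size) in parse_checksums(stanza).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            result[name] = "missing"
            continue
        actual, actual_size = sha256_file(path)
        if actual_size != size:
            result[name] = "size-mismatch"
        elif actual != expected:
            result[name] = "hash-mismatch"
        else:
            result[name] = "ok"
    return result


def build_sample(directory: str) -> str:
    """Write constructed placeholder .dsc/.tar.xz files; return a stanza listing them."""
    files = {
        "example_1.0.dsc": b"Format: 3.0 (quilt)\nSource: example\n",
        "example_1.0.orig.tar.xz": b"not a real tarball, constructed sample\n",
    }
    lines = ["Package: example", "Version: 1.0", "Checksums-Sha256:"]
    for name, data in files.items():
        with open(os.path.join(directory, name), "wb") as f:
            f.write(data)
        lines.append(f" {hashlib.sha256(data).hexdigest()} {len(data)} {name}")
    lines.append("Directory: pool/main/e/example")   # next field ends the list
    return "\n".join(lines) + "\n"


def demo() -> tuple:
    """Check intact files, then the same files after simulated mirror tampering."""
    with tempfile.TemporaryDirectory() as d:
        stanza = build_sample(d)
        before = verify_files(stanza, d)
        with open(os.path.join(d, "example_1.0.orig.tar.xz"), "ab") as f:
            f.write(b"X")   # appended byte: size and digest both change
        after = verify_files(stanza, d)
    return before, after


if __name__ == "__main__":
    print(demo())
```

The size check runs before the digest so a truncated or padded download is rejected without hashing it at all; the file-name check refuses entries that could escape the unpack directory, which a hostile index could otherwise try.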
--- Begin Message ---
Source: apt
Source-Version: 1.4~beta3

We believe that the bug you reported is fixed in the latest version of
apt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 724744@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Julian Andres Klode <jak@debian.org> (supplier of updated apt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 05 Jan 2017 20:50:01 +0100
Source: apt
Binary: apt libapt-pkg5.0 libapt-inst2.0 apt-doc libapt-pkg-dev libapt-pkg-doc apt-utils apt-transport-https
Architecture: source
Version: 1.4~beta3
Distribution: unstable
Urgency: medium
Maintainer: APT Development Team <deity@lists.debian.org>
Changed-By: Julian Andres Klode <jak@debian.org>
Description:
 apt        - commandline package manager
 apt-doc    - documentation for APT
 apt-transport-https - https download transport for APT
 apt-utils  - package management related utility programs
 libapt-inst2.0 - deb package format runtime library
 libapt-pkg-dev - development files for APT's libapt-pkg and libapt-inst
 libapt-pkg-doc - documentation for APT development
 libapt-pkg5.0 - package management runtime library
Closes: 440057 709092 724744 813786 845775 845969 846514 849235
Changes:
 apt (1.4~beta3) unstable; urgency=medium
 .
   [ Lukasz Kawczynski ]
   * Honour Acquire::ForceIPv4/6 in the https transport
 .
   [ David Kalnischkies ]
   * reword "Can't drop priv" warning message (Closes: #813786) (LP: #1522675)
   * let {dsc,tar,diff}-only implicitly enable download-only
   * remove needless fork() in apt-get source
   * default to --no-check for dpkg-source call (Closes: 724744)
   * warn if clearsigned file has ignored content parts
   * ensure generation of valid EDSP error stanzas
   * add --indep-only for build-dep command (Closes: #845775)
   * allow default build-essentials to be overridden
   * expand -f to --fix-broken in error messages.
     Thanks to Kristian Glass for initial patch! (Closes: #709092)
   * separating state variables regarding server/request (Closes: #440057)
   * fix minimum pkgs option for dpkg --recursive usage
   * allow warning generation for non-whitelisted options
 .
   [ Oriol Debian ]
   * Catalan program translation update (Closes: #846514)
 .
   [ Frans Spiesschaert ]
   * Dutch manpages translation update (Closes: #849235)
 .
   [ Niels Thykier ]
   * ParseDepends: Support passing the desired architecture (Closes: #845969)
Checksums-Sha1:
 79cec732b9721a4a3ba432ba491346c760791344 2565 apt_1.4~beta3.dsc
 13b1b47165d69252810c6f84ae0019c7554c5640 2061292 apt_1.4~beta3.tar.xz
Checksums-Sha256:
 04428e7fbb0887bafe598ec5ad0589b757b2956c622a8aa638ed5f8a956a1c08 2565 apt_1.4~beta3.dsc
 f721b03fa3f8a2013fdd0f42312f765143ccc98f0f0c07fb4c78d82794314ea4 2061292 apt_1.4~beta3.tar.xz
Files:
 01076a1136405b99601664e190cda817 2565 admin important apt_1.4~beta3.dsc
 e43e896bc4c7a1e8e40d67804ad3410f 2061292 admin important apt_1.4~beta3.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
