
Thoughts on APT architecture and hardening



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi,

following the release of the fix for CVE-2019-3462, there are a few things I'm
wondering about regarding apt's architecture. I'm leaving aside the http/https
debate (which I think we need to have for Buster, though), but here are my
thoughts (especially in light of Max Justicz's blog post at
https://justi.cz/security/2019/01/22/apt-rce.html)

I didn't really know about apt's architecture and the fact that fetchers are
forked. I think it's a good idea to isolate exposed workers dealing with
untrusted data (especially HTTP), but the apt main process seems to trust data
coming from the workers. I'm unsure where the trust boundary is here, but if
the fetchers' data is trusted, I guess workers shouldn't just copy content from
outside to inside but do a real (/complex) sanitization job before handing it
to apt?

As I understand it, the file hashes are calculated (or in this case, injected
from outside) by the worker, and not by the apt main process. Is that a good
idea?

Finally, we're again bitten by GPG's drawbacks: RCE is really possible here
because gpg won't complain when the release file is actually also something
else. Validating the release file format might be a good idea by itself, but
it'd be nice (though out of scope for deity@) if the signature scheme didn't
allow such things to happen.

Those are open questions/remarks and might be naive since I don't really know
apt code, and that's why I didn't open specific bugs, but I'd be interested in
your opinion on this.

Finally, many thanks to Julian for the quick patching during the embargo.

Regards,
- -- 
Yves-Alexis
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEE8vi34Qgfo83x35gF3rYcyPpXRFsFAlxIOrcACgkQ3rYcyPpX
RFuGGQgArJOPXzeoj9tX0d3NIhl4zZo9DVvkp5Z4WmT8ffpP2QOqZAGLtM/duOJ+
qMx9vBSP8iOjngbzroSCQRozd16by3LyxkXrEXFvRaV+udoFgi20QTbL2xk+Phem
qC7GiUa7ULaXaPnDznt8OdgpFbe680bWQ828NE/MNisBeutoJ3cEka4dXA2o/Hvf
RthuSLU5ZjgBMAfWiGGWr+nQzWPxs6K+JgpPUPYqPDhiUX+au7KFynbCVBJ1+Z1/
yPkT/s9mQ5pKZ10lyFCycsarjkQqkkskY977XgFVrf7NqzCft5k5nVtGgDaBwrpp
Ei/e6n0w51zEom1GTNutKpMOVy2xCA==
=WrTK
-----END PGP SIGNATURE-----
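
As an added illustration of the trust boundary the mail asks about (not code from apt, and not the poster's), here is a small Python model of the worker-to-main-process message stream. The framing (a "NNN Description" status line, "Key: Value" header lines, blank line ends a message) follows apt's method interface; the field names `URI`, `New-URI`, `Filename` and `SHA256-Hash`, the redirect-target value carrying embedded newlines, and the package bytes are constructed assumptions. It contrasts a worker that copies an untrusted value straight into the framing with one that refuses control characters, and a main process that believes the hash the worker reports with one that recomputes the hash over the bytes that actually arrived.

```python
"""Model of the apt main-process <-> fetcher ("method") message boundary.
Constructed for this thread, not apt's code; framing follows apt's method
interface, field names and the forged-hash scenario are assumed."""
import hashlib
import re
from typing import Dict, List, Tuple

Message = Tuple[int, Dict[str, str]]
STATUS_RE = re.compile(r"^(\d{3}) (.*)$")
CONTROL_RE = re.compile(r"[\r\n\x00]")


def parse_messages(raw: str) -> List[Message]:
    """Main-process side: split the worker's stream into (code, headers)."""
    messages: List[Message] = []
    for block in raw.split("\n\n"):
        lines = [ln for ln in block.split("\n") if ln]
        if not lines:
            continue
        m = STATUS_RE.match(lines[0])
        if m is None:
            raise ValueError(f"bad status line: {lines[0]!r}")
        headers: Dict[str, str] = {}
        for ln in lines[1:]:
            key, sep, value = ln.partition(":")
            if not sep:
                raise ValueError(f"bad header line: {ln!r}")
            headers[key.strip()] = value.strip()
        messages.append((int(m.group(1)), headers))
    return messages


def build_message_naive(code: int, desc: str, fields: Dict[str, str]) -> str:
    """Worker side, the pattern the mail warns about: untrusted values copied
    verbatim into the framing, so a newline in a value adds header lines or
    even a whole second message."""
    out = f"{code} {desc}\n"
    for key, value in fields.items():
        out += f"{key}: {value}\n"
    return out + "\n"


def build_message_safe(code: int, desc: str, fields: Dict[str, str]) -> str:
    """Worker side, hardened: refuse anything that could break the framing."""
    for key, value in fields.items():
        if not re.fullmatch(r"[A-Za-z0-9-]+", key) or CONTROL_RE.search(value):
            raise ValueError(f"refusing field {key!r}: control character in value")
    return build_message_naive(code, desc, fields)


def accept_done_trusting(msg: Message, expected_sha256: str) -> bool:
    """Main-process side, trusting: believe the hash the worker reports."""
    code, headers = msg
    return code == 201 and headers.get("SHA256-Hash") == expected_sha256


def accept_done_hardened(msg: Message, expected_sha256: str, file_bytes: bytes) -> bool:
    """Main-process side, hardened: hash the bytes that actually arrived and
    compare with the value taken from the signed index; ignore the worker's claim."""
    code, _headers = msg
    return code == 201 and hashlib.sha256(file_bytes).hexdigest() == expected_sha256


# Constructed inputs: what the signed index promises, what the mirror really
# served, and a redirect target that smuggles a complete "201 URI Done" message.
GOOD_DEB = b"genuine package contents"
EVIL_DEB = b"attacker supplied contents"
EXPECTED_SHA256 = hashlib.sha256(GOOD_DEB).hexdigest()
PKG_URI = "http://mirror.example/pool/pkg.deb"
SMUGGLED_LOCATION = (
    f"{PKG_URI}\n\n201 URI Done\nURI: {PKG_URI}\n"
    f"Filename: /var/cache/apt/archives/pkg.deb\nSHA256-Hash: {EXPECTED_SHA256}"
)
REDIRECT_FIELDS = {"URI": PKG_URI, "New-URI": SMUGGLED_LOCATION}


def demo() -> Dict[str, bool]:
    """Run the forgery against both worker and both main-process variants."""
    msgs = parse_messages(build_message_naive(103, "Redirect", REDIRECT_FIELDS))
    done = msgs[-1]  # the injected message, parsed as if the worker had sent it
    try:
        build_message_safe(103, "Redirect", REDIRECT_FIELDS)
        safe_refused = False
    except ValueError:
        safe_refused = True
    return {
        "extra_message_injected": len(msgs) == 2 and done[0] == 201,
        "trusting_parent_accepts_forgery": accept_done_trusting(done, EXPECTED_SHA256),
        "hardened_parent_rejects_forgery": not accept_done_hardened(done, EXPECTED_SHA256, EVIL_DEB),
        "hardened_parent_accepts_genuine": accept_done_hardened(done, EXPECTED_SHA256, GOOD_DEB),
        "safe_worker_refuses_value": safe_refused,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the two parent variants is the one the mail raises: if the main process derives the hash from a field the worker wrote, then whoever controls the worker's input (here, the value copied into `New-URI`) controls the hash, and the signed index is never actually consulted against the file. Recomputing the digest in the parent, or at minimum refusing framing characters on the worker side, closes that gap regardless of which transport the worker speaks.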

