
Bug#945911: APT leaks repository credentials



Control: tag -1 moreinfo

On Sat, Nov 30, 2019 at 10:36:29PM +0100, Florian Zumbiehl wrote:
> Package: apt
> Version: 1.8.2
> Severity: critical
> 
> APT now promotes using auth.conf to store repository credentials.
> Unfortunately, the way these credentials are handled causes a confused
> deputy style problem:
> 
> The credentials to transmit for a request are selected not based on the
> host name specified in the sources.list, but rather based on the URI that
> is being requested. Thus, any repository server that APT ever makes an
> HTTP(S) request to can issue an HTTP redirect to any URI that points to any
> of the (other) servers for which credentials are stored in the auth.conf
> file, and APT will then send those credentials to whatever endpoint that is
> specified as the redirection target URI.

Yes, and why, please tell, should that be a problem? That's how stuff
works. If I request https://a/b/c and it redirects me to https://x/y/z,
I need login details for x/y/z to login.

Saying we should send the credentials for a/b/c to x/y/z does not make
a whole lot of sense.

This also assumes that you have access to the a/b/c server _and_ the
x/y/z server.

> 
> Examples for how this could be exploited are:
> 
> - The redirect could point to a different port on the server than where the
>   repository is hosted, possibly an unprivileged port where an attacker on
>   that server could be listening to receive the credentials.

I don't understand. FWIW, credentials can be limited by port, and path.

> 
> - The redirect could point to an HTTP URI to expose the credentials as
>   plain text on the wire, even where the sources.list entries for the
>   respective server point only to HTTPS URIs to protect from eavesdroppers.

HTTPS->HTTP redirects are not allowed.

> 
> - The redirect could point to an existing resource in the repository the
>   credentials are actually meant for in order to make APT download that
>   resource and then use it in a context it wasn't meant for, thus
>   potentially leaking contents of the password-protected repository.

I don't understand.


-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                              i speak de, en
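To make the lookup behaviour discussed in this thread concrete (credentials chosen by the URI actually requested, optionally restricted by port and path, and an HTTPS->HTTP redirect refused), here is an added example that is not part of the bug report or of APT's own code. It is a simplified model of apt_auth.conf matching, and the hosts, paths, logins and passwords are constructed.

```python
from urllib.parse import urlsplit

# Constructed auth.conf entries in the netrc-style format apt uses:
# "machine HOST[:PORT][/PATH] login USER password PASS". Simplified model, not apt's parser.
AUTH_CONF = """\
machine repo.example.org/debian login alice password s3cret
machine mirror.example.net:8443 login bob password hunter2
"""

def parse_auth_conf(text):
    """Parse machine lines into dicts with host, optional port, path prefix and credentials."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "machine":
            continue
        hostport, sep, path = tok[1].partition("/")
        host, _, port = hostport.partition(":")
        entries.append({
            "host": host,
            "port": int(port) if port else None,   # None: any port matches
            "path": "/" + path if sep else "/",     # "/" : any path matches
            "login": tok[tok.index("login") + 1],
            "password": tok[tok.index("password") + 1],
        })
    return entries

def lookup(entries, uri):
    """Return (login, password) of the first entry whose host, port and path prefix match uri."""
    u = urlsplit(uri)
    port = u.port or (443 if u.scheme == "https" else 80)
    for e in entries:
        if e["host"] != u.hostname:
            continue
        if e["port"] is not None and e["port"] != port:
            continue
        if not (u.path or "/").startswith(e["path"]):
            continue
        return e["login"], e["password"]
    return None

def credentials_after_redirect(entries, original, target):
    """Model the behaviour under discussion: credentials are selected for the redirect
    target URI, not for the sources.list host, and an https->http downgrade is refused."""
    if urlsplit(original).scheme == "https" and urlsplit(target).scheme != "https":
        raise ValueError("refusing HTTPS->HTTP redirect")
    return lookup(entries, target)
```

Narrowing an entry to a port and path, as the reply suggests, is what keeps a redirect to another port or path on the same host from receiving the credentials.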
