
Bug#977994: marked as done (apt: Output from sandboxed methods should not be trusted)



Your message dated Mon, 28 Dec 2020 12:47:48 +0100
with message-id <20201228114748.vfypx2dssletj3a6@crossbow>
and subject line Re: Bug#977994: apt: Output from sandboxed methods should not be trusted
has caused the Debian Bug report #977994,
regarding apt: Output from sandboxed methods should not be trusted
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
977994: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=977994
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: apt
Version: 1.8.2.2
Severity: important

Dear Maintainer,

As far as I can tell, APT still trusts the output of its methods.  This
means that while they are sandboxed in theory, this sandbox is trivially
escapable in practice.

This would be Severity: critical except that no vulnerability in the
respective methods is known.  Nevertheless, this is what made
CVE-2019-3462 a devastating remote code execution vulnerability, rather
than a minor annoyance.

-- Package-specific info:

-- apt-config dump --


-- (no /etc/apt/preferences present) --


-- /etc/apt/preferences.d/restrict-unstable --

Package: *
Pin: release a=unstable
Pin-Priority: 50

-- /etc/apt/sources.list --

deb https://deb.debian.org/debian buster main contrib non-free
#deb-src https://deb.debian.org/debian buster main contrib non-free

deb https://deb.debian.org/debian-security buster/updates main contrib non-free
#deb-src https://deb.debian.org/debian-security buster/updates main contrib non-free


-- /etc/apt/sources.list.d/qubes-r4.list --

# Main qubes updates repository
#deb [arch=amd64] https://deb.qubes-os.org/r4.0/vm buster main
#deb-src https://deb.qubes-os.org/r4.0/vm buster main

# Qubes updates candidates repository
#deb [arch=amd64] https://deb.qubes-os.org/r4.0/vm buster-testing main
#deb-src https://deb.qubes-os.org/r4.0/vm buster-testing main

# Qubes security updates testing repository
#deb [arch=amd64] https://deb.qubes-os.org/r4.0/vm buster-securitytesting main
#deb-src https://deb.qubes-os.org/r4.0/vm buster-securitytesting main

# Qubes experimental/unstable repository
#deb [arch=amd64] https://deb.qubes-os.org/r4.0/vm buster-unstable main
#deb-src https://deb.qubes-os.org/r4.0/vm buster-unstable main


# Qubes Tor updates repositories
# Main qubes updates repository
deb [arch=amd64] http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.0/vm buster main
#deb-src tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.0/vm buster main

# Qubes updates candidates repository
#deb [arch=amd64] tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.0/vm buster-testing main
#deb-src tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.0/vm buster-testing main

# Qubes security updates testing repository
deb [arch=amd64] http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.0/vm buster-securitytesting main
#deb-src tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.0/vm buster-securitytesting main

# Qubes experimental/unstable repository
#deb [arch=amd64] tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.0/vm buster-unstable main
#deb-src tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.0/vm buster-unstable main


-- /etc/apt/sources.list.d/sid.list --

#deb https://deb.debian.org/debian sid main contrib non-free
#deb-src https://deb.debian.org/debian sid main contrib non-free

#deb https://deb.debian.org/debian buster-backports main contrib non-free
#deb-src https://deb.debian.org/debian buster-backports main contrib non-free

-- System Information:
Debian Release: 10.7
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.4.83-1.qubes.x86_64 (SMP w/2 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apt depends on:
ii  adduser                 3.118
ii  debian-archive-keyring  2019.1
ii  gpgv                    2.2.12-1+deb10u1
ii  libapt-pkg5.0           1.8.2.2
ii  libc6                   2.28-10
ii  libgcc1                 1:8.3.0-6
ii  libgnutls30             3.6.7-4+deb10u5
ii  libseccomp2             2.3.3-4
ii  libstdc++6              8.3.0-6

Versions of packages apt recommends:
ii  ca-certificates  20190110

Versions of packages apt suggests:
pn  apt-doc         <none>
ii  aptitude        0.8.11-7
ii  dpkg-dev        1.19.7
ii  gnupg           2.2.12-1+deb10u1
ii  gnupg2          2.2.12-1+deb10u1
ii  powermgmt-base  1.34

-- no debconf information

--- End Message ---
--- Begin Message ---
On Wed, Dec 23, 2020 at 08:00:59PM -0500, Demi M. Obenour wrote:
> As far as I can tell, APT still trusts the output of its methods.  This
> means that while they are sandboxed in theory, this sandbox is trivially
> escapable in practice.

So, that means that we are a hundred percent secure if we abolish our
methods completely as we don't have to trust any of its output then and
just perform everything sequentially on the main thread without even
a thin layer of isolation.

I hope we can agree that this solution would be nonsense, so just like
a manager in a company, we have to trust our subordinated methods to
some extent if we don't want to do all the work by ourselves.

So perhaps you are questioning the extent here, which I presume is that
you don't want the methods to calculate the hashsums of the files. Well,
that is a lot of work and in some cases (e.g. pdiff-patched Contents
files) the returned sum is even just an intermediate product¹ requiring
the manager to perform even more work to verify (work on untrusted data
as it is output of the methods, so ideally that would be done in
isolation outside the main thread… you see the conundrum?)

I would call that micro-management if that would be my manager. Sadly,
we can't really do other common business tactics like rechecking only
some or give two subordinates the same task and compare results (Not
that these would work that well in the real world either).


> This would be Severity: critical except that no vulnerability in the
> respective methods is known.  Nevertheless, this is what made
> CVE-2019-3462 a devastating remote code execution vulnerability, rather
> than a minor annoyance.

Let's first understand what the underlying problem was here: The method
itself could not be overtaken or similar such which remote code
execution would suggest here. What happened here is that an attacker
could insert messages into the communication channel between the method
and the manager. In other words: the method was impersonated. The manager
would then act on the messages it believed came from the method rather
than the attacker, including potentially storing a (mostly) unverified
deb file which could be installed later on at which point the
"remote code" is executed.

We plugged that hole by teaching the methods to be more careful in what
they put into the communication channel. Additionally, the last upload
hopefully resolves the underlying problem of previously requiring URIs
to be passed around decoded.

The manager could certainly be a bit more demanding to perhaps detect
impersonation attempts from his side, too. Might also be fun to give
complicated methods like http(s) its own subordinates. Very many ideas
do exist, it's just a matter of designing and implementing them which
gradually happens ever so slightly without much fanfare as nobody
notices the CVEs that never were of course. Or the managers who weren't
fired for the failures they didn't spot their subordinates not do.


So, long story short, I am closing this bugreport as not actionable: Be
it software or humans, we always have to trust someone at some point.
We can always do better (including less blind trust), but that isn't
achieved or even helped by open bugreports with broad blank statements
which are technically and practically unfeasible.

But be my guest, please explain how you pull that off and we will surely
be happy to implement it – and start a global megacorp based on your new
infallible management theory, too.


Best regards

David Kalnischkies


¹ Contents files are stored on disk lz4 compressed, a format not known
to the archive, and all other files can be stored compressed as well if
the right option is used – but even if the archive would know the
compression type, compression is not bit-identical between different
runs, versions and implementations of compressors.



--- End Message ---
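
The message insertion described in the reply above, shown as an added example that is not part of the thread and not APT's code: a worker that writes a server-supplied value verbatim into a line-based channel lets that value end the message and start a second one, while a worker that encodes control characters keeps it inside one field. The message layout (status line, "Field: value" lines, blank-line terminator) is a simplified assumption modelled on APT's method interface; the function names are hypothetical and every value is constructed.

```python
# Added example: simplified model of a worker -> manager channel.
# Layout and field names are assumptions; all sample values are constructed.


def parse_messages(stream):
    """Manager side: split the channel into messages on blank lines."""
    messages = []
    for stanza in stream.split("\n\n"):
        lines = [line for line in stanza.split("\n") if line]
        if not lines:
            continue
        fields = {}
        for line in lines[1:]:
            key, _, value = line.partition(": ")
            fields[key] = value
        messages.append({"status": lines[0], "fields": fields})
    return messages


def emit_naive(status, fields):
    """Worker side, careless: field values are written verbatim."""
    body = "".join(f"{key}: {value}\n" for key, value in fields.items())
    return f"{status}\n{body}\n"


def encode_value(value):
    """Percent-encode control characters so a value cannot end a line."""
    return "".join(
        f"%{ord(ch):02X}" if ord(ch) < 0x20 or ord(ch) == 0x7F else ch
        for ch in value
    )


def emit_hardened(status, fields):
    """Worker side, careful: every value is encoded before it is written."""
    for key in fields:
        # Field names are worker-defined constants; refuse anything odd.
        if not key or any(ch in key for ch in ":\r\n"):
            raise ValueError(f"invalid field name: {key!r}")
    safe = {key: encode_value(value) for key, value in fields.items()}
    return emit_naive(status, safe)


# Constructed stand-in for a redirect target supplied by a remote server.
UNTRUSTED_TARGET = (
    "http://mirror.example/pool/pkg.deb\n\n"
    "201 URI Done\n"
    "URI: http://mirror.example/pool/pkg.deb\n"
    "Filename: constructed-value"
)


def statuses_seen_by_manager(emit):
    """Return the status lines the manager parses for one redirect report."""
    fields = {"URI": "http://mirror.example/a.deb", "New-URI": UNTRUSTED_TARGET}
    return [msg["status"] for msg in parse_messages(emit("103 Redirect", fields))]


if __name__ == "__main__":
    print("naive   :", statuses_seen_by_manager(emit_naive))
    print("hardened:", statuses_seen_by_manager(emit_hardened))
```

With the careless emitter the manager parses two messages from what the worker meant as one; with the encoding emitter it parses a single redirect whose `New-URI` value still carries the injected text, now inert.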
