Your message dated Mon, 28 Dec 2020 12:47:48 +0100 with message-id <20201228114748.vfypx2dssletj3a6@crossbow> and subject line Re: Bug#977994: apt: Output from sandboxed methods should not be trusted has caused the Debian Bug report #977994, regarding apt: Output from sandboxed methods should not be trusted to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
977994: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=977994
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: apt: Output from sandboxed methods should not be trusted
- From: "Demi M. Obenour" <demiobenour@gmail.com>
- Date: Wed, 23 Dec 2020 20:00:59 -0500
- Message-id: <160877165940.903.13427683846101462195.reportbug@localhost>
Package: apt
Version: 1.8.2.2
Severity: important

Dear Maintainer,

As far as I can tell, APT still trusts the output of its methods. This means that while they are sandboxed in theory, this sandbox is trivially escapable in practice.

This would be Severity: critical except that no vulnerability in the respective methods is known. Nevertheless, this is what made CVE-2019-3462 a devastating remote code execution vulnerability, rather than a minor annoyance.

-- Package-specific info:

-- apt-config dump --

-- (no /etc/apt/preferences present) --

-- /etc/apt/preferences.d/restrict-unstable --

Package: *
Pin: release a=unstable
Pin-Priority: 50

-- /etc/apt/sources.list --

deb https://deb.debian.org/debian buster main contrib non-free
#deb-src https://deb.debian.org/debian buster main contrib non-free
deb https://deb.debian.org/debian-security buster/updates main contrib non-free
#deb-src https://deb.debian.org/debian-security buster/updates main contrib non-free

-- /etc/apt/sources.list.d/qubes-r4.list --

# Main qubes updates repository
#deb [arch=amd64] https://deb.qubes-os.org/r4.0/vm buster main
#deb-src https://deb.qubes-os.org/r4.0/vm buster main

# Qubes updates candidates repository
#deb [arch=amd64] https://deb.qubes-os.org/r4.0/vm buster-testing main
#deb-src https://deb.qubes-os.org/r4.0/vm buster-testing main

# Qubes security updates testing repository
#deb [arch=amd64] https://deb.qubes-os.org/r4.0/vm buster-securitytesting main
#deb-src https://deb.qubes-os.org/r4.0/vm buster-securitytesting main

# Qubes experimental/unstable repository
#deb [arch=amd64] https://deb.qubes-os.org/r4.0/vm buster-unstable main
#deb-src https://deb.qubes-os.org/r4.0/vm buster-unstable main

# Qubes Tor updates repositories
# Main qubes updates repository
deb [arch=amd64] http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.0/vm buster main
#deb-src tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.0/vm buster main

# Qubes updates candidates repository
#deb [arch=amd64] tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.0/vm buster-testing main
#deb-src tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.0/vm buster-testing main

# Qubes security updates testing repository
deb [arch=amd64] http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.0/vm buster-securitytesting main
#deb-src tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.0/vm buster-securitytesting main

# Qubes experimental/unstable repository
#deb [arch=amd64] tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.0/vm buster-unstable main
#deb-src tor+http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.0/vm buster-unstable main

-- /etc/apt/sources.list.d/sid.list --

#deb https://deb.debian.org/debian sid main contrib non-free
#deb-src https://deb.debian.org/debian sid main contrib non-free
#deb https://deb.debian.org/debian buster-backports main contrib non-free
#deb-src https://deb.debian.org/debian buster-backports main contrib non-free

-- System Information:
Debian Release: 10.7
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.4.83-1.qubes.x86_64 (SMP w/2 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apt depends on:
ii  adduser                 3.118
ii  debian-archive-keyring  2019.1
ii  gpgv                    2.2.12-1+deb10u1
ii  libapt-pkg5.0           1.8.2.2
ii  libc6                   2.28-10
ii  libgcc1                 1:8.3.0-6
ii  libgnutls30             3.6.7-4+deb10u5
ii  libseccomp2             2.3.3-4
ii  libstdc++6              8.3.0-6

Versions of packages apt recommends:
ii  ca-certificates  20190110

Versions of packages apt suggests:
pn  apt-doc         <none>
ii  aptitude        0.8.11-7
ii  dpkg-dev        1.19.7
ii  gnupg           2.2.12-1+deb10u1
ii  gnupg2          2.2.12-1+deb10u1
ii  powermgmt-base  1.34

-- no debconf information
--- End Message ---
--- Begin Message ---
- To: "Demi M. Obenour" <demiobenour@gmail.com>, 977994-done@bugs.debian.org
- Subject: Re: Bug#977994: apt: Output from sandboxed methods should not be trusted
- From: David Kalnischkies <david@kalnischkies.de>
- Date: Mon, 28 Dec 2020 12:47:48 +0100
- Message-id: <20201228114748.vfypx2dssletj3a6@crossbow>
- In-reply-to: <160877165940.903.13427683846101462195.reportbug@localhost>
- References: <160877165940.903.13427683846101462195.reportbug@localhost>
On Wed, Dec 23, 2020 at 08:00:59PM -0500, Demi M. Obenour wrote:
> As far as I can tell, APT still trusts the output of its methods. This
> means that while they are sandboxed in theory, this sandbox is trivially
> escapable in practice.

So, that means that we are a hundred percent secure if we abolish our methods completely as we don't have to trust any of its output then and just perform everything sequentially on the main thread without even a thin layer of isolation.

I hope we can agree that this solution would be nonsense, so just like a manager in a company, we have to trust our subordinated methods to some extent if we don't want to do all the work by ourselves.

So perhaps you are questioning the extent here, which I presume is that you don't want the methods to calculate the hashsums of the files. Well, that is a lot of work and in some cases (e.g. pdiff-patched Contents files) the returned sum is even just an intermediate product¹ requiring the manager to perform even more work to verify (work on untrusted data as it is output of the methods, so ideally that would be done in isolation outside the main thread… you see the conundrum?)

I would call that micro-management if that would be my manager. Sadly, we can't really do other common business tactics like rechecking only some or give two subordinates the same task and compare results (Not that these would work that well in the real world either).

> This would be Severity: critical except that no vulnerability in the
> respective methods is known. Nevertheless, this is what made
> CVE-2019-3462 a devastating remote code execution vulnerability, rather
> than a minor annoyance.

Let's first understand what the underlying problem was here: The method itself could not be overtaken or similar such which remote code execution would suggest here. What happened here is that an attacker could insert messages into the communication channel between the method and the manager. In other words: the method was impersonated. The manager would then act on the messages it believed came from the method rather than the attacker, including potentially storing a (mostly) unverified deb file which could be installed later on at which point the "remote code" is executed.

We plugged that hole by teaching the methods to be more careful in what they put into the communication channel. Additionally, the last upload hopefully resolves the underlying problem of previously requiring URIs to be passed around decoded.

The manager could certainly be a bit more demanding to perhaps detect impersonation attempts from his side, too. Might also be fun to give complicated methods like http(s) its own subordinates. Very many ideas do exist, it's just a matter of designing and implementing them which gradually happens ever so slightly without much fanfare as nobody notices the CVEs that never were of course. Or the managers who weren't fired for the failures they didn't spot their subordinates not do.

So, long story short, I am closing this bugreport as not actionable: Be it software or humans, we always have to trust someone at some point. We can always do better (including less blind trust), but that isn't achieved or even helped by open bugreports with broad blank statements which are technically and practically unfeasible.

But be my guest, please explain how you pull that off and we will surely be happy to implement it – and start a global megacorp based on your new infallible management theory, too.

Best regards

David Kalnischkies

¹ Contents files are stored on disk lz4 compressed, a format not known to the archive, and all other files can be stored compressed as well if the right option is used – but even if the archive would know the compression type, compression is not bit-identical between different runs, versions and implementations of compressors.

Attachment: signature.asc
Description: PGP signature
--- End Message ---
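
The channel problem described in the reply above (messages inserted between a method and the manager) and the two defences it names (methods being careful about what they write, the manager being more demanding), as an added sketch that is not APT code and not part of either message. The framing, status codes, field names, URLs and paths are assumptions of this sketch, and the "one frame per outstanding request" rule is a simplification.

```python
# Added sketch, not APT code: a line-oriented worker-to-manager channel.
# Status codes, field names, URLs and paths are constructed assumptions.
from urllib.parse import quote, unquote

REQUEST = "http://mirror.example/pool/a.deb"
# Constructed server-controlled value: a blank line followed by a second,
# forged frame hidden inside what should be a single field value.
HOSTILE = ("http://mirror.example/pool/b.deb\n\n"
           "201 URI Done\nURI: " + REQUEST + "\nFilename: /constructed/path")


class ChannelError(ValueError):
    """Raised when the manager sees a frame it refuses to act on."""


def _frame(code, title, fields, escape):
    lines = [f"{code} {title}"]
    lines += [f"{key}: {escape(value)}" for key, value in fields.items()]
    return "\n".join(lines) + "\n\n"  # a blank line terminates the frame


def encode_unsafe(code, title, fields):
    # 'Before' form: values go onto the wire verbatim (decoded), so a
    # newline in a value ends the field and can start a new frame.
    return _frame(code, title, fields, lambda v: v)


def encode_safe(code, title, fields):
    # Hardened form: values stay percent-encoded on the wire, so control
    # characters and spaces can never act as frame or field delimiters.
    return _frame(code, title, fields, lambda v: quote(v, safe="/:?=&"))


def parse_stream(wire):
    """Split the byte stream into (code, title, fields) frames."""
    messages = []
    for block in wire.split("\n\n"):
        if not block:
            continue
        head, *rest = block.split("\n")
        code, _, title = head.partition(" ")
        if len(code) != 3 or not code.isdigit():
            raise ChannelError(f"bad status line: {head!r}")
        fields = {}
        for line in rest:
            key, sep, value = line.partition(": ")
            if not sep or key in fields:
                raise ChannelError(f"malformed or duplicate field: {line!r}")
            fields[key] = unquote(value)
        messages.append((int(code), title, fields))
    return messages


def accept_replies(wire, outstanding):
    """Manager-side check: act on one frame per outstanding request only."""
    pending = set(outstanding)
    accepted = []
    for code, title, fields in parse_stream(wire):
        uri = fields.get("URI")
        if uri not in pending:
            raise ChannelError(f"unsolicited {code} {title} for {uri!r}")
        pending.discard(uri)
        accepted.append((code, fields))
    return accepted
```

With the verbatim encoder the hostile value parses as two frames; with the encoded form it stays one field and round-trips unchanged, and the manager-side check rejects the extra frame even when the encoder is the weak one.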