Bug#545900: pbuilder uses debootstrap in an insecure way
Christoph Anton Mitterer
christoph.anton.mitterer at physik.uni-muenchen.de
Wed Sep 9 21:15:51 UTC 2009
Package: pbuilder
Version: 0.189
Severity: important
Tags: security
Hi.
debootstrap (unlike cdebootstrap IIRC) does not check signatures on
any packages per default, but only when the "--keyring" option is used.
This has the potential security problem, that users are building (and
thus executing code) that is not verified.
I would suggest that you at least add a:
DEBOOTSTRAPOPTS="--keyring=/set-this-file" to the default template.
But this still is,.. well not a good solution, so I'd suggest the following:
1) Add options to pbuilder itself:
- A mandatory --keyring= option to specify the keyring to be used and
that is passed on to [c]debootstrap
- An option like --do-not-verify-signatures (including some warnings
that this is dangerous),.. and only if this is set,... --keyring may
be omitted.
2) If nothing of the above is specified, pbuilder should fail.
I'm not sure about the following:
- As pbuilder installs stuff inside the already bootstrapped chroot,
there may be additional possibilities for insecure packages. But I
assume you use always apt there, right? And this should use keys,..
well at least with debootstrap they're copied into the chroot
(IIRC),... not sure about cdebootstrap.
- Is this already a problem with current build daemons or whatever?
And should we inform those guys on this problem?
Regards,
Chris.
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.30-heisenberg (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_DE.UTF-8, LC_CTYPE=en_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages pbuilder depends on:
ii coreutils 7.5-4 GNU core utilities
ii debconf [debconf-2.0] 1.5.27 Debian configuration management sy
ii debianutils 3.2.1 Miscellaneous utilities specific t
ii debootstrap 1.0.15 Bootstrap a basic Debian system
ii wget 1.11.4-4 retrieves files from the web
Versions of packages pbuilder recommends:
ii devscripts 2.10.54 scripts to make the life of a Debi
ii fakeroot 1.13 Gives a fake root environment
ii sudo 1.7.2p1-1 Provide limited super user privile
Versions of packages pbuilder suggests:
pn cowdancer <none> (no description available)
pn gdebi <none> (no description available)
pn pbuilder-uml <none> (no description available)
-- debconf information:
* pbuilder/mirrorsite: ftp://ftp.de.debian.org/debian/
pbuilder/nomirror:
* pbuilder/rewrite: false
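
The fail-closed behaviour proposed in points 1) and 2) of the report, as an added shell example that is not part of the original message or of pbuilder. check_bootstrap_opts is a hypothetical helper, the two option names are the ones suggested in the report, and letting --keyring win when both options are given is an assumption.

```shell
# Added example, not pbuilder code: decide what to hand to debootstrap.
# Prints the option to pass on stdout; returns non-zero to refuse the run.
check_bootstrap_opts() {
    keyring=""
    insecure=0
    for arg in "$@"; do
        case "$arg" in
            --keyring=*) keyring=${arg#--keyring=} ;;
            --do-not-verify-signatures) insecure=1 ;;
        esac
    done

    if [ -n "$keyring" ]; then
        # A keyring that is missing or empty cannot verify anything,
        # so treat it the same as no keyring at all and stop.
        if [ ! -f "$keyring" ] || [ ! -r "$keyring" ] || [ ! -s "$keyring" ]; then
            echo "E: keyring '$keyring' is missing, unreadable or empty" >&2
            return 1
        fi
        # Assumption: an explicit keyring wins even if the opt-out is also set.
        printf '%s\n' "--keyring=$keyring"
        return 0
    fi

    if [ "$insecure" -eq 1 ]; then
        # Explicit opt-out: allowed, but never silent.
        echo "W: signature verification disabled; unverified packages will be installed and run" >&2
        return 0
    fi

    # Neither option given: fail instead of bootstrapping unverified.
    echo "E: no --keyring given; refusing to bootstrap without signature verification" >&2
    return 1
}

# Usage sketch (paths are placeholders):
#   opts=$(check_bootstrap_opts "$@") || exit 1
#   debootstrap $opts "$DISTRIBUTION" "$BUILDPLACE" "$MIRRORSITE"
```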