Bug#545900: pbuilder uses debootstrap in am insecure way

Junichi Uekawa dancer at netfort.gr.jp
Fri Sep 18 15:17:36 UTC 2009 

Known bug and duplicate, check the BTS.

At Wed, 09 Sep 2009 23:15:51 +0200,
Christoph Anton Mitterer wrote:
> 
> Package: pbuilder
> Version: 0.189
> Severity: important
> Tags: security
> 
> Hi.
> 
> 
> debootstrap (unlike cdebootstrap IIRC) does not check signatures on  
> any packages per default, but only when the "--keyring" option is used.
> 
> This has the potential security problem, that users are building (and  
> thus executing code) that is not verified.
> 
> I would suggest that you at least add a:
> DEBOOTSTRAPOPTS="--keyring=/set-this-file" to the default template.
> 
> But this still is,.. well not a good solution, so I'd suggest the following:
> 1) Add options to pbuilder itself:
> - A mandatory --keyring= option to specify the keyring to be used and  
> that is passed on to [c]debootstrab
> - A option like --do-not-verify-signatures (including some warnings  
> that this is dangerous),.. and only if this is set,... --keyring may  
> be omitted.
> 
> 2) If nothing off the above is specified, pbuilder should fail.
> 
> 
> I'm not sure about the following:
> - As pbuilder installs stuff inside the already bootstrapped chroot,  
> there may be additional possibilities for insecure packages. But I  
> assume you use always apt there, right? And this should use keys,..  
> well at least with deboostrap they're copied into the chroot  
> (IIRC),... not sure about cdebootstrap.
> 
> - Is this already a problem with current build daemons or whatever?  
> And should we inform those guys on this problem?
> 
> 
> Regards,
> Chris.
> 
> 
> -- System Information:
> Debian Release: squeeze/sid
>    APT prefers unstable
>    APT policy: (500, 'unstable')
> Architecture: amd64 (x86_64)
> 
> Kernel: Linux 2.6.30-heisenberg (SMP w/2 CPU cores; PREEMPT)
> Locale: LANG=en_DE.UTF-8, LC_CTYPE=en_DE.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> 
> Versions of packages pbuilder depends on:
> ii  coreutils                     7.5-4      GNU core utilities
> ii  debconf [debconf-2.0]         1.5.27     Debian configuration  
> management sy
> ii  debianutils                   3.2.1      Miscellaneous utilities  
> specific t
> ii  debootstrap                   1.0.15     Bootstrap a basic Debian system
> ii  wget                          1.11.4-4   retrieves files from the web
> 
> Versions of packages pbuilder recommends:
> ii  devscripts                    2.10.54    scripts to make the life  
> of a Debi
> ii  fakeroot                      1.13       Gives a fake root environment
> ii  sudo                          1.7.2p1-1  Provide limited super  
> user privile
> 
> Versions of packages pbuilder suggests:
> pn  cowdancer                     <none>     (no description available)
> pn  gdebi                         <none>     (no description available)
> pn  pbuilder-uml                  <none>     (no description available)
> 
> -- debconf information:
> * pbuilder/mirrorsite: ftp://ftp.de.debian.org/debian/
>    pbuilder/nomirror:
> * pbuilder/rewrite: false
> 
> ----------------------------------------------------------------
> This message was sent using IMP, the Internet Messaging Program.
> 
> 
> 
> 
> _______________________________________________
> Pbuilder-maint mailing list
> Pbuilder-maint at lists.alioth.debian.org
> http://lists.alioth.debian.org/mailman/listinfo/pbuilder-maint
>

More information about the Pbuilder-maint mailing list