Bug#579028: pbuilder: installs untrusted packages without asking

Junichi Uekawa dancer at netfort.gr.jp
Mon Jul 5 13:30:19 UTC 2010


At Sun, 04 Jul 2010 00:11:13 +0900,
Ansgar Burchardt wrote:
> 
> Hi,
> 
> Junichi Uekawa <dancer at netfort.gr.jp> writes:
> > severity 579028 wishlist
> 
> I don't agree with this as this bug allows arbitrary code execution as
> root (see below).
> 
> > Mehdi Dogguy wrote:
> >> Can you please explain how this will break "all existing configurations"?
> >> Does it mean that all people are using untrusted repositories when using
> >> pbuilder?
> 
> Yes, it does.  If you intercept and manipulate both the request for
> archive metadata (Release, Packages) and later a request for a *.deb you
> should be able to execute arbitrary code on the victim's host (with root
> privileges).  Of course you have to know which package the victim will
> install and have to prepare a malicious .deb before.
> 
> Regarding local repositories: These work fine if you sign them with a
> local key and make this key known to APT.  When using reprepro, this
> requires only generating a key, adding SignWith: [key-id] to the
> configuration and calling apt-key to make the key known to APT.

Yeah, I am annoyed that this will require some setup by the users, but I
will add configurability for the users who use malicious repositories
per se.


To really implement this thing, you need support for:

Ubuntu, et al. (currently broken with the recent change)
Some way to add a key for whatever extra repository (not implemented)
Document how you do local repositories. (currently broken with recent change)



Good patches are always welcome.

-- 
dancer@{netfort.gr.jp,debian.org}
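
An added example, not part of the original message and not pbuilder or reprepro code: a shell check for the local-repository setup described in the quoted text, listing reprepro suites whose stanza lacks SignWith and published suites that carry neither Release.gpg nor InRelease. The repository layout, the sample configuration and PLACEHOLDER_KEY_ID are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). File layout and key id are constructed.

# Print the Codename of each stanza in reprepro's conf/distributions that has
# no SignWith field. Stanzas are separated by blank lines.
unsigned_suites() {
    awk '
        function emit() {
            if (seen && !signed) print (codename != "" ? codename : "(no Codename)")
            seen = 0; signed = 0; codename = ""
        }
        /^[ \t]*$/ { emit(); next }   # blank line closes the stanza
        /^#/       { next }           # comment
        { seen = 1 }
        tolower($1) == "codename:" { codename = $2 }
        tolower($1) == "signwith:" && $2 != "" { signed = 1 }
        END { emit() }
    ' "$1"
}

# Print each configured suite whose published dists/<codename>/ directory has
# neither a detached Release.gpg nor an inline-signed InRelease.
unsigned_published() {
    awk 'tolower($1) == "codename:" { print $2 }' "$2" |
    while read -r suite; do
        d="$1/dists/$suite"
        [ -f "$d/Release.gpg" ] || [ -f "$d/InRelease" ] || echo "$suite"
    done
}

# Constructed sample repository: only "sid" is set up for signing.
make_sample() {
    mkdir -p "$1/conf" "$1/dists/sid" "$1/dists/lucid"
    cat > "$1/conf/distributions" <<'EOF'
Codename: sid
Components: main
SignWith: PLACEHOLDER_KEY_ID

Codename: lucid
Components: main
EOF
    : > "$1/dists/sid/Release.gpg"
}

tmp=$(mktemp -d) && make_sample "$tmp"
echo "no SignWith:       $(unsigned_suites "$tmp/conf/distributions")"
echo "no signature file: $(unsigned_published "$tmp" "$tmp/conf/distributions")"
rm -rf "$tmp"
```

Both checks only confirm that signing is configured and that a signature file is present; whether APT accepts it still depends on the key being known to APT inside the chroot.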
