Bug#579028: pbuilder: installs untrusted packages without asking
Junichi Uekawa
dancer at netfort.gr.jp
Sun Jun 20 03:57:09 UTC 2010
severity wishlist
thanks
At Sun, 25 Apr 2010 00:01:36 +0900,
Ansgar Burchardt wrote:
>
> Package: pbuilder
> Version: 0.196
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Hi,
>
> pbuilder will by default install packages from untrusted sources. This
> means the system can be compromised by a man in the middle providing
> malicious packages. There also seems no way to get pbuilder to stop
> doing so.
>
> pbuilder should (in the default configuration) not install packages that
> are not trusted, only when the user explicitly requests this.
>
> Also when creating the chroot with debootstrap, the --keyring option
> should be used so that debootstrap will check for a valid signature.
>
> Regards,
> Ansgar
>
> -- System Information:
> Debian Release: squeeze/sid
> APT prefers testing
> APT policy: (900, 'testing'), (500, 'unstable'), (1, 'experimental')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 2.6.32-3-amd64 (SMP w/2 CPU cores)
> Locale: LANG=C, LC_CTYPE=ja_JP.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
>
>
>
> _______________________________________________
> Pbuilder-maint mailing list
> Pbuilder-maint at lists.alioth.debian.org
> http://lists.alioth.debian.org/mailman/listinfo/pbuilder-maint
>
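The two settings the report asks for, as an added example that is not part of the bug report or of pbuilder itself: a signed-archive keyring handed to debootstrap when the chroot is created, and no "trust anything" flag in the apt-get options used inside the chroot. DEBOOTSTRAPOPTS and APTGETOPT are the pbuilderrc variables pbuilder reads for extra debootstrap and apt-get arguments (pbuilderrc declares them as bash arrays; the functions below take the expanded words either way). The keyring path is assumed to be the file shipped by the debian-archive-keyring package.

```shell
#!/bin/sh
# Added example, not pbuilder's code or the reporter's. Audits a pbuilderrc-style
# configuration for the two points in Bug#579028 before the chroot is built.
# Assumed keyring path: the file installed by the debian-archive-keyring package.
KEYRING=/usr/share/keyrings/debian-archive-keyring.gpg

# Prints the keyring named in a debootstrap argument list and returns 0; returns 1 when
# no --keyring option is present. debootstrap accepts both "--keyring=FILE" and
# "--keyring FILE", so both spellings are recognised.
keyring_from_opts() {
  while [ $# -gt 0 ]; do
    case "$1" in
      --keyring=?*) printf '%s\n' "${1#--keyring=}"; return 0 ;;
      --keyring)    [ $# -ge 2 ] || return 1; printf '%s\n' "$2"; return 0 ;;
    esac
    shift
  done
  return 1
}

# Returns 0 if an apt-get option list would let apt install unsigned packages without
# asking: --allow-unauthenticated does so directly, and --force-yes implied it in
# apt-get of this era. Returns 1 if neither flag is present.
apt_opts_skip_auth() {
  for opt in "$@"; do
    case "$opt" in
      --allow-unauthenticated|--force-yes) return 0 ;;
    esac
  done
  return 1
}

# Usage: values as they would appear in pbuilderrc (pbuilder itself writes these as
# bash arrays, e.g. DEBOOTSTRAPOPTS=("--variant=buildd" "--keyring=$KEYRING")).
DEBOOTSTRAPOPTS="--variant=buildd --keyring=$KEYRING"
APTGETOPT="-y"

if k=$(keyring_from_opts $DEBOOTSTRAPOPTS) && [ -r "$k" ]; then
  echo "debootstrap will verify the Release signature against $k"
else
  echo "WARNING: no readable --keyring in DEBOOTSTRAPOPTS; debootstrap will not check signatures" >&2
fi

if apt_opts_skip_auth $APTGETOPT; then
  echo "WARNING: APTGETOPT lets apt-get install unauthenticated packages" >&2
else
  echo "apt-get will refuse unauthenticated packages unless the user overrides it"
fi
```

The keyring check reads the file to catch the common failure where the option is set but debian-archive-keyring is not installed on the host; debootstrap would then abort rather than silently skip verification, but it is better to learn that before a long chroot build starts.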