Bug#579028: pbuilder: installs untrusted packages without asking

Junichi Uekawa dancer at netfort.gr.jp
Sun Jun 20 03:57:09 UTC 2010


severity wishlist
thanks

At Sun, 25 Apr 2010 00:01:36 +0900,
Ansgar Burchardt wrote:
> 
> Package: pbuilder
> Version: 0.196
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> Hi,
> 
> pbuilder will by default install packages from untrusted sources.  This
> means the system can be compromised by a man in the middle providing
> malicious packages.  There also seems no way to get pbuilder to stop
> doing so.
> 
> pbuilder should (in the default configuration) not install packages that
> are not trusted, except when the user explicitly requests this.
> 
> Also when creating the chroot with debootstrap, the --keyring option
> should be used so that debootstrap will check for a valid signature.
> 
> Regards,
> Ansgar
> 
> -- System Information:
> Debian Release: squeeze/sid
>   APT prefers testing
>   APT policy: (900, 'testing'), (500, 'unstable'), (1, 'experimental')
> Architecture: amd64 (x86_64)
> 
> Kernel: Linux 2.6.32-3-amd64 (SMP w/2 CPU cores)
> Locale: LANG=C, LC_CTYPE=ja_JP.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> 
> _______________________________________________
> Pbuilder-maint mailing list
> Pbuilder-maint at lists.alioth.debian.org
> http://lists.alioth.debian.org/mailman/listinfo/pbuilder-maint
> 
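The two fixes the report asks for, as an added example that is not part of pbuilder and not code from the bug report: a small POSIX shell audit that checks a pbuilderrc for a `--keyring` option passed to debootstrap, checks an apt configuration fragment or an apt-get invocation for settings that disable package authentication, and builds the debootstrap command line with signature checking enabled. `DEBOOTSTRAPOPTS` and `APTKEYRINGS` are pbuilderrc variables and `--keyring` is a debootstrap option; the keyring path, the sample rc and apt.conf fragments, and the mirror are constructed for the example and are assumptions, not something the report states.

```shell
#!/bin/sh
# Added example: audit pbuilder/apt settings for the weaknesses described in
# Bug#579028. Not part of pbuilder; sample inputs below are constructed.

# Constructed pbuilderrc fragment as an unfixed setup might look: debootstrap is
# never given a keyring, so Release signatures are not checked during bootstrap.
UNSAFE_RC='DISTRIBUTION=sid
DEBOOTSTRAPOPTS=("--variant=buildd")
EXTRAPACKAGES=""
'

# Constructed fragment with both fixes: debootstrap verifies the Release file
# against the archive keyring, and the same keyring is handed to apt inside the
# chroot via APTKEYRINGS. The keyring path is an assumption.
SAFE_RC='DISTRIBUTION=sid
DEBOOTSTRAPOPTS=("${DEBOOTSTRAPOPTS[@]}" "--keyring=/usr/share/keyrings/debian-archive-keyring.gpg")
APTKEYRINGS=("/usr/share/keyrings/debian-archive-keyring.gpg")
'

# Constructed apt.conf fragments: the first accepts unauthenticated packages.
UNSAFE_APTCONF='APT::Get::AllowUnauthenticated "true";'
SAFE_APTCONF='APT::Get::AllowUnauthenticated "false";'

# rc_has_keyring RC_TEXT: succeeds if DEBOOTSTRAPOPTS passes --keyring=FILE.
rc_has_keyring() {
    printf '%s\n' "$1" | grep -Eq '^DEBOOTSTRAPOPTS=.*--keyring=[^" ]+'
}

# aptconf_allows_unauth CONF_TEXT: succeeds if apt.conf turns authentication
# off (AllowUnauthenticated set to true/yes/1).
aptconf_allows_unauth() {
    printf '%s\n' "$1" | \
        grep -Eiq '^[[:space:]]*APT::Get::AllowUnauthenticated[[:space:]]+"?(true|yes|1)"?'
}

# cmdline_allows_unauth "apt-get ...": succeeds if the invocation carries an
# option that makes apt-get proceed past the "cannot be authenticated" check.
cmdline_allows_unauth() {
    case " $1 " in
        *" --force-yes "*|*" --allow-unauthenticated "*) return 0 ;;
        *) return 1 ;;
    esac
}

# debootstrap_cmd SUITE TARGET KEYRING MIRROR: the bootstrap command with
# Release-file signature checking enabled.
debootstrap_cmd() {
    printf 'debootstrap --variant=buildd --keyring=%s %s %s %s' "$3" "$1" "$2" "$4"
}

# Report on the constructed samples (constructed values, no live system touched).
report() {
    if rc_has_keyring "$1"; then echo "rc: debootstrap verifies signatures"
    else echo "rc: WARNING debootstrap runs without --keyring"; fi
    if aptconf_allows_unauth "$2"; then echo "apt.conf: WARNING unauthenticated packages allowed"
    else echo "apt.conf: authentication enforced"; fi
    if cmdline_allows_unauth "$3"; then echo "apt-get: WARNING trust check overridden"
    else echo "apt-get: trust check active"; fi
}

report "$UNSAFE_RC" "$UNSAFE_APTCONF" "apt-get -y --force-yes install build-essential"
report "$SAFE_RC" "$SAFE_APTCONF" "apt-get -y install build-essential"
debootstrap_cmd sid /var/cache/pbuilder/build/chroot \
    /usr/share/keyrings/debian-archive-keyring.gpg http://deb.debian.org/debian
echo
```

Run it against a real setup by feeding `"$(cat ~/.pbuilderrc)"` and the chroot's `etc/apt/apt.conf` to the same functions; a `WARNING` from any check means a man in the middle on the mirror connection can substitute packages exactly as the report describes.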