Bug#579028: pbuilder: installs untrusted packages without asking

Simon Ruderich simon at ruderich.org
Tue Mar 6 01:29:25 UTC 2012 

Package: pbuilder
Version: 0.206
Tags: patch
Followup-For: Bug #579028

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Dear Maintainer,

The attached patch changes the defaults to always enforce signed
repositories and aborts if an untrusted/manipulated package is
installed. It adds the new option --keyring (APTKEYRINGS) to add
additional keyrings, which are then used to verify the (local)
signed repositories. This way no untrusted packages can be
installed.

To still allow untrusted/unsigned repositories - they are a very
bad idea and allow remote attackers performing a MITM to take
over the system, including all built packages - the new option
- --allow-untrusted (ALLOWUNTRUSTED) was added.

I tested it with the official Debian repository, signed and
unsigned local repositories and it works fine for me. But I'm
only a "normal" pbuilder user, so I might have missed something.
Please test the patch.

I haven't tested it with cdebootstrap, but it should work as
well.

The old PBUILDERSATISFYDEPENDSOPT --check-key option was
deprecated and is no longer used (it emits a warning now) as
validation is the default now.

The patch also contains documentation updates for the new
options/variables and updates for the NEWS file describing the
necessary changes to continue using untrusted packages (but
please don't do that - especially as a Debian developer).

Please have a look and include the patch as soon as possible to
fix this security issue.

Regards,
Simon

- -- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages pbuilder depends on:
ii  cdebootstrap           0.5.8+b1
ii  coreutils              8.13-3
ii  debconf [debconf-2.0]  1.5.41
ii  debianutils            4.2.1
ii  debootstrap            1.0.38
ii  dpkg-dev               1.16.1.2
ii  wget                   1.13.4-2

Versions of packages pbuilder recommends:
pn  devscripts  2.11.4
pn  fakeroot    1.18.2-1
pn  sudo        <none>

Versions of packages pbuilder suggests:
pn  cowdancer     <none>
pn  gdebi-core    <none>
pn  pbuilder-uml  <none>

- -- debconf information excluded

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCAAGBQJPVWhvAAoJEJL+/bfkTDL5ivAP/iayE8NRQnyk2HW8R+NiRXU3
uavLilwwpmEZyuciu8GxMQIAhT9HYd/DlkhF9I+yBSd30TO3fl0xW7YV9SaIZ+bv
IPwnZbHri4KfeV9Zob/gd2jrT9A2QCoFRW0ny4XNCK3NvtWH5KuH+TG2Mq5CQqdN
j4VJ3+76oJcbQbU7AUYXfvKDAsEb7gX+VwTEFLS4GrPkni/FIQJ8HHJhlTscyuCD
gQANCoRFZHVSMaas3xqi9KYFKgVS4BZ5Z/9FZuLeY5kWBfcbnIhQloVOWTQZIMRI
PhnqP1g62XlPu71K3a/Y2RMAcy3Gs6sUbW4OianIr2iskCndejih/MCb+3LmBFCg
Ekxi/CcJGrc7a0pV57Qs8Iwkm1siRZZUxcp4xdD3mo9iayoOt4sfFyrvBCYryilQ
7JKpQc3iNoV3EQql6KBu5G+GmFFWHmokpLvVY27n8LgkV2YSb2wrgxqXPfxcYHj7
0j/y2MFw+HOX/d5YSESMLxn9aiZBi7CkMtlMemzqizxlNlL/+OOZiDsi4vdH8L/j
Y0c2i9efjNeooc0/B9wASu/Ck8SWV8wW1EcfTag0p9Rp0avy4hoQUmG+MtgQsV0l
MQuWWysyxeJFX4Z8ooau82L6sIGC0L073JH6Y/C7uTOz9gKt+e5tV3fnU+pkWpqH
oF3CcmlykKX4SYzhUI/e
=6EPj
-----END PGP SIGNATURE-----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Enforce-valid-signed-repositories-by-default.patch
Type: text/x-diff
Size: 12226 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pbuilder-maint/attachments/20120306/17be5aa1/attachment.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Enforce-valid-signed-repositories-by-default.patch.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pbuilder-maint/attachments/20120306/17be5aa1/attachment.pgp>

More information about the Pbuilder-maint mailing list