Bug#579028: pbuilder: installs untrusted packages without asking
Junichi Uekawa
dancer at netfort.gr.jp
Thu Mar 8 23:01:29 UTC 2012
At Tue, 06 Mar 2012 02:29:25 +0100,
Simon Ruderich wrote:
>
> Package: pbuilder
> Version: 0.206
> Tags: patch
> Followup-For: Bug #579028
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Dear Maintainer,
>
> The attached patch changes the defaults to always enforce signed
> repositories and aborts if an untrusted/manipulated package is
> installed. It adds the new option --keyring (APTKEYRINGS) to add
> additional keyrings, which are then used to verify the (local)
> signed repositories. This way no untrusted packages can be
> installed.
>
> To still allow untrusted/unsigned repositories - they are a very
> bad idea and allow remote attackers performing a MITM to take
> over the system, including all built packages - the new option
> - --allow-untrusted (ALLOWUNTRUSTED) was added.
>
> I tested it with the official Debian repository, signed and
> unsigned local repositories and it works fine for me. But I'm
> only a "normal" pbuilder user, so I might have missed something.
> Please test the patch.
>
> I haven't tested it with cdebootstrap, but it should work as
> well.
I think cowbuilder/qemubuilder won't let you an unknown arbitrary
option to pbuilder; you'll need to add a patch there as well.
I don't know if pdebuild will need any change; I guess not.
>
> The old PBUILDERSATISFYDEPENDSOPT --check-key option was
> deprecated and is no longer used (it emits a warning now) as
> validation is the default now.
>
> The patch also contains documentation updates for the new
> options/variables and updates for the NEWS file describing the
> necessary changes to continue using untrusted packages (but
> please don't do that - especially as a Debian developer).
>
> Please have a look and include the patch as soon as possible to
> fix this security issue.
>
> Regards,
> Simon
>
> - -- System Information:
> Debian Release: wheezy/sid
> APT prefers unstable
> APT policy: (500, 'unstable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 3.2.0-1-amd64 (SMP w/8 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
>
> Versions of packages pbuilder depends on:
> ii cdebootstrap 0.5.8+b1
> ii coreutils 8.13-3
> ii debconf [debconf-2.0] 1.5.41
> ii debianutils 4.2.1
> ii debootstrap 1.0.38
> ii dpkg-dev 1.16.1.2
> ii wget 1.13.4-2
>
> Versions of packages pbuilder recommends:
> pn devscripts 2.11.4
> pn fakeroot 1.18.2-1
> pn sudo <none>
>
> Versions of packages pbuilder suggests:
> pn cowdancer <none>
> pn gdebi-core <none>
> pn pbuilder-uml <none>
>
> - -- debconf information excluded
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.12 (GNU/Linux)
>
> iQIcBAEBCAAGBQJPVWhvAAoJEJL+/bfkTDL5ivAP/iayE8NRQnyk2HW8R+NiRXU3
> uavLilwwpmEZyuciu8GxMQIAhT9HYd/DlkhF9I+yBSd30TO3fl0xW7YV9SaIZ+bv
> IPwnZbHri4KfeV9Zob/gd2jrT9A2QCoFRW0ny4XNCK3NvtWH5KuH+TG2Mq5CQqdN
> j4VJ3+76oJcbQbU7AUYXfvKDAsEb7gX+VwTEFLS4GrPkni/FIQJ8HHJhlTscyuCD
> gQANCoRFZHVSMaas3xqi9KYFKgVS4BZ5Z/9FZuLeY5kWBfcbnIhQloVOWTQZIMRI
> PhnqP1g62XlPu71K3a/Y2RMAcy3Gs6sUbW4OianIr2iskCndejih/MCb+3LmBFCg
> Ekxi/CcJGrc7a0pV57Qs8Iwkm1siRZZUxcp4xdD3mo9iayoOt4sfFyrvBCYryilQ
> 7JKpQc3iNoV3EQql6KBu5G+GmFFWHmokpLvVY27n8LgkV2YSb2wrgxqXPfxcYHj7
> 0j/y2MFw+HOX/d5YSESMLxn9aiZBi7CkMtlMemzqizxlNlL/+OOZiDsi4vdH8L/j
> Y0c2i9efjNeooc0/B9wASu/Ck8SWV8wW1EcfTag0p9Rp0avy4hoQUmG+MtgQsV0l
> MQuWWysyxeJFX4Z8ooau82L6sIGC0L073JH6Y/C7uTOz9gKt+e5tV3fnU+pkWpqH
> oF3CcmlykKX4SYzhUI/e
> =6EPj
> -----END PGP SIGNATURE-----
More information about the Pbuilder-maint
mailing list