[Secure-testing-team] Bug#781594: pybit: disables apt's signature checking (and uses remote repository)
Ansgar Burchardt
ansgar at debian.org
Tue Mar 31 12:30:06 UTC 2015
Package: src:pybit
Version: 1.0.0-2.1
Severity: grave
Tags: security
pybit disables apt's signature checks when retrieving source packages:
+---
| url = "deb-src http://cdn.debian.net/debian %s main " % buildreq.get_suite()
| os.write(src_list, url)
| cfg_str = "-o Apt::Get::AllowUnauthenticated=true -o Dir=%s -o Dir::State=%s -o Dir::Etc::SourceList=%s/sources.list -o Dir::Cache=%s" % \
+---[ http://sources.debian.net/src/pybit/1.0.0-2.1/pybitclient/apt.py/?hl=50#L50 ]
As can be seen, it also includes a remote repository in the
sources.list that could be the target of a MitM attack.
I assume (but did not verify) that pybit then proceeds to build the
source package, possibly executing arbitrary code in case the
connection to cdn.debian.net was compromised.
Ansgar
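A defender-side check for the two problems reported above (an apt option that disables signature verification, and a plain-http source entry), added here as example code that is not part of pybit or of this report; the option string and sources.list lines are constructed samples with placeholder paths, and the hardened variant simply drops the unsafe option pairs:

```python
import re
import shlex

# Constructed sample in the shape pybit builds (placeholder paths, not pybit's own).
SAMPLE_CFG = ("-o Apt::Get::AllowUnauthenticated=true -o Dir=/tmp/b "
              "-o Dir::State=/tmp/b/state -o Dir::Etc::SourceList=/tmp/b/sources.list")
SAMPLE_SOURCES = "# build sources\ndeb-src http://cdn.debian.net/debian sid main\n"

# apt options that switch off signature verification, lower-cased for matching.
UNSAFE_OPTIONS = {
    "apt::get::allowunauthenticated": "true",
    "acquire::allowinsecurerepositories": "true",
}

def _option_pairs(cfg_str):
    """Yield (index, key, value) for every '-o Key=Value' pair in an apt option string."""
    tokens = shlex.split(cfg_str)
    for i, tok in enumerate(tokens):
        if tok == "-o" and i + 1 < len(tokens):
            key, _, value = tokens[i + 1].partition("=")
            yield i, key, value.strip()

def _is_unsafe(key, value):
    return UNSAFE_OPTIONS.get(key.lower()) == value.lower()

def audit_apt_options(cfg_str):
    """Return a finding for every option that disables signature checking."""
    return ["signature checking disabled by -o %s=%s" % (k, v)
            for _, k, v in _option_pairs(cfg_str) if _is_unsafe(k, v)]

def hardened_cfg(cfg_str):
    """Rebuild the option string with the unsafe '-o Key=Value' pairs removed."""
    tokens = shlex.split(cfg_str)
    drop = {j for i, k, v in _option_pairs(cfg_str) if _is_unsafe(k, v) for j in (i, i + 1)}
    return " ".join(t for i, t in enumerate(tokens) if i not in drop)

def audit_sources(sources_list):
    """Flag sources.list entries fetched over plain http or marked [trusted=yes]."""
    findings = []
    for line in sources_list.splitlines():
        m = re.match(r"\s*(deb|deb-src)\s+(?:\[([^\]]*)\]\s+)?(\S+)", line)
        if not m:
            continue  # blank line, comment, or a form this checker does not parse
        opts, uri = m.group(2) or "", m.group(3)
        if uri.startswith("http://"):
            findings.append("unencrypted remote source, MitM exposure: %s" % uri)
        if "trusted=yes" in opts:
            findings.append("source marked trusted=yes, signatures skipped: %s" % uri)
    return findings
```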