[Secure-testing-team] Bug#781595: xdeb: disables apt's signature checks

Ansgar Burchardt ansgar at debian.org
Tue Mar 31 12:33:11 UTC 2015


Package: src:xdeb
Version: 0.6.6
Severity: grave
Tags: security

According to xdeb's documentation it uses apt to download source
packages and defaults to using the system's sources.list, that is
usually remote repositories.

However xdeb disables apt's signature checking:

+---
|     apt_pkg.config.set('APT::Get::AllowUnauthenticated', str(True))
+---[ http://sources.debian.net/src/xdeb/0.6.6/aptutils.py/?hl=159#L159 ]

I assume (but did not verify) that this means xdeb will not complain
about a compromised remote repository and build potentially malicious
packages.

Ansgar
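The report points at a single configuration call, and the check a practitioner would want is to find every place a build tool turns that knob, not just the one line quoted. The following is an added example (not code from xdeb, Debian or the reporter): a small static audit in Python that walks a module's AST for `<anything>.config.set('APT::Get::AllowUnauthenticated', …)`, evaluates literal values the way apt's case-insensitive boolean parser would (so `str(True)`, i.e. `'True'`, counts as enabled), and also inspects `apt-get` command lines for `--allow-unauthenticated` or an equivalent `-o`/`--option`. The two embedded source samples are constructed to mimic the quoted line and a version with the setting removed; the surrounding `init_apt` function is an assumption, not xdeb's real code.

```python
"""Audit Python build tooling and apt-get command lines for disabled
signature checks (APT::Get::AllowUnauthenticated). Added example, not xdeb code."""
import ast
import shlex

# Values apt's configuration parser treats as boolean true (matched case-insensitively).
APT_TRUE = {"true", "yes", "on", "with", "enable", "1"}

# Constructed sample mimicking the line quoted from xdeb 0.6.6 aptutils.py;
# the enclosing init_apt() function is an assumption, not xdeb's actual code.
SAMPLE_XDEB = """
import apt_pkg
def init_apt():
    apt_pkg.init()
    apt_pkg.config.set('APT::Get::AllowUnauthenticated', str(True))
"""

# Same constructed sample with the setting removed: apt's default keeps signature checks on.
SAMPLE_FIXED = """
import apt_pkg
def init_apt():
    apt_pkg.init()
"""


def _apt_bool(node):
    """Statically evaluate the value passed to config.set().
    Returns True/False, or None when the value is not a literal we can judge."""
    if isinstance(node, ast.Constant):
        if isinstance(node.value, bool):
            return node.value
        if isinstance(node.value, str):
            return node.value.strip().lower() in APT_TRUE
        if isinstance(node.value, int):
            return node.value != 0
    # str(True) / str(False): unwrap the str() call and judge its argument
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
            and node.func.id == "str" and len(node.args) == 1):
        return _apt_bool(node.args[0])
    return None


def find_allow_unauthenticated(source):
    """Return [(lineno, value)] for every <x>.config.set('APT::Get::AllowUnauthenticated', v)
    call in the given Python source; value is True/False/None as from _apt_bool()."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or len(node.args) < 2:
            continue
        func = node.func
        # match  something.config.set(key, value)
        if not (isinstance(func, ast.Attribute) and func.attr == "set"
                and isinstance(func.value, ast.Attribute) and func.value.attr == "config"):
            continue
        key = node.args[0]
        if not (isinstance(key, ast.Constant) and isinstance(key.value, str)):
            continue
        if key.value.lower() == "apt::get::allowunauthenticated":  # apt keys are case-insensitive
            findings.append((node.lineno, _apt_bool(node.args[1])))
    return findings


def disables_signature_checks(source):
    """True when the source sets AllowUnauthenticated to a true value, or to a
    value that cannot be evaluated statically (unknown is treated as suspicious)."""
    return any(v is None or v for _, v in find_allow_unauthenticated(source))


def cli_disables_signature_checks(cmdline):
    """True when an apt-get/apt command line turns authentication off via
    --allow-unauthenticated or -o/--option APT::Get::AllowUnauthenticated=<true value>."""
    args = shlex.split(cmdline)
    for i, arg in enumerate(args):
        if arg == "--allow-unauthenticated":
            return True
        if arg in ("-o", "--option") and i + 1 < len(args):
            opt = args[i + 1]
        elif arg.startswith("-o") and len(arg) > 2:
            opt = arg[2:]
        elif arg.startswith("--option="):
            opt = arg[len("--option="):]
        else:
            continue
        key, _, value = opt.partition("=")
        if key.strip().lower() == "apt::get::allowunauthenticated" and value.strip().lower() in APT_TRUE:
            return True
    return False


if __name__ == "__main__":
    print("xdeb-like sample:", find_allow_unauthenticated(SAMPLE_XDEB))
    print("fixed sample    :", find_allow_unauthenticated(SAMPLE_FIXED))
    print("cli             :", cli_disables_signature_checks(
        "apt-get source -o APT::Get::AllowUnauthenticated=yes hello"))
```

Run it against a checkout with `find_allow_unauthenticated(open(path).read())` per module. The remediation side needs no code: deleting the `config.set` line is enough, because apt's default is to verify repository signatures, and a tool that genuinely needs to consume an unsigned local repository should make that an explicit, per-invocation opt-in rather than a global default applied to whatever `sources.list` names.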



More information about the Secure-testing-team mailing list