[Secure-testing-team] Bug#816897: sbuild --build-dep-resolver=aptitude will install packages from untrusted sources

Ansgar Burchardt ansgar at debian.org
Sun Mar 6 12:25:21 UTC 2016


Package: sbuild
Version: 0.68.0-1
Severity: serious
Tags: security

sbuild --build-dep-resolver=aptitude will install packages from
untrusted sources. I'm building a backport of dune-geometry in a
freshly created jessie-backports chroot. For this I added a local apt
repository

  deb file:///srv/apt/ansgar/pub jessie-backports main

to the chroot's sources.list (there is a bind mount set up too). The
signing key was *not* installed yet (as I forgot to do so).

Building the package with

  $ /usr/bin/sbuild -j8 -d jessie-backports -A \
    --build-dep-resolver=aptitude dune-geometry_2.4.1-1~bpo8+1.dsc

made apt in the chroot complain as expected:

+---
| W: GPG error: file: jessie-backports InRelease: The following signatures
| couldn't be verified because the public key is not available:
| NO_PUBKEY 4618504DFB3AD1E0
+---

But to my surprise, the aptitude solver went on to install packages from there:

+---
| aptitude -y --without-recommends -o Dpkg::Options::=--force-confold
|     -o Aptitude::CmdLine::Ignore-Trust-Violations=false [...]
|     install sbuild-build-depends-dune-geometry-dummy:amd64
| [...]
| The following actions will resolve these dependencies:
|
|       Install the following packages:
| 1)      libdune-common-dev [2.4.1-1~bpo8+1 (<NULL>)]
| [...]
| Selecting previously unselected package libdune-common-dev:amd64.
| Preparing to unpack .../libdune-common-dev_2.4.1-1~bpo8+1_amd64.deb ...
| Unpacking libdune-common-dev:amd64 (2.4.1-1~bpo8+1) ...
| [...]
| Setting up libdune-common-dev:amd64 (2.4.1-1~bpo8+1) ...
| [...]
| Package versions: [...] libdune-common-dev_2.4.1-1~bpo8+1 [...]
+---

I'm not sure if this is an issue with sbuild calling aptitude or with
aptitude. Feel free to reassign to aptitude (aptitude 0.6.11-1+b1 was
installed in the chroot).

(This was before the dune-common backport reached the archive.)

Ansgar

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable'), (100, 'buildd-unstable'), (100, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.3.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages sbuild depends on:
ii  adduser         3.113+nmu3
ii  apt-utils       1.2.4
ii  libsbuild-perl  0.68.0-1
ii  perl            5.22.1-7

Versions of packages sbuild recommends:
ii  debootstrap  1.0.79
ii  fakeroot     1.20.2-1

Versions of packages sbuild suggests:
pn  deborphan  <none>
ii  wget       1.17.1-1+b1

-- no debconf information
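The report above shows the two log artefacts a build operator can correlate to catch this situation after the fact: apt's `NO_PUBKEY` warning for an unverifiable InRelease file, and the aptitude resolver listing packages with a `(<NULL>)` archive origin, which is how the unsigned local repository appears in its output. The following post-build audit script is an added example, not code from the bug report, from sbuild or from aptitude. It assumes log lines shaped like the ones quoted in the report; the sample log, the function names `unverified_keys`, `null_origin_packages` and `audit_log` are all constructed for this illustration.

```shell
#!/bin/sh
# Constructed excerpt in the shape of the sbuild log quoted in the report
# (not the reporter's actual log); a second, trusted package is added so the
# origin filter has something to skip.
SAMPLE_LOG=$(cat <<'EOF'
W: GPG error: file: jessie-backports InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 4618504DFB3AD1E0
The following actions will resolve these dependencies:
      Install the following packages:
1)      libdune-common-dev [2.4.1-1~bpo8+1 (<NULL>)]
2)      libfoo-dev [1.0-1 (stable)]
Setting up libdune-common-dev:amd64 (2.4.1-1~bpo8+1) ...
EOF
)

# Print the key IDs apt reported as NO_PUBKEY, one per line, deduplicated.
# Empty output means every Release file verified.
unverified_keys() {
    printf '%s\n' "$1" | sed -n 's/.*NO_PUBKEY \([0-9A-Fa-f]*\).*/\1/p' | sort -u
}

# Print "package version" for every resolver choice whose archive origin is
# "<NULL>", i.e. a source apt could not attribute to a verified archive.
null_origin_packages() {
    printf '%s\n' "$1" \
        | sed -n 's/^[0-9]*)[[:space:]]*\([^ ]*\) \[\(.*\) (<NULL>)\].*/\1 \2/p'
}

# Verdict for a whole log: return 0 when clean, 1 when the resolver picked
# packages from an unattributed origin while a Release signature was missing.
audit_log() {
    audit_keys=$(unverified_keys "$1")
    audit_pkgs=$(null_origin_packages "$1")
    [ -z "$audit_keys" ] && return 0   # all repositories verified
    [ -z "$audit_pkgs" ] && return 0   # warning only, nothing taken from there
    return 1
}

# Stand-alone usage: audit the constructed sample.
if audit_log "$SAMPLE_LOG"; then
    echo "OK: no packages resolved from unverified repositories"
else
    echo "FAIL: unverified Release file(s), missing key(s): $(unverified_keys "$SAMPLE_LOG")"
    echo "      packages resolved from an untrusted origin:"
    null_origin_packages "$SAMPLE_LOG" | sed 's/^/        /'
fi
```

In practice the script would be run over the finished `.build` log (for example `audit_log "$(cat package_version_amd64.build)"`) as a gate before the resulting binaries are uploaded anywhere; it does not replace installing the repository's signing key in the chroot, which is the actual fix for the setup described above.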
