diff options
author | Simon Ruderich <simon@ruderich.org> | 2012-03-06 02:29:25 +0100 |
---|---|---|
committer | Junichi Uekawa <dancer@netfort.gr.jp> | 2012-03-09 07:56:42 +0900 |
commit | 78747b5f1081e3afa1d5e0147c4efdbd833b7d14 (patch) | |
tree | fb415523fa99290671f48f192aabbf6bb0cab5d3 /debian | |
parent | 3531748071ead7740ab1492d6e422cd3f4fae951 (diff) | |
download | pbuilder-78747b5f1081e3afa1d5e0147c4efdbd833b7d14.tar pbuilder-78747b5f1081e3afa1d5e0147c4efdbd833b7d14.tar.gz |
Bug#579028: pbuilder: installs untrusted packages without asking
Package: pbuilder
Version: 0.206
Tags: patch
Followup-For: Bug #579028
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Dear Maintainer,
The attached patch changes the defaults to always enforce signed
repositories and aborts if an untrusted/manipulated package is
installed. It adds the new option --keyring (APTKEYRINGS) to add
additional keyrings, which are then used to verify the (local)
signed repositories. This way no untrusted packages can be
installed.
To still allow untrusted/unsigned repositories - they are a very
bad idea and allow remote attackers performing a MITM to take
over the system, including all built packages - the new option
- --allow-untrusted (ALLOWUNTRUSTED) was added.
I tested it with the official Debian repository, signed and
unsigned local repositories and it works fine for me. But I'm
only a "normal" pbuilder user, so I might have missed something.
Please test the patch.
I haven't tested it with cdebootstrap, but it should work as
well.
The old PBUILDERSATISFYDEPENDSOPT --check-key option was
deprecated and is no longer used (it emits a warning now) as
validation is the default now.
The patch also contains documentation updates for the new
options/variables and updates for the NEWS file describing the
necessary changes to continue using untrusted packages (but
please don't do that - especially as a Debian developer).
Please have a look and include the patch as soon as possible to
fix this security issue.
Regards,
Simon
- -- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages pbuilder depends on:
ii cdebootstrap 0.5.8+b1
ii coreutils 8.13-3
ii debconf [debconf-2.0] 1.5.41
ii debianutils 4.2.1
ii debootstrap 1.0.38
ii dpkg-dev 1.16.1.2
ii wget 1.13.4-2
Versions of packages pbuilder recommends:
pn devscripts 2.11.4
pn fakeroot 1.18.2-1
pn sudo <none>
Versions of packages pbuilder suggests:
pn cowdancer <none>
pn gdebi-core <none>
pn pbuilder-uml <none>
- -- debconf information excluded
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iQIcBAEBCAAGBQJPVWhvAAoJEJL+/bfkTDL5ivAP/iayE8NRQnyk2HW8R+NiRXU3
uavLilwwpmEZyuciu8GxMQIAhT9HYd/DlkhF9I+yBSd30TO3fl0xW7YV9SaIZ+bv
IPwnZbHri4KfeV9Zob/gd2jrT9A2QCoFRW0ny4XNCK3NvtWH5KuH+TG2Mq5CQqdN
j4VJ3+76oJcbQbU7AUYXfvKDAsEb7gX+VwTEFLS4GrPkni/FIQJ8HHJhlTscyuCD
gQANCoRFZHVSMaas3xqi9KYFKgVS4BZ5Z/9FZuLeY5kWBfcbnIhQloVOWTQZIMRI
PhnqP1g62XlPu71K3a/Y2RMAcy3Gs6sUbW4OianIr2iskCndejih/MCb+3LmBFCg
Ekxi/CcJGrc7a0pV57Qs8Iwkm1siRZZUxcp4xdD3mo9iayoOt4sfFyrvBCYryilQ
7JKpQc3iNoV3EQql6KBu5G+GmFFWHmokpLvVY27n8LgkV2YSb2wrgxqXPfxcYHj7
0j/y2MFw+HOX/d5YSESMLxn9aiZBi7CkMtlMemzqizxlNlL/+OOZiDsi4vdH8L/j
Y0c2i9efjNeooc0/B9wASu/Ck8SWV8wW1EcfTag0p9Rp0avy4hoQUmG+MtgQsV0l
MQuWWysyxeJFX4Z8ooau82L6sIGC0L073JH6Y/C7uTOz9gKt+e5tV3fnU+pkWpqH
oF3CcmlykKX4SYzhUI/e
=6EPj
-----END PGP SIGNATURE-----
>From cadc48fb599d436577a6efedc7f25e175652a3a1 Mon Sep 17 00:00:00 2001
Message-Id: <cadc48fb599d436577a6efedc7f25e175652a3a1.1330997290.git.simon@ruderich.org>
From: Simon Ruderich <simon@ruderich.org>
Date: Tue, 6 Mar 2012 02:00:48 +0100
Subject: [PATCH] Enforce valid signed repositories by default.
Diffstat (limited to 'debian')
-rw-r--r-- | debian/NEWS | 19 | ||||
-rwxr-xr-x | debian/pbuilder-test/00_prepinstall | 2 |
2 files changed, 20 insertions, 1 deletions
diff --git a/debian/NEWS b/debian/NEWS index 6d144b9..80d36e9 100644 --- a/debian/NEWS +++ b/debian/NEWS @@ -1,3 +1,22 @@ +pbuilder (0.207) unstable; urgency=low + + The default configuration will now only install trusted packages. This + prevents building packages with manipulated sources or a system compromise + due to a man-in-the-middle attack. + + However this also prevents installing packages from unsigned repositories by + default. + + If you really want to continue using unsigned repositories, you have to set + ALLOWUNTRUSTED=yes in your .pbuilderrc or use the --allow-untrusted option. + But if possible use a signed repository and set the used keys with the new + --keyring option (can be passed multiple times). + + Due to this change the PBUILDERSATISFYDEPENDSOPT option --check-key is no + longer necessary and thus deprecated. + + -- Simon Ruderich <simon@ruderich.org> Tue, 06 Mar 2012 02:02:38 +0100 + pbuilder (0.197) unstable; urgency=low The default configuration will now enable ccache. To disable installation diff --git a/debian/pbuilder-test/00_prepinstall b/debian/pbuilder-test/00_prepinstall index 0c1d44c..1769cdd 100755 --- a/debian/pbuilder-test/00_prepinstall +++ b/debian/pbuilder-test/00_prepinstall @@ -1,4 +1,4 @@ #!/bin/bash # Prepare and install packages used in the tests. -apt-get install -y --force-yes sudo +apt-get install -y sudo |