Your message dated Sat, 10 Mar 2012 10:00:55 +0900
with message-id <87wr6txoag.dancerj%[email protected]>
and subject line forgot to close them in changelog.
has caused the Debian Bug report #579028,
regarding pbuilder: installs untrusted packages without asking
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
579028: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=579028
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: pbuilder
Version: 0.196
Severity: grave
Tags: security
Justification: user security hole
Hi,
pbuilder will by default install packages from untrusted sources. This
means the system can be compromised by a man in the middle providing
malicious packages. There also seems to be no way to get pbuilder to stop
doing so.
pbuilder should (in the default configuration) not install packages that
are not trusted, only when the user explicitly requests this.
Also when creating the chroot with debootstrap, the --keyring option
should be used so that debootstrap will check for a valid signature.
Regards,
Ansgar
-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (900, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=ja_JP.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
--- End Message ---
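An added example, not part of the original report and not pbuilder's own code: a shell check of a pbuilderrc-style file for the two gaps the report describes, a debootstrap run without `--keyring` and acceptance of unauthenticated packages. The sample configs are constructed, and the check assumes a pbuilder release that has the `DEBOOTSTRAPOPTS` and `ALLOWUNTRUSTED` settings, which the report itself does not mention.

```shell
#!/bin/sh
# Added example (not pbuilder code): flag pbuilderrc settings that leave
# package authentication off. Prints findings; exit status 1 if any.
audit_pbuilderrc() (
    opts="" in_opts=0 found=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                          # ignore comments
        if [ "$in_opts" -eq 1 ]; then             # inside a multi-line array
            opts="$opts $line"
            case $line in *\)*) in_opts=0 ;; esac
            continue
        fi
        case $line in
            *DEBOOTSTRAPOPTS=*)
                opts="$opts ${line#*=}"
                case $line in *\(*\)*) ;; *\(*) in_opts=1 ;; esac ;;
            *ALLOWUNTRUSTED=*yes*)
                echo "ALLOWUNTRUSTED=yes: unsigned repositories accepted"; found=1 ;;
        esac
        case $line in
            *--allow-unauthenticated*|*--force-yes*)
                echo "apt option disables signature enforcement: $line"; found=1 ;;
        esac
    done < "$1"
    case $opts in
        *--keyring*|*--force-check-gpg*) ;;       # either makes debootstrap verify
        *) echo "debootstrap: no --keyring, chroot bootstrap is unverified"; found=1 ;;
    esac
    [ "$found" -eq 0 ]
)

# Constructed sample configs for the demonstration.
weak=$(mktemp) hardened=$(mktemp)
cat > "$weak" <<'EOF'
MIRRORSITE=http://deb.debian.org/debian
DEBOOTSTRAPOPTS=('--variant=buildd')
ALLOWUNTRUSTED=yes
EOF
cat > "$hardened" <<'EOF'
MIRRORSITE=http://deb.debian.org/debian
DEBOOTSTRAPOPTS=(
  '--variant=buildd'
  '--keyring=/usr/share/keyrings/debian-archive-keyring.gpg'
)
ALLOWUNTRUSTED=no   # refuse unsigned repositories
EOF
audit_pbuilderrc "$weak" || echo "weak config: findings above"
audit_pbuilderrc "$hardened" && echo "hardened config: clean"
```

The check reads the file as text rather than sourcing it, so a config that builds these values dynamically needs manual review.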
--- Begin Message ---
pbuilder (0.207) unstable; urgency=low
.
[ Maarten Bezemer ]
* Bug#659581: pbuilder: does not autocomplete filename in all cases
correctly
* Bug#660838: pbuilder: Add complete bash_autocompletion for all flags
and arguments
* Bug#659703: pbuilder: Typo in error message
.
[ Junichi Uekawa ]
* Bug#660386: pbuilder: Remove /usr/X11R6/bin from default PATH
* make longer lines wrap so reading patch files aren't as painful.
.
[ Simon Ruderich ]
* Bug#579028: pbuilder: installs untrusted packages without asking
--- End Message ---