Your message dated Mon, 19 Jan 2015 07:18:39 +0000
with message-id <[email protected]>
and subject line Bug#774838: fixed in weboob 1.0-3
has caused the Debian Bug report #774838,
regarding weboob: insecure keyring handling
to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

--
774838: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774838
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: weboob
Version: 1.0-2
Severity: grave
Tags: security
Justification: security hole

Hi,

the keyring handling when adding a remote repository is… scary. Quoting weboob/core/repositories.py:

|         if not keyring.exists() or self.key_update > keyring.version:
|             # This is a remote repository, download file
|             try:
|                 keyring_data = browser.open(posixpath.join(self.url, self.KEYRING)).content
|                 sig_data = browser.open(posixpath.join(self.url, self.KEYRING + '.sig')).content
|             except BrowserHTTPError as e:
|                 raise RepositoryUnavailable(unicode(e))
|             if keyring.exists():
|                 if not keyring.is_valid(keyring_data, sig_data):
|                     raise InvalidSignature('the keyring itself')
|                 print('The keyring was updated (and validated by the previous one).')
|             else:
|                 print('First time saving the keyring, blindly accepted.')
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ !!!
|             keyring.save(keyring_data, self.key_update)
|             print(keyring)

I would expect the Debian packages to contain some kind of trust chain to bootstrap the keyring handling, and weboob to abort instead of “blindly accepting” in other cases.

Mraw,
KiBi.
--- End Message ---
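The flaw reported above is a trust-on-first-use bootstrap with no trust anchor: whoever answers the first HTTP fetch decides which keys every later repository signature is checked against. The following Python is an added illustration, not weboob's code and not the Debian patch that closed this bug. It models the reported control flow next to a hardened variant in which a first-time keyring must match a fingerprint shipped out of band (for instance inside the package), which is the kind of trust chain the report asks for, and aborts otherwise. The Keyring class, the HMAC-SHA256 "signature", the sample keyring bytes and the pinned fingerprint are all constructed stand-ins; weboob's real is_valid() verifies an OpenPGP signature with gpg.

```python
# Added illustration, not weboob's code.  The OpenPGP verification that
# weboob's Keyring.is_valid() does via gpg is replaced by an HMAC-SHA256
# stand-in so this runs offline; the control flow on first fetch is the point.
import hashlib
import hmac


class InvalidSignature(Exception): pass
class UntrustedKeyring(Exception): pass


class Keyring:
    """Locally stored keyring; in this toy the keyring bytes double as the verifying key."""

    def __init__(self):
        self.data = None
        self.version = 0

    def exists(self):
        return self.data is not None

    def is_valid(self, keyring_data, sig_data):
        # Stand-in for checking sig_data against the keys already trusted.
        expected = hmac.new(self.data, keyring_data, hashlib.sha256).digest()
        return hmac.compare_digest(expected, sig_data)

    def save(self, keyring_data, version):
        self.data = keyring_data
        self.version = version


def sign(key, data):
    # Repository side: the .sig that accompanies a keyring (stand-in for gpg).
    return hmac.new(key, data, hashlib.sha256).digest()


def fingerprint(keyring_data):
    return hashlib.sha256(keyring_data).hexdigest()


def update_keyring_tofu(keyring, fetched, key_update):
    """The reported logic: a first keyring is saved without any check."""
    keyring_data, sig_data = fetched
    if not keyring.exists() or key_update > keyring.version:
        if keyring.exists() and not keyring.is_valid(keyring_data, sig_data):
            raise InvalidSignature('the keyring itself')
        keyring.save(keyring_data, key_update)
    return keyring.data


def update_keyring_pinned(keyring, fetched, key_update, pinned_fingerprint):
    """Hardened: a first keyring must match a fingerprint shipped out of band
    (e.g. in the package); anything else aborts instead of being trusted."""
    keyring_data, sig_data = fetched
    if not keyring.exists() or key_update > keyring.version:
        if keyring.exists():
            if not keyring.is_valid(keyring_data, sig_data):
                raise InvalidSignature('the keyring itself')
        elif not hmac.compare_digest(fingerprint(keyring_data), pinned_fingerprint):
            raise UntrustedKeyring('first keyring does not match the pinned anchor')
        keyring.save(keyring_data, key_update)
    return keyring.data


# Constructed sample data: two genuine keyring generations and an attacker's.
GENUINE_V1 = b'genuine-keyring-v1'
GENUINE_V2 = b'genuine-keyring-v2'
ATTACKER = b'attacker-keyring'
PINNED = fingerprint(GENUINE_V1)  # what the package would ship as the anchor


def scenario_first_fetch_mitm():
    """No local keyring yet and the network answer is attacker-controlled."""
    forged = (ATTACKER, sign(ATTACKER, ATTACKER))  # self-signed; nobody checks it
    tofu_accepted = update_keyring_tofu(Keyring(), forged, 1) == ATTACKER
    try:
        update_keyring_pinned(Keyring(), forged, 1, PINNED)
        pinned = 'accepted'
    except UntrustedKeyring:
        pinned = 'rejected'
    return tofu_accepted, pinned


def scenario_honest_chain():
    """Pinned bootstrap, then an update signed by the previous keyring."""
    k = Keyring()
    update_keyring_pinned(k, (GENUINE_V1, sign(GENUINE_V1, GENUINE_V1)), 1, PINNED)
    update_keyring_pinned(k, (GENUINE_V2, sign(GENUINE_V1, GENUINE_V2)), 2, PINNED)
    return k.data, k.version


def scenario_forged_update():
    """An already trusted keyring is not replaced by a forgery."""
    k = Keyring()
    update_keyring_pinned(k, (GENUINE_V1, sign(GENUINE_V1, GENUINE_V1)), 1, PINNED)
    try:
        update_keyring_pinned(k, (ATTACKER, sign(ATTACKER, ATTACKER)), 2, PINNED)
        return 'accepted'
    except InvalidSignature:
        return 'rejected'
```

Run the three scenarios and the difference is visible at once: the TOFU path stores the attacker's keyring on a fresh install, while the pinned path rejects it and only ever accepts a first keyring whose fingerprint matches the shipped anchor; from then on each update is validated by the keyring before it, so a forged update is refused as well. The fix that actually closed this bug (see the 1.0-3 changelog below) takes a different route and prompts the user before accepting an untrusted keyring; the abort-on-mismatch shown here is the behaviour the reporter asked for. The fingerprint comparison uses hmac.compare_digest to avoid leaking the match position through timing.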
--- Begin Message ---
Source: weboob
Source-Version: 1.0-3

We believe that the bug you reported is fixed in the latest version of weboob, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Romain Bignon <[email protected]> (supplier of updated weboob package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 18 Jan 2015 16:07:58 +0100
Source: weboob
Binary: python-weboob python-weboob-core weboob weboob-qt
Architecture: source all
Version: 1.0-3
Distribution: unstable
Urgency: medium
Maintainer: Romain Bignon <[email protected]>
Changed-By: Romain Bignon <[email protected]>
Description:
 python-weboob - Weboob, Web Out Of Browsers - library
 python-weboob-core - transitional dummy package
 weboob     - CLI applications to interact with websites
 weboob-qt  - Qt applications to interact with websites
Closes: 774838
Changes:
 weboob (1.0-3) unstable; urgency=medium
 .
   * debian/patches/0004-prompt-user-to-accept-an-untrusted-keyring.patch:
     prompt user to accept an untrusted keyring when updating repositories
     (Closes: #774838).
Checksums-Sha1:
 a71637062ee1848437924b91ebb9a629586a92e2 2047 weboob_1.0-3.dsc
 837ef5365e7247f56d4e9edc87b2ad9cbfad7ccd 23448 weboob_1.0-3.debian.tar.xz
 4e6b00ea7d0f98a0c92b842ab01643248058657c 185794 python-weboob_1.0-3_all.deb
 665076c4e96f183816557404ce510080d60ec7b4 47020 python-weboob-core_1.0-3_all.deb
 8466f16dd248fe9cb3a9196a30859d51d5b93416 437156 weboob_1.0-3_all.deb
 6203157ea9e2672ff7ae5bcf1d259dff9b7a2d78 183130 weboob-qt_1.0-3_all.deb
Checksums-Sha256:
 07ffd36605c0447ca5f10dffb679b36352c784849e5db774f25adfb71a892e42 2047 weboob_1.0-3.dsc
 ffe0b126eb20d83c706993c96a6b479aa844eb01d56e1edf26a855437eab56ab 23448 weboob_1.0-3.debian.tar.xz
 0b6b3de0b44a08c2c0e701e1a16945a2aeab673e65e69dca4b90a0797f3055a3 185794 python-weboob_1.0-3_all.deb
 01d4acbe7e195c5c7e75840c906a99b64b4c2fd1cfe98dfaccd401b77b45d641 47020 python-weboob-core_1.0-3_all.deb
 caf8fdba3e90f3885e6a60f3a5058662e3c2226289297e2e64aaec9f01d31c32 437156 weboob_1.0-3_all.deb
 fd5c137e8f9835a980a337d775b8adab69d9fbf318895bb87a2fc4874517dc6e 183130 weboob-qt_1.0-3_all.deb
Files:
 cd775ae5f79dab97359f6a3469a1f662 2047 python optional weboob_1.0-3.dsc
 f4e36acba6c652d92e6d417424806e87 23448 python optional weboob_1.0-3.debian.tar.xz
 3a35dcd6604bbcfaec2cd9f590fc4221 185794 python optional python-weboob_1.0-3_all.deb
 ab1ed9c5c26f9f4dd1c69377da6de474 47020 oldlibs optional python-weboob-core_1.0-3_all.deb
 c58d31a8f30a5b34674f267efe6b3419 437156 python optional weboob_1.0-3_all.deb
 f6e7a17f5f947c52fe558c5bad229349 183130 python optional weboob-qt_1.0-3_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJUvK4ZAAoJEAVcSzX////+8T4P/icPnBLZl86dODe0RmN9m11T
6/ynj4m6vGaACrRXA9H71eSQidPekCBQvgo+7cI/WgP3QGB/pF/+2MpS3S87oDDK
CjGgCy0ew9zLV5vF55fujxn8t6SjGoWeG8w5cj6kDrBL3S7Itu2iGAYUkAxsFMfR
cooKHejDV04/8iAM1f4TQ/5NPIfNxhDMuySWba0A0pk8oKUfhcPh4kdMSkPEWwkg
S4nYa4ozsS50+/PGn3tQfBvrcSlfcdX/radr7OVIHftQo3zv2UHd/64KoTPcj1R6
pi0TQXZlDfHvwBr1Ek5BRyBFU7yOjd8d0/mxFInWzQgoqtmuLOF8Q+0Gxow92Hh9
xbCyNDWxu0uZr5gnplfesjYdWCcFdtPus8SzEwbPdWX2RKQWEiX2TaBzOtov1hc/
viTB/b7TtUlIIKiLlS6mGTzB3qpO1vA9aBtNoNKSJ+Z5UOOmlLyLURC+H2iQet8X
bWbiltV41wN1jlxd2FccOSRcMW6DH9gfnXNlErbeyQ/JlBpjLef0uHJlOPJzRatB
LUFUOA69hndxy44zH19/TE97z1PFhrMgY1vJRlKbt3F2xecmxMutdl0PM9kSINCz
BpEJyiIH7uAY9ooPgP4xRZhQBIW34Xl1ORExW7zC9HPjAisZ2Td9egvMCFXJxNbT
Ls1s9mQ+4VWlPjJNey/6
=MJC3
-----END PGP SIGNATURE-----
--- End Message ---