Package: git-buildpackage
Version: 0.6.0~git20120601
Severity: normal
Tags: patch

Currently, the message in the debian tag is just:

  "Debian release %s" % cp.version

This is a bad idea, because it means that the signed message itself
contains no mention of the project that is being worked on.

Since all git repositories are conceptually the same git repository
(some just have commits that others don't have), a malicious attacker
could inject tags from project A into the repository for project B and
the original developer's signature on those tags would be intact.

This is potentially a security problem.  For example: if there are
automated build systems that pull from a repo and verify signed tags
made by a known developer (and that developer contributes to multiple
projects), this conflation could be used to make those systems build
packages from an entirely other project.

The attached patch enforces the inclusion of the name of the package
into the tag's message.
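As an added example (not part of this report or of gbp itself), the verifier-side check that the automated build systems described above would need: once `git verify-tag` has accepted the signature, the build system must still confirm that the signed tag object names the package it is building, which is only possible with the package name in the message. The tag object layout is what `git cat-file -p <tag>` prints; the sample tag, the `debian/<version>` tag name and the placeholder signature are constructed.

```python
import re

# Message format written by the patched gbp: "<source> Debian release <version>".
MSG_RE = re.compile(r'^(?P<source>[a-z0-9][a-z0-9+.-]+) Debian release (?P<version>\S+)$')

def parse_tag_object(raw):
    """Split a raw tag object into its headers and the first message line.
    A trailing PGP signature block is not part of the message."""
    headers, _, body = raw.partition('\n\n')
    hdr = {}
    for line in headers.splitlines():
        key, _, value = line.partition(' ')
        hdr[key] = value
    message = body.split('-----BEGIN PGP SIGNATURE-----')[0].strip()
    first_line = message.splitlines()[0] if message else ''
    return hdr, first_line

def tag_binds_package(raw, expected_source, expected_version, expected_tag):
    """True only if the tag header carries the expected tag name and the signed
    message names the expected source package and version. A tag transplanted
    from another project has a valid signature but fails this check."""
    hdr, first_line = parse_tag_object(raw)
    if hdr.get('type') != 'commit' or hdr.get('tag') != expected_tag:
        return False
    m = MSG_RE.match(first_line)
    if not m:
        return False  # old-style "Debian release X" names no package at all
    return (m.group('source'), m.group('version')) == (expected_source, expected_version)

# Constructed sample tag objects; object id, tagger and signature are placeholders.
NEW_STYLE_TAG = """object 0123456789abcdef0123456789abcdef01234567
type commit
tag debian/0.6.0
tagger Example Dev <dev@example.org> 1370000000 +0000

git-buildpackage Debian release 0.6.0
-----BEGIN PGP SIGNATURE-----
(placeholder signature)
-----END PGP SIGNATURE-----
"""
# Same tag as gbp wrote it before the patch: no package name in the signed message.
OLD_STYLE_TAG = NEW_STYLE_TAG.replace("git-buildpackage Debian release", "Debian release")

if __name__ == "__main__":
    print(tag_binds_package(NEW_STYLE_TAG, "git-buildpackage", "0.6.0", "debian/0.6.0"))
    print(tag_binds_package(NEW_STYLE_TAG, "other-project", "0.6.0", "debian/0.6.0"))
    print(tag_binds_package(OLD_STYLE_TAG, "git-buildpackage", "0.6.0", "debian/0.6.0"))
```

The second call models the transplanted-tag case from the report: the signature would still verify, but the binding check rejects it because the message names a different package.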

Regards,

        --dkg


-- System Information:
Debian Release: 7.0
  APT prefers testing
  APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.8-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages git-buildpackage depends on:
ii  devscripts       2.12.6
ii  git              1:1.7.10.4-1+wheezy1
ii  python           2.7.3-4
ii  python-dateutil  1.5+dfsg-0.1
ii  python2.6        2.6.8-1.1
ii  python2.7        2.7.3-6

Versions of packages git-buildpackage recommends:
pn  cowbuilder    <none>
ii  pristine-tar  1.25

Versions of packages git-buildpackage suggests:
pn  python-notify  <none>
ii  unzip          6.0-8

-- debconf-show failed
diff --git a/gbp/scripts/buildpackage.py b/gbp/scripts/buildpackage.py
index 4137e66..f738f97 100755
--- a/gbp/scripts/buildpackage.py
+++ b/gbp/scripts/buildpackage.py
@@ -551,7 +551,7 @@ def main(argv):
             tag = repo.version_to_tag(options.debian_tag, cp.version)
             if options.retag and repo.has_tag(tag):
                 repo.delete_tag(tag)
-            repo.create_tag(name=tag, msg="Debian release %s" % cp.version,
+            repo.create_tag(name=tag, msg="%s Debian release %s" % (cp['Source'], cp.version),
                             sign=options.sign_tags, keyid=options.keyid)
             if options.posttag:
                 sha = repo.rev_parse("%s^{}" % tag)
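Review bot: the new `repo.create_tag(name=tag, msg="%s Debian release %s" % (cp['Source'], cp.version),` line runs well past 80 columns; move the `msg=` argument onto its own continuation line aligned with `sign=` so it matches the surrounding style. The change itself only closes the hole if the consumers described in the report act on it: a build system that trusts signed tags still has to compare the package name in the signed message against the source package it is building, because a valid signature on a transplanted tag is unchanged by this patch.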
