On Thu, Jun 12, 2014 at 11:44:20AM +0200, Thijs Kinkhorst wrote: [..] > > apt: no authentication checks for source packages > > The Debian security team has assigned CVE-2014-0478 to this issue. [..] > As for squeeze, if it's not too much extra work it would be great if an > update for squeeze was also possible. Perhaps it could also even include > the fix for https://security-tracker.debian.org/tracker/CVE-2011-3634?
Attached is the debdiff for squeeze. Additional testing is welcome (it works in my debian-squeeze environment). Cheers, Michael
diff -Nru apt-0.8.10.3+squeeze1/cmdline/apt-get.cc apt-0.8.10.3+squeeze2/cmdline/apt-get.cc --- apt-0.8.10.3+squeeze1/cmdline/apt-get.cc 2011-04-15 09:30:33.000000000 +0200 +++ apt-0.8.10.3+squeeze2/cmdline/apt-get.cc 2014-06-12 15:03:48.000000000 +0200 @@ -959,25 +959,8 @@ return true; } /*}}}*/ -// CheckAuth - check if each download comes form a trusted source /*{{{*/ -// --------------------------------------------------------------------- -/* */ -static bool CheckAuth(pkgAcquire& Fetcher) +static bool AuthPrompt(std::string UntrustedList, bool const PromptUser) { - string UntrustedList; - for (pkgAcquire::ItemIterator I = Fetcher.ItemsBegin(); I < Fetcher.ItemsEnd(); ++I) - { - if (!(*I)->IsTrusted()) - { - UntrustedList += string((*I)->ShortDesc()) + " "; - } - } - - if (UntrustedList == "") - { - return true; - } - ShowList(c2out,_("WARNING: The following packages cannot be authenticated!"),UntrustedList,""); if (_config->FindB("APT::Get::AllowUnauthenticated",false) == true) @@ -986,6 +969,9 @@ return true; } + if (PromptUser == false) + return _error->Error(_("Some packages could not be authenticated")); + if (_config->FindI("quiet",0) < 2 && _config->FindB("APT::Get::Assume-Yes",false) == false) { 
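Review bot: The new `AuthPrompt` in the first hunk has no header comment and no opening fold marker, while the `CheckAuth` re-added in the `@@ -1003,6 +989,27 @@` hunk ends with `}` and no closing `/*}}}*/`, so the file's fold markers no longer pair up. I would give AuthPrompt its own header, e.g. `// AuthPrompt - warn about untrusted items; fail without asking when PromptUser is false /*{{{*/`, and close CheckAuth with `/*}}}*/`. The header should say that only `APT::Get::AllowUnauthenticated` lets the call succeed when PromptUser is false, since that is the contract the source path relies on. `UntrustedList` is only read in the lines the hunks show, so `std::string const &UntrustedList` would avoid a copy. AuthPrompt's body continues outside these hunks.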
@@ -1003,6 +989,27 @@ return _error->Error(_("There are problems and -y was used without --force-yes")); } /*}}}*/ +// CheckAuth - check if each download comes form a trusted source /*{{{*/ +// --------------------------------------------------------------------- +/* */ +static bool CheckAuth(pkgAcquire& Fetcher, bool PromptUser=true) +{ + string UntrustedList; + for (pkgAcquire::ItemIterator I = Fetcher.ItemsBegin(); I < Fetcher.ItemsEnd(); ++I) + { + if (!(*I)->IsTrusted()) + { + UntrustedList += string((*I)->ShortDesc()) + " "; + } + } + + if (UntrustedList == "") + { + return true; + } + + return AuthPrompt(UntrustedList, PromptUser); +} // InstallPackages - Actually download and install the packages /*{{{*/ // --------------------------------------------------------------------- /* This displays the informative messages describing what is going to @@ -2229,6 +2236,7 @@ // Load the requestd sources into the fetcher unsigned J = 0; + std::string UntrustedList; for (const char **I = CmdL.FileList + 1; *I != 0; I++, J++) { string Src; @@ -2237,6 +2245,9 @@ if (Last == 0) return _error->Error(_("Unable to find a source package for %s"),Src.c_str()); + if (Last->Index().IsTrusted() == false) + UntrustedList += Src + " "; + string srec = Last->AsStr(); string::size_type pos = srec.find("\nVcs-"); while (pos != string::npos) @@ -2319,6 +2330,11 @@ } } + // check authentication status of the source as well + if (UntrustedList != "" && !AuthPrompt(UntrustedList, false)) + return false; + + // Display statistics unsigned long long FetchBytes = Fetcher.FetchNeeded(); unsigned long long FetchPBytes = Fetcher.PartialPresent(); diff -Nru apt-0.8.10.3+squeeze1/debian/changelog apt-0.8.10.3+squeeze2/debian/changelog --- apt-0.8.10.3+squeeze1/debian/changelog 2011-04-15 09:30:33.000000000 +0200 +++ apt-0.8.10.3+squeeze2/debian/changelog 2014-06-12 15:07:49.000000000 +0200 
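Review bot: The call `AuthPrompt(UntrustedList, false)` in the `@@ -2319,6 +2330,11 @@` hunk passes a bare `false`, and the comment above it does not say that unauthenticated source downloads are refused outright rather than confirmed interactively. I would write the argument as `AuthPrompt(UntrustedList, /*PromptUser=*/false)` and extend the comment to `// check authentication status of the source as well; never prompt, only APT::Get::AllowUnauthenticated overrides`. The enclosing function starts and ends outside the hunk.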
@@ -1,3 +1,14 @@ +apt (0.8.10.3+squeeze2) squeeze-security; urgency=high + + * SECURITY UPDATE: apt-get source validation (closes: #749795) + - CVE-2014-0478 + * SECURITY UPDATE: sensitive information disclosure via incorrect + hostname validation (LP: #868353) + - methods/https.cc: properly set CURLOPT_SSL_VERIFYHOST. + - CVE-2011-3634 + + -- Michael Vogt <m...@debian.org> Thu, 12 Jun 2014 14:30:59 +0200 + apt (0.8.10.3+squeeze1) stable; urgency=low [ Michael Vogt ] diff -Nru apt-0.8.10.3+squeeze1/methods/https.cc apt-0.8.10.3+squeeze2/methods/https.cc --- apt-0.8.10.3+squeeze1/methods/https.cc 2011-04-15 09:30:33.000000000 +0200 +++ apt-0.8.10.3+squeeze2/methods/https.cc 2014-06-12 14:32:46.000000000 +0200 @@ -143,13 +143,11 @@ curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, peer_verify); // ... and hostname against cert CN or subjectAltName - int default_verify = 2; bool verify = _config->FindB("Acquire::https::Verify-Host",true); knob = "Acquire::https::"+remotehost+"::Verify-Host"; verify = _config->FindB(knob.c_str(),verify); - if (!verify) - default_verify = 0; - curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, verify); + int const default_verify = (verify == true) ? 2 : 0; + curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, default_verify); // Also enforce issuer of server certificate using its cert string issuercert = _config->Find("Acquire::https::IssuerCert",""); diff -Nru apt-0.8.10.3+squeeze1/test/integration/framework apt-0.8.10.3+squeeze2/test/integration/framework --- apt-0.8.10.3+squeeze1/test/integration/framework 2011-04-15 09:30:33.000000000 +0200 +++ apt-0.8.10.3+squeeze2/test/integration/framework 2014-06-12 14:30:45.000000000 +0200 
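Review bot: `default_verify` in the methods/https.cc hunk is declared `int const` and handed to the variadic `curl_easy_setopt`, but libcurl documents `CURLOPT_SSL_VERIFYHOST` as taking a `long`, so on platforms where `long` is wider than `int` the value the library reads is not guaranteed to be the one passed. I would declare it `long const verify_host = verify ? 2L : 0L;` and pass that; the new name also fits better now that the variable holds the effective setting rather than a default. The return value of `curl_easy_setopt` is ignored on this line, so a rejected option would go unnoticed; whether that matters depends on code outside the hunk. The enclosing function starts and ends outside the hunk.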
@@ -92,7 +92,7 @@ mkdir rootdir aptarchive keys cd rootdir mkdir -p etc/apt/apt.conf.d etc/apt/sources.list.d etc/apt/trusted.gpg.d etc/apt/preferences.d - mkdir -p var/cache var/lib var/log + mkdir -p var/cache var/lib var/log tmp mkdir -p var/lib/dpkg/info var/lib/dpkg/updates var/lib/dpkg/triggers local STATUSFILE=$(echo "$(basename $0)" | sed -e 's/^test-/status-/' -e 's/^skip-/status-/') if [ -f "${TESTDIR}/${STATUSFILE}" ]; then @@ -528,3 +528,35 @@ fi msgpass } + +testsuccess() { + if [ "$1" = '--nomsg' ]; then + shift + else + msgtest 'Test for successful execution of' "$*" + fi + local OUTPUT="${TMPWORKINGDIRECTORY}/rootdir/tmp/testsuccess.output" + if $@ >${OUTPUT} 2>&1; then + msgpass + else + echo >&2 + cat >&2 $OUTPUT + msgfail + fi +} + +testfailure() { + if [ "$1" = '--nomsg' ]; then + shift + else + msgtest 'Test for failure in execution of' "$*" + fi + local OUTPUT="${TMPWORKINGDIRECTORY}/rootdir/tmp/testfailure.output" + if $@ >${OUTPUT} 2>&1; then + echo >&2 + cat >&2 $OUTPUT + msgfail + else + msgpass + fi +} diff -Nru apt-0.8.10.3+squeeze1/test/integration/test-apt-get-source-authenticated apt-0.8.10.3+squeeze2/test/integration/test-apt-get-source-authenticated --- apt-0.8.10.3+squeeze1/test/integration/test-apt-get-source-authenticated 1970-01-01 01:00:00.000000000 +0100 +++ apt-0.8.10.3+squeeze2/test/integration/test-apt-get-source-authenticated 2014-06-12 14:30:45.000000000 +0200 
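Review bot: Both new helpers in the `@@ -528,3 +528,35 @@` hunk run the command under test as an unquoted `$@`, so any argument containing whitespace or glob characters is re-split before execution and the test may exercise a different command line than the one `msgtest` printed. I would use `if "$@" >"${OUTPUT}" 2>&1; then` in `testsuccess` and `testfailure`, and quote the path in `cat >&2 "$OUTPUT"` as well. `testfailure` also passes on any non-zero exit, including a crash or a missing binary, so a short comment telling callers to follow up with an output check when the reason for the failure matters would help.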
@@ -0,0 +1,31 @@
+#!/bin/sh
+#
+# Regression test for debian bug #749795. Ensure that we fail with
+# a error if apt-get source foo will download a source that comes
+# from a unauthenticated repository
+#
+set -e
+
+TESTDIR=$(readlink -f $(dirname $0))
+. $TESTDIR/framework
+
+setupenvironment
+configarchitecture "i386"
+
+# a "normal" package with source and binary
+buildsimplenativepackage 'foo' 'all' '2.0'
+
+setupaptarchive --no-update
+
+APTARCHIVE=$(readlink -f ./aptarchive)
+rm -f $APTARCHIVE/dists/unstable/*Release*
+
+# update without authenticated InRelease file
+testsuccess aptget update
+
+# this all should fail
+testfailure aptget install -y foo
+testfailure aptget source foo
+
+# allow overriding the warning
+testsuccess aptget source --allow-unauthenticated foo
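Review bot: The test only covers an archive whose Release files were deleted (`rm -f $APTARCHIVE/dists/unstable/*Release*`); it does not cover a Release file that is present but unsigned, or signed by a key outside the trusted keyring, which is presumably the other way an index ends up untrusted. Adding those cases would pin the behaviour of `aptget source` more completely. The two `testfailure` lines accept any non-zero exit, so I would also check the captured output for the `Some packages could not be authenticated` message added in the apt-get.cc hunk. `$(dirname $0)` and `$TESTDIR/framework` should be quoted so the test also runs from a path containing spaces.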