Package: apt-listbugs Version: 0.1.16 Severity: wishlist Tags: patch security
apt-listbugs uses an unencrypted connection to communicate with the BTS, leaking information about installed packages and versions. (Note that apt can talk https--and I see 26 Debian mirrors with valid certificates, including mirrors.kernel.org.) This turns out to be trivial to fix--just replace "http:" with "https:". The ruby libraries and the BTS already support it. The attached patch tries to do it properly to avoid breaking any local setups that depend on an unencrypted SOAP connection: * Change the default URL to use https. * Add -u / --url / AptListbugs::URL settings to specify a full URL, including protocol. * Consider -H and -p deprecated; specifying either will trigger the old (unencrypted) behaviour. * Update documentation. - Michael -- System Information: Debian Release: stretch/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Foreign Architectures: arm64 Kernel: Linux 4.0.0-2-amd64 (SMP w/8 CPU cores) Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: sysvinit (via /sbin/init) Versions of packages apt-listbugs depends on: ii apt 1.0.9.10 ii ruby 1:2.1.5.1 ii ruby-debian 0.3.9+b1 ii ruby-gettext 3.1.2-1 ii ruby-soap4r 2.0.5-3 ii ruby-unicode 0.4.4-2+b4 ii ruby-xmlparser 0.7.3-1+b1 ii ruby1.9.1 [ruby-interpreter] 1.9.3.484-2 ii ruby2.0 [ruby-interpreter] 2.0.0.484+really457-3 ii ruby2.1 [ruby-interpreter] 2.1.5-3 Versions of packages apt-listbugs recommends: ii ruby-httpclient 2.3.3-3.1 Versions of packages apt-listbugs suggests: ii chromium [www-browser] 43.0.2357.130-1 ii debianutils 4.5.1 ii dillo [www-browser] 3.0.5-1 ii elinks [www-browser] 0.12~pre6-10 ii iceweasel [www-browser] 38.1.0esr-3 ii links [www-browser] 2.9-3 ii lynx-cur [www-browser] 2.8.9dev6-3 ii reportbug 6.6.3 ii w3m [www-browser] 0.5.3-22 -- no debconf information
diff -ur apt-listbugs-0.1.16-orig/apt-listbugs apt-listbugs-0.1.16/apt-listbugs --- apt-listbugs-0.1.16-orig/apt-listbugs 2014-08-25 13:41:12.000000000 -0400 +++ apt-listbugs-0.1.16/apt-listbugs 2015-07-16 20:33:43.925422599 -0400 @@ -46,7 +46,7 @@ == USAGE -apt-listbugs [-h] [-v] [-s <severities>] [-T <tags>] [-S <states>] [-B <bug#>] [-D] [-H <hostname>] [-p <port>] [-P <priority>] [-E <title>] [-q] [-C <apt.conf>] [-F] [-y] [-n] [-d] <command> [arguments] +apt-listbugs [-h] [-v] [-s <severities>] [-T <tags>] [-S <states>] [-B <bug#>] [-D] [-u <url>] [-P <priority>] [-E <title>] [-q] [-C <apt.conf>] [-F] [-y] [-n] [-d] <command> [arguments] == OPTIONS @@ -104,14 +104,21 @@ Show bugs of downgraded packages. (apt mode only) +* -u <url>, --url <url> + + Specifies the SOAP URL for the Debian Bug Tracking System + [https://bugs.debian.org:443/cgi-bin/soap.cgi]. The default URL may be + changed by setting the AptListbugs::URL configuration option. + * -H <hostname>, --hostname <hostname> - Specifies the hostname of the Debian Bug Tracking System [bugs.debian.org]. + Specifies the hostname of the Debian Bug Tracking System + (deprecated, and disables https; use --url instead). * -p <port>, --port <port> Specifies the port number of the web interface of the Debian Bug - Tracking System [80]. + Tracking System (deprecated, and disables https; use --url instead). * -P <priority>, --pin-priority <priority> @@ -214,6 +221,10 @@ Useful for setting HTTP proxy for apt-listbugs. The special keyword 'DIRECT' will disable proxy. +: AptListbugs::URL + + Default SOAP URL for the Debian Bug Tracking System. + : AptListbugs::Severities Default (comma-separated) list of bug severities to be shown. When diff -ur apt-listbugs-0.1.16-orig/lib/apt-listbugs/logic.rb apt-listbugs-0.1.16/lib/apt-listbugs/logic.rb --- apt-listbugs-0.1.16-orig/lib/apt-listbugs/logic.rb 2014-08-25 13:41:12.000000000 -0400 +++ apt-listbugs-0.1.16/lib/apt-listbugs/logic.rb 2015-07-16 20:40:29.519387373 -0400 @@ -42,6 +42,12 @@ QUERYBTS = "/usr/bin/querybts" WWW_BROWSER = "/usr/bin/www-browser" SENSIBLE_BROWSER = "/usr/bin/sensible-browser" + DEFAULT_URL = "https://bugs.debian.org:443/cgi-bin/soap.cgi" + # The default hostname and port are for backwards compatibility, + # and won't be used if neither --hostname nor --port is specified. + # They don't support https, so --url is preferred. + DEFAULT_HOSTNAME = "bugs.debian.org" + DEFAULT_PORT = 80 def usage $stderr.print _("Usage: "), File.basename($0), @@ -56,8 +62,7 @@ sprintf(_(" -S <states> : Filter bugs by pending-state categories you want to see\n [%s].\n"), @stats.join(',')), _(" -B <bug#> : Filter bugs by number, showing only the specified bugs.\n"), _(" -D : Show downgraded packages, too.\n"), - sprintf(_(" -H <hostname> : Hostname of Debian Bug Tracking System [%s].\n"), @hostname), - sprintf(_(" -p <port> : Port number of the server [%s].\n"), @port), + sprintf(_(" -u <url> : SOAP URL for Debian Bug Tracking System [%s].\n"), DEFAULT_URL), sprintf(_(" -P <priority> : Pin-Priority value [%s].\n"), @pin_priority), _(" -E <title> : Title of RSS output.\n"), _(" -q : Don't display progress bar.\n"), @@ -86,8 +91,9 @@ ["done", _("Resolved in some Version")]] @fbugs = nil @show_downgrade = false - @hostname = "bugs.debian.org" - @port = 80 + @soapurl = nil + @hostname = nil + @port = nil @parsestep = 200 @quiet = false @command = nil @@ -149,6 +155,7 @@ ['--stats', '-S', GetoptLong::REQUIRED_ARGUMENT], ['--bugs', '-B', GetoptLong::REQUIRED_ARGUMENT], ['--show-downgrade', '-D', GetoptLong::NO_ARGUMENT], + ['--url', '-u', GetoptLong::REQUIRED_ARGUMENT], ['--hostname', '-H', GetoptLong::REQUIRED_ARGUMENT], ['--port', '-p', GetoptLong::REQUIRED_ARGUMENT], ['--pin-priority', '-P', GetoptLong::REQUIRED_ARGUMENT], @@ -185,6 +192,8 @@ @fbugs = optargs.split(',') when '--show-downgrade' @show_downgrade = true + when '--url' + @soapurl = optargs when '--hostname' @hostname = optargs when '--port' @@ -280,8 +289,30 @@ exit 1 end + if @soapurl == nil + if @hostname == nil && @port == nil + if /soapurl='(.*)'/ =~ `apt-config #{@apt_conf} shell soapurl AptListbugs::URL` + @soapurl = $1 + else + @soapurl = DEFAULT_URL + end + else + if @hostname == nil + @hostname = DEFAULT_HOSTNAME + end + if @port == nil + @port = DEFAULT_PORT + end + @soapurl="http://#{@hostname}:#{@port}/cgi-bin/soap.cgi" + end + else + if @hostname != nil || @port != nil + $stderr.puts _("W: ") + _("hostname and port options were overridden by a URL option.") + end + end + @parser = - Debian::BTS::Parser::SoapIndex.new(@hostname, @port) + Debian::BTS::Parser::SoapIndex.new(@soapurl) if FileTest.executable?("#{QUERYBTS}") @querybts = QUERYBTS diff -ur apt-listbugs-0.1.16-orig/lib/debian/bts.rb apt-listbugs-0.1.16/lib/debian/bts.rb --- apt-listbugs-0.1.16-orig/lib/debian/bts.rb 2014-08-25 13:41:12.000000000 -0400 +++ apt-listbugs-0.1.16/lib/debian/bts.rb 2015-07-16 19:10:08.463611531 -0400 @@ -31,23 +31,21 @@ module BTS class Parser - def initialize(host, port) - @host = host - @port = port + def initialize(url) + @soapurl = url end # use SOAP interface to obtain the index. class SoapIndex < Parser - def initialize(host, port) - @host = host - @port = port + def initialize(url) + @soapurl = url @indexes = {} @buf = nil end def parse_bug(bugnum) require 'debian/btssoap' - soap = Debian::BTSSOAP::Soap.new(@host, @port) + soap = Debian::BTSSOAP::Soap.new(@soapurl) sa = Debian::BTSSOAP::StringArray.new # query the BTS about the given bug number @@ -58,7 +56,7 @@ def parse(ma_copies, parsestep, severities = ["critical", "grave"]) require 'debian/btssoap' - soap = Debian::BTSSOAP::Soap.new(@host, @port) + soap = Debian::BTSSOAP::Soap.new(@soapurl) sa = Debian::BTSSOAP::StringArray.new bugs = Debian::Bugs.new diff -ur apt-listbugs-0.1.16-orig/lib/debian/btssoap.rb apt-listbugs-0.1.16/lib/debian/btssoap.rb --- apt-listbugs-0.1.16-orig/lib/debian/btssoap.rb 2014-08-25 13:41:12.000000000 -0400 +++ apt-listbugs-0.1.16/lib/debian/btssoap.rb 2015-07-16 19:18:06.512542474 -0400 @@ -23,8 +23,8 @@ module BTSSOAP class StringArray < Array; end class Soap - def initialize(host = "bugs.debian.org", port = 80) - @server="http://#{host}:#{port}/cgi-bin/soap.cgi" + def initialize(soapurl) + @server=soapurl @ns = 'Debbugs/SOAP/' @drv = SOAP::RPC::Driver.new(@server, @ns) @drv.wiredump_dev = STDOUT if $DEBUG
signature.asc
Description: Digital signature