Package: pbuilder
Version: 0.196
Severity: grave
Tags: security
Justification: user security hole
Hi,

pbuilder will by default install packages from untrusted sources. This means the system can be compromised by a man in the middle providing malicious packages. There also seems to be no way to get pbuilder to stop doing so.

pbuilder should (in the default configuration) not install packages that are not trusted, only when the user explicitly requests this.

Also when creating the chroot with debootstrap, the --keyring option should be used so that debootstrap will check for a valid signature.

Regards,
Ansgar

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (900, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=ja_JP.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
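As an added example (not part of the bug report or of pbuilder itself), a bash function that audits a pbuilderrc for the two settings the report asks for: a --keyring passed to debootstrap, and no permission for unauthenticated packages in the chroot. The function name and the two sample configurations are constructed for illustration; ALLOWUNTRUSTED is a pbuilderrc option that appeared later than the version reported here.

```bash
#!/bin/bash
# Audit a pbuilderrc (a bash file that pbuilder sources) for signature checks.
# Returns 0 only if the file both passes --keyring to debootstrap and does
# not set ALLOWUNTRUSTED=yes; prints the failing condition on stderr.
check_pbuilderrc() {
    local file="$1"
    # Locals are dynamically scoped, so the sourced file assigns into these.
    local DEBOOTSTRAPOPTS=() ALLOWUNTRUSTED=""
    # shellcheck disable=SC1090
    . "$file" || return 2
    local keyring_ok=1 opt
    for opt in "${DEBOOTSTRAPOPTS[@]}"; do
        case "$opt" in --keyring=*|--keyring) keyring_ok=0 ;; esac
    done
    [ "$keyring_ok" -eq 0 ] || {
        echo "$file: debootstrap runs without --keyring (Release signature unchecked)" >&2
        return 1
    }
    [ "${ALLOWUNTRUSTED:-no}" != "yes" ] || {
        echo "$file: ALLOWUNTRUSTED=yes lets apt install unsigned packages" >&2
        return 1
    }
    return 0
}

# Constructed sample configurations (not taken from any real system).
WEAK_RC=$(mktemp) HARD_RC=$(mktemp)
trap 'rm -f "$WEAK_RC" "$HARD_RC"' EXIT
cat >"$WEAK_RC" <<'EOF'
# default-style config: no keyring, so a MITM mirror is accepted silently
DISTRIBUTION=sid
MIRRORSITE=http://ftp.debian.org/debian
EOF
cat >"$HARD_RC" <<'EOF'
# hardened config: verify the Release signature and refuse untrusted packages
DISTRIBUTION=sid
MIRRORSITE=http://ftp.debian.org/debian
DEBOOTSTRAPOPTS=("${DEBOOTSTRAPOPTS[@]}" "--keyring=/usr/share/keyrings/debian-archive-keyring.gpg")
ALLOWUNTRUSTED=no
EOF
```

The keyring path in the hardened sample is the one installed by the debian-archive-keyring package; debootstrap fails at chroot creation if that file is missing rather than falling back to an unchecked download.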