Bug#545900: pbuilder uses debootstrap in an insecure way

tag 545900 + confirmed
stop

On Wed, Sep 09, 2009, Christoph Anton Mitterer wrote:
> I've seen that you cache packages in /var/cache/pbuilder/aptcache
> How are these retrieved? Are they verified against the archive keyrings?

pbuilder has historically passed Aptitude::CmdLine::Ignore-Trust-Violations=true when installing packages with aptitude and -y --force-yes when installing packages with apt-get, so missing or incorrect signatures won't prevent a package from being installed.

-- 
Loïc Minier

-- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#545900: pbuilder uses debootstrap in an insecure way

On Wed, 2009-12-30 at 11:44 +0100, Loïc Minier wrote:
> pbuilder has historically passed Aptitude::CmdLine::Ignore-Trust-Violations=true when installing packages with aptitude and -y --force-yes when installing packages with apt-get, so missing or incorrect signatures won't prevent a package from being installed.

I'd suggest to change this behaviour to something more secure ;)

Cheers,
Chris.

Bug#545900: pbuilder uses debootstrap in an insecure way

Known bug and duplicate, check the BTS.

At Wed, 09 Sep 2009 23:15:51 +0200, Christoph Anton Mitterer wrote:
> Package: pbuilder
> Version: 0.189
> Severity: important
> Tags: security
>
> Hi.
>
> debootstrap (unlike cdebootstrap IIRC) does not check signatures on any packages per default, but only when the --keyring option is used.
>
> This has the potential security problem, that users are building (and thus executing code) that is not verified.
>
> I would suggest that you at least add a:
> DEBOOTSTRAPOPTS=--keyring=/set-this-file
> to the default template.
>
> But this still is,.. well not a good solution, so I'd suggest the following:
> 1) Add options to pbuilder itself:
>    - A mandatory --keyring= option to specify the keyring to be used and that is passed on to [c]debootstrap
>    - An option like --do-not-verify-signatures (including some warnings that this is dangerous),.. and only if this is set,... --keyring may be omitted.
> 2) If nothing of the above is specified, pbuilder should fail.
>
> I'm not sure about the following:
> - As pbuilder installs stuff inside the already bootstrapped chroot, there may be additional possibilities for insecure packages. But I assume you use always apt there, right? And this should use keys,.. well at least with debootstrap they're copied into the chroot (IIRC),... not sure about cdebootstrap.
> - Is this already a problem with current build daemons or whatever? And should we inform those guys on this problem?
>
> Regards,
> Chris.

Bug#545900: pbuilder uses debootstrap in an insecure way

Package: pbuilder
Version: 0.189
Severity: important
Tags: security

Hi.

debootstrap (unlike cdebootstrap IIRC) does not check signatures on any packages per default, but only when the --keyring option is used.

This has the potential security problem, that users are building (and thus executing code) that is not verified.

I would suggest that you at least add a:
DEBOOTSTRAPOPTS=--keyring=/set-this-file
to the default template.

But this still is,.. well not a good solution, so I'd suggest the following:
1) Add options to pbuilder itself:
   - A mandatory --keyring= option to specify the keyring to be used and that is passed on to [c]debootstrap
   - An option like --do-not-verify-signatures (including some warnings that this is dangerous),.. and only if this is set,... --keyring may be omitted.
2) If nothing of the above is specified, pbuilder should fail.

I'm not sure about the following:
- As pbuilder installs stuff inside the already bootstrapped chroot, there may be additional possibilities for insecure packages. But I assume you use always apt there, right? And this should use keys,.. well at least with debootstrap they're copied into the chroot (IIRC),... not sure about cdebootstrap.
- Is this already a problem with current build daemons or whatever? And should we inform those guys on this problem?

Regards,
Chris.

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.30-heisenberg (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_DE.UTF-8, LC_CTYPE=en_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages pbuilder depends on:
ii  coreutils              7.5-4      GNU core utilities
ii  debconf [debconf-2.0]  1.5.27     Debian configuration management sy
ii  debianutils            3.2.1      Miscellaneous utilities specific t
ii  debootstrap            1.0.15     Bootstrap a basic Debian system
ii  wget                   1.11.4-4   retrieves files from the web

Versions of packages pbuilder recommends:
ii  devscripts             2.10.54    scripts to make the life of a Debi
ii  fakeroot               1.13       Gives a fake root environment
ii  sudo                   1.7.2p1-1  Provide limited super user privile

Versions of packages pbuilder suggests:
pn  cowdancer              none       (no description available)
pn  gdebi                  none       (no description available)
pn  pbuilder-uml           none       (no description available)

-- debconf information:
* pbuilder/mirrorsite: ftp://ftp.de.debian.org/debian/
  pbuilder/nomirror:
* pbuilder/rewrite: false

This message was sent using IMP, the Internet Messaging Program.

Bug#545900: pbuilder uses debootstrap in an insecure way

May I add:
I've seen that you cache packages in /var/cache/pbuilder/aptcache
How are these retrieved? Are they verified against the archive keyrings?

Cheers,
Chris.
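
The two conditions raised in this thread (debootstrap run without --keyring, and apt-get/aptitude invoked with options that override signature failures) can be checked in a pbuilder configuration file with a short text scan. This is an added example, not pbuilder's code and not part of any message above. The variable name EXAMPLE_APT_OPTS and the sample file are constructed; --no-check-gpg (debootstrap) and --allow-unauthenticated (apt-get) are real flags that the thread does not mention.

```shell
#!/bin/sh
# audit_pbuilderrc FILE
# Prints one finding per line. Returns 0 when nothing is flagged, 1 otherwise.
# This is a text scan only: it does not source or evaluate the file.
audit_pbuilderrc() {
    _rc=$1
    _bad=0
    # Drop comments so a commented-out setting is not counted as active.
    _active=$(sed -e 's/#.*$//' "$_rc")

    # debootstrap verifies the archive signature only when --keyring is passed.
    if ! printf '%s\n' "$_active" | grep -q -e '--keyring'; then
        echo "no-keyring: nothing passes --keyring to debootstrap"
        _bad=1
    fi

    # Options that let installation continue despite missing or bad signatures.
    for _pat in '--no-check-gpg' '--force-yes' '--allow-unauthenticated' \
                'Ignore-Trust-Violations=true'; do
        if printf '%s\n' "$_active" | grep -q -F -e "$_pat"; then
            echo "trust-bypass: $_pat"
            _bad=1
        fi
    done
    return $_bad
}

# Constructed sample: the keyring line is commented out and apt is told
# to ignore authentication failures.
sample=$(mktemp)
cat > "$sample" <<'EOF'
MIRRORSITE=ftp://ftp.de.debian.org/debian/
# DEBOOTSTRAPOPTS=--keyring=/set-this-file
EXAMPLE_APT_OPTS="-y --force-yes"
EOF
audit_pbuilderrc "$sample" || echo "result: insecure configuration"
rm -f "$sample"
```

A clean result only means the file itself sets no override; options hard-coded in the tool, as Loïc Minier describes for pbuilder, are outside what a configuration scan can see.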