Bug#754041: apt-get build-dep pkgname no longer secure when cwd=/tmp
On Sun, Jul 06, 2014 at 11:49:26PM +0200, Jakub Wilk wrote:
> Package: apt
> Version: 1.1~exp1
> Severity: minor
> Tags: security

Thanks for your bug report.

> First of all, thanks for bringing new exciting features to apt!
>
> I'm afraid, however, that one of these features, namely
>
> * add support for apt-get build-dep unpacked-source-dir
>
> brought an unanticipated security regression. Consider the following command:
>
> # apt-get build-dep nyancat
>
> It used to be safe to execute it regardless of what your working directory was. But in apt_1.1~exp1, this is no longer secure if cwd is world-writable, for example /tmp. A local malicious user could create crafted /tmp/nyancat/debian/control, tricking apt into installing packages of their choice. Or they could symlink /tmp/nyancat/debian/control to /dev/urandom...

Good point, thanks a lot for bringing this to our attention. I changed the code now so that it prints when using a file/directory so that the user is aware of it (as suggested by David). And as you suggested it now enforces that it needs a path starting with ./ or /.

Thanks,
Michael

> -- System Information:
> Debian Release: jessie/sid
> APT prefers unstable
> APT policy: (990, 'unstable'), (500, 'experimental')
> Architecture: i386 (x86_64)
> Foreign Architectures: amd64
>
> Kernel: Linux 3.14-1-amd64 (SMP w/2 CPU cores)
> Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
>
> Versions of packages apt depends on:
> ii debian-archive-keyring 2012.4
> ii gnupg 1.4.18-1
> ii libapt-pkg4.13 1.1~exp1
> ii libc6 2.19-4
> ii libgcc1 1:4.9.0-10
> ii libstdc++6 4.9.0-10
>
> --
> Jakub Wilk
Bug#754041: apt-get build-dep pkgname no longer secure when cwd=/tmp
On Sun, Jul 06, 2014 at 11:49:26PM +0200, Jakub Wilk wrote:
> # apt-get build-dep nyancat

Even if we ignore security for a moment I am not a fan of this syntax as it is too surprising for me.

I think I would be happier if this would always require a relative/absolute path rather than just a directory name ala:

apt-get build-dep ./nyancat

(aka: at least one / in the pkgname before a file lookup is attempted. And a message like those for regex/glob if it matched anything)

This also 'solves' the security problem by letting the user decide how secure she wants to be.

(I haven't looked at the code though, yet)

Best regards

David Kalnischkies
Bug#754041: apt-get build-dep pkgname no longer secure when cwd=/tmp
* David Kalnischkies da...@kalnischkies.de, 2014-07-07, 23:32:
>> # apt-get build-dep nyancat
>
> Even if we ignore security for a moment I am not a fan of this syntax as it is too surprising for me.

I don't like it either. :)

> I think I would be happier if this would always require a relative/absolute path rather than just a directory name ala:
>
> apt-get build-dep ./nyancat
>
> (aka: at least one / in the pkgname before a file lookup is attempted. And a message like those for regex/glob if it matched anything)

Note that this was valid syntax in apt ( 1.1):

# apt-get build-dep nyancat/unstable

So we might need a stricter rule than "at least one /". Perhaps something like this: the argument must start with ./ or start with / or end with / to be considered a directory name?

--
Jakub Wilk
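The three argument rules discussed in this thread, side by side, as an added example that is not part of any message above and is not code from apt. The function names and the sample arguments are hypothetical and constructed for illustration; the point is that "at least one /" misclassifies the existing nyancat/unstable (package/release) syntax as a directory, while the two stricter rules keep it a package name.

```cpp
#include <iomanip>
#include <iostream>
#include <string>

// Added illustration; the helper names below are hypothetical, not apt's own.
static bool StartsWith(const std::string &s, const std::string &prefix) {
   return s.compare(0, prefix.size(), prefix) == 0;
}

// David's first suggestion: at least one '/' anywhere in the argument.
bool IsPathAnySlash(const std::string &arg) {
   return arg.find('/') != std::string::npos;
}

// Jakub's stricter proposal: starts with "./", starts with "/", or ends with "/".
bool IsPathStrict(const std::string &arg) {
   return StartsWith(arg, "./") || StartsWith(arg, "/") ||
          (!arg.empty() && arg.back() == '/');
}

// The rule Michael reports enforcing: the argument must start with "./" or "/".
bool IsPathPrefixOnly(const std::string &arg) {
   return StartsWith(arg, "./") || StartsWith(arg, "/");
}

int main() {
   // Constructed sample arguments covering the forms discussed in the thread.
   const char *samples[] = {"nyancat", "nyancat/unstable", "./nyancat",
                            "/tmp/nyancat", "nyancat/"};
   std::cout << std::left << std::setw(20) << "argument" << std::setw(11)
             << "any-slash" << std::setw(8) << "strict" << "prefix-only\n";
   for (const char *s : samples) {
      // "path" means a debian/control file would be looked up on disk;
      // "name" means the argument only ever reaches the package cache.
      auto verdict = [](bool isPath) { return isPath ? "path" : "name"; };
      std::cout << std::left << std::setw(20) << s << std::setw(11)
                << verdict(IsPathAnySlash(s)) << std::setw(8)
                << verdict(IsPathStrict(s)) << verdict(IsPathPrefixOnly(s))
                << '\n';
   }
   return 0;
}
```

Under all three rules a bare `nyancat` stays a package name, so a directory of that name in a world-writable cwd is never consulted unless the user explicitly writes a path.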
Bug#754041: apt-get build-dep pkgname no longer secure when cwd=/tmp
Package: apt
Version: 1.1~exp1
Severity: minor
Tags: security

First of all, thanks for bringing new exciting features to apt!

I'm afraid, however, that one of these features, namely

* add support for apt-get build-dep unpacked-source-dir

brought an unanticipated security regression. Consider the following command:

# apt-get build-dep nyancat

It used to be safe to execute it regardless of what your working directory was. But in apt_1.1~exp1, this is no longer secure if cwd is world-writable, for example /tmp. A local malicious user could create crafted /tmp/nyancat/debian/control, tricking apt into installing packages of their choice. Or they could symlink /tmp/nyancat/debian/control to /dev/urandom...

-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.14-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages apt depends on:
ii debian-archive-keyring 2012.4
ii gnupg 1.4.18-1
ii libapt-pkg4.13 1.1~exp1
ii libc6 2.19-4
ii libgcc1 1:4.9.0-10
ii libstdc++6 4.9.0-10

--
Jakub Wilk