Your message dated Sun, 09 Feb 2020 14:47:57 +0000
with message-id <e1j0nsl-00097d...@fasolo.debian.org>
and subject line Bug#871656: fixed in apt-offline 1.8.2-1
has caused the Debian Bug report #871656,
regarding apt-offline: Does not validate Packages or .deb files in bundle
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
871656: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871656
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: apt-offline
Version: 1.7.2
Severity: serious
Tags: security

Dear Maintainer,

apt-offline claims to do gpg validation of the contents of the zip file and
claims that this is an important thing for it to do.

    --allow-unauthenticated
         Don't  verify  GPG signatures for the data to be installed to APT.
         Usage of this option is highly discouraged.

However, it appears that apt-offline only verifies the GPG signature on the
Release file. If that check passes, then it is assumed that all referenced
resources (Packages files) are OK and apt-offline does not check that the
hashes for the Packages files are indeed correct. These Packages files are
then fed directly to apt. Once apt has been fed a manipulated Packages file,
it will then trust the .deb packages that it refers to.

One can take a zip bundle, decompress it, alter the Packages file, and the
altered file was not rejected by "apt-offline install bundle.zip".

It seems that the existing GPG check of the Release file is rather pointless
and gives a false sense of security validation. Either the bundle.zip has been
securely handled all along and the GPG check is unnecessary, or bundle.zip has
not been securely handled and it is incorrectly trusted.

regards
Stuart


-- System Information:
Debian Release: 9.1
  APT prefers proposed-updates
  APT policy: (550, 'proposed-updates'), (500, 'stable-debug'), (500, 'stable'), (60, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apt-offline depends on:
ii  apt                                    1.4.7
ii  less                                   481-2.1
ii  libpython2.7-stdlib [python-argparse]  2.7.13-2
ii  python                                 2.7.13-2
ii  python-magic                           1:5.30-1

Versions of packages apt-offline recommends:
ii  debian-archive-keyring  2017.5
ii  python-lzma             0.5.3-3
ii  python-soappy           0.12.22-1

apt-offline suggests no packages.

-- no debconf information

--- End Message ---
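The missing step described in the report above (checking each Packages index against the size and digest that the signed Release file records for it, so that the Release signature actually covers what apt is fed), as an added Python example. This is not apt-offline's code; the Release stanza and Packages index below are constructed sample data, and the field layout follows the Debian Release format.

```python
"""Verify a Packages index against the hash list of a signed Release file.

Added illustration, not apt-offline's code. RELEASE and PACKAGES are
constructed sample data, not a real Debian archive.
"""
import hashlib

# Constructed Packages index: what the bundle hands to apt.
PACKAGES = b"Package: hello\nVersion: 2.10-2\nSHA256: " + b"0" * 64 + b"\n\n"

# Constructed Release stanza with only the fields this check needs.
RELEASE = (
    "Suite: stable\n"
    "SHA256:\n"
    f" {hashlib.sha256(PACKAGES).hexdigest()} {len(PACKAGES)} "
    "main/binary-amd64/Packages\n"
)


def parse_release_hashes(release_text, algo="SHA256"):
    """Return {path: (hexdigest, size)} from the Release file.

    Hash entries are the indented lines after the 'SHA256:' field,
    up to the next non-indented field.
    """
    entries = {}
    in_section = False
    for line in release_text.splitlines():
        if not line.startswith(" "):
            in_section = line.endswith(":") and line[:-1] == algo
            continue
        if in_section:
            digest, size, path = line.split()
            entries[path] = (digest.lower(), int(size))
    return entries


def verify_index(release_text, path, data, algo="SHA256"):
    """True only if data has the exact size and digest recorded for path.

    An unlisted path fails: an index the signed Release file does not
    name has no chain of trust back to the GPG signature.
    """
    entries = parse_release_hashes(release_text, algo)
    if path not in entries:
        return False
    expected_digest, expected_size = entries[path]
    if len(data) != expected_size:
        return False  # size mismatch: reject before hashing
    return hashlib.new(algo.lower(), data).hexdigest() == expected_digest
```

The same size-plus-digest check, applied to each .deb against the entries in a verified Packages index, is what extends the trust chain from the Release signature down to the package files themselves.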
--- Begin Message ---
Source: apt-offline
Source-Version: 1.8.2-1

We believe that the bug you reported is fixed in the latest version of
apt-offline, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 871...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ritesh Raj Sarraf <r...@debian.org> (supplier of updated apt-offline package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 07 Feb 2020 18:46:29 +0530
Source: apt-offline
Architecture: source
Version: 1.8.2-1
Distribution: unstable
Urgency: medium
Maintainer: Ritesh Raj Sarraf <r...@debian.org>
Changed-By: Ritesh Raj Sarraf <r...@debian.org>
Closes: 871656 871664 880985 931517 945628
Changes:
 apt-offline (1.8.2-1) unstable; urgency=medium
 .
   [ Matthias Blümel ]
   * support https client-authentication
   * extend manpage and bash-completion parameters for https
     client-authentication
   * implement option to disable https server certificate checks
 .
   [ Paul Wise ]
   * Remove generated files from git and create them at build time.
 .
   [ Ritesh Raj Sarraf ]
   * New Release version 1.8.2 (Closes: #871656)
   * Add warning for missing lzma module (Closes: #880985)
   * Fix new testing-security repository name.
     Thanks to Paul Wise (Closes: #931517)
   * Drop some python2 based recommends.
     Thanks to Sandro Tosi (Closes: #945628)
   * Update Vcs Entry and also update Build Dependencies
   * Call make for actual build
   * Update debhelper compatibility to 12
   * Drop obsolete X-Python3-Version field
   * Update Standards Version to 4.4.1
   * Add field Rules-Requires-Root: no
   * Enhance policykit integration
   * Install the apt-offline-gui-pkexec script to usr/bin/
   * Demote --simulate from global option to sub-option for install and set commands
     (Closes: #871664)
   * Do not touch apt system files in simulate mode
   * Also update the manpage about demotion of the simulate option
   * Switch to 3.0 (quilt) source format
   * Update debian/gbp.conf about switch to 3.0 (quilt) source format
 .
   [ Patryk Wychowaniec ]
   * Properly parse the command and its output.
     Thanks to Patryk Wychowaniec
 .
   [ Rafael Leira Osuna ]
   * added http-basic support
Checksums-Sha1:
 9786d197ae67efa87bdb452ff2e7d22f64206307 1997 apt-offline_1.8.2-1.dsc
 99ef82b9844b42ef300604ad38d79dd921721648 97030 apt-offline_1.8.2.orig.tar.gz
 dacf5fd2cd03812d354e8d676af4956b1389f29b 8188 apt-offline_1.8.2-1.debian.tar.xz
Checksums-Sha256:
 b965498c87af947ca054f022fcaedc920c8b2a5dd81f13ff74cfe009f4437d36 1997 apt-offline_1.8.2-1.dsc
 a1352450d046161d848fb31c70a2243ebf3154b61e7a24d2ffacb57c13a06038 97030 apt-offline_1.8.2.orig.tar.gz
 2d77f519882c8311f815d4b4eec3ef81e20e1707a0bc0aa392ca6d42d0a0d5a9 8188 apt-offline_1.8.2-1.debian.tar.xz
Files:
 df9753deb3bb0c4a394aa26242b4ac70 1997 admin optional apt-offline_1.8.2-1.dsc
 be4908f88886bf9effdf688fa692fc14 97030 admin optional apt-offline_1.8.2.orig.tar.gz
 2454241f55cd9258c4d72fbb67eaa620 8188 admin optional apt-offline_1.8.2-1.debian.tar.xz


--- End Message ---
