I reviewed debsig-verify version 0.10 as checked into utopic. This shouldn't be considered a full security audit, but rather a quick gauge of maintainability.
debsig-verify is awkward. Extensive use is made of global state and much of the program logic depends upon side-effects to this global state, sometimes in function calls that happened thirty lines previously. It would be extremely difficult to write function-level unit tests for this program.

debsig-verify uses some library routines from dpkg; while I inspected these calls and didn't see a problem, I must point out that dpkg was only ever designed to handle packages that already passed the usual hash-and-signatures check provided by apt and may not be suitable for use on untrusted input. debsig-verify is taking a risk that the dpkg implementations of these functions will not become a danger in the future, even assuming they are fine today.

The following must be corrected before we can rely upon debsig-verify:

- Makefile tries to set -Wall, but it isn't used, obvious warnings are missing
- getSigKeyID() no error checks on fork()
- getSigKeyID() no error checks on t = fread(buf, 1, sizeof(buf), deb_fs);
- getSigKeyID() can be tricked into an infinite loop, no feof checks
- gpgVerify() no error checks on fork()

Because the signatures are embedded in the .deb files, necessarily only certain sections are measured:

  debian-binary
  control.tar
  control.tar.gz
  control.tar.xz
  data.tar
  data.tar.gz
  data.tar.xz
  data.tar.bz2
  data.tar.lzma

- Possibly it will copy different objects with these names than 'ar' or 'dpkg' will use when installing the package.
- Installing a package will require at least twice the package size in free space before starting the process because a copy is made

Test cases should be prepared with member filenames including trailing spaces, leading spaces, trailing / chars, etc. (I have not inspected how 'ar' or 'dpkg' unpack .deb files; if they similarly rewind the file before unpacking named sections they will likely extract the same sections that debsig-verify extracts. If they don't rewind for each section they may unpack different sections.)

A "polyglot" test package with multiple control tarballs or data tarballs should be tested as well to ensure the measured sections are the ones chosen for installing.

I believe these may not be expected behaviours but they wouldn't be under control of potentially malicious entities:

- verifyGroupRules() looks like it requires negative grp->min_opt in order for only mandatory match groups to suffice
- checkSelRules() looks like it requires negative grp->min_opt in order for only mandatory match groups to suffice

The following surprising facts are consequences of the broken CFLAGS handling in the Makefile:

- getSigKeyID() 'deb' parameter is unused
- checkSelRules() 'deb' parameter is unused
- checkSelRules() 'deb' parameter shadows global 'deb' declaration
- verifyGroupRules() 'deb' parameter shadows global 'deb' declaration

It would be nice to fix these before shipment just so the presence of these parameters won't be surprising in maintenance, but they are unlikely to be a harm at the moment.

And potentially surprising, 'gpg' looks like it may be executed often:

- verifyGroupRules() executes gpg via getKeyID() and getSigKeyID() potentially many times before performing the ultimate verification

debsig-verify is a significant complexity jump compared to using gpg to verify a detached signature; debsig-verify's extra complexity is largely due to three features:

- embedding the signature in the .deb
- an xml-based policy environment that delivers keys and
- describes allowed and forbidden package types for those specific keys.

If we don't care about these three specific features we should use something simpler. If one of these features will be useful, then we can make debsig-verify work, but I don't think it is ready for handling malicious packages yet.

Thanks

** Changed in: debsig-verify (Ubuntu)
     Assignee: Seth Arnold (seth-arnold) => (unassigned)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1358272

Title:
  [MIR] debsig-verify

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/debsig-verify/+bug/1358272/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
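To exercise the polyglot and odd-member-name test cases the review asks for, here is an added Python checker that is not part of the bug report or of debsig-verify: it walks a .deb's ar container strictly forward (never rewinding), lists every member it meets, and flags a measured section that appears twice or a raw member name that normalises ambiguously. The name normalisation (strip space padding, then one trailing '/') is assumed from the GNU ar convention and is not a claim about what dpkg or debsig-verify do; the polyglot archive at the bottom is a constructed fixture, not a real package.

```python
import struct
AR_MAGIC = b"!<arch>\n"
AR_HDR = struct.Struct("16s12s6s6s8s10s2s")   # name date uid gid mode size fmag (60 bytes)
# The sections the review lists as the ones debsig-verify measures.
MEASURED = {"debian-binary", "control.tar", "control.tar.gz", "control.tar.xz",
            "data.tar", "data.tar.gz", "data.tar.xz", "data.tar.bz2", "data.tar.lzma"}

def ar_members(data):
    """Walk an ar archive forward, never rewinding; return every (raw_name, offset, size)."""
    if not data.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos, members = len(AR_MAGIC), []
    while pos < len(data):
        if pos + AR_HDR.size > len(data):
            raise ValueError("truncated member header at offset %d" % pos)
        name, _d, _u, _g, _m, size, fmag = AR_HDR.unpack_from(data, pos)
        if fmag != b"`\n" or not size.strip().isdigit():
            raise ValueError("corrupt member header at offset %d" % pos)
        size, body = int(size.strip()), pos + AR_HDR.size
        if body + size > len(data):
            raise ValueError("member %r runs past end of archive" % name)
        members.append((name.decode("latin-1"), body, size))
        pos = body + size + (size & 1)        # member data is padded to an even offset
    return members

def normalize(raw):
    """Assumed GNU-ar style normalisation: strip space padding, then one '/' terminator."""
    n = raw.rstrip(" ")
    return n[:-1] if n.endswith("/") else n

def check_deb(data):
    """Return (normalised names in file order, findings): repeated measured sections, odd names."""
    names, findings, seen = [], [], {}
    for raw, _off, _size in ar_members(data):
        norm = normalize(raw)
        names.append(norm)
        if raw.startswith(" ") or "/" in norm:
            findings.append("suspicious member name %r" % raw)
        if norm in MEASURED and norm in seen:
            findings.append("duplicate %s: raw %r and %r" % (norm, seen[norm], raw))
        seen.setdefault(norm, raw)
    return names, findings
def ar_member(name, payload):
    """Build one ar member for the constructed fixture below (not a real package)."""
    hdr = AR_HDR.pack(name.encode().ljust(16), b"0".ljust(12), b"0".ljust(6), b"0".ljust(6),
                      b"100644".ljust(8), str(len(payload)).encode().ljust(10), b"`\n")
    return hdr + payload + (b"\n" if len(payload) & 1 else b"")

POLYGLOT = (AR_MAGIC + ar_member("debian-binary", b"2.0\n") + ar_member("control.tar.gz", b"A")
            + ar_member("control.tar.gz/", b"BB") + ar_member("data.tar.gz", b"CCC"))  # constructed
```

Feeding a real .deb to check_deb() shows whether a second control or data tarball is present at all; which of the two a given unpacker then uses still has to be tested against that unpacker, as the review notes.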