Package: apt
Version: 0.8.15.10
Severity: important

Hi.

I did some non-systematic tests on secure APT (with partially shocking results).

The following is at least true for the download action of apt (and I guess
therefore of aptitude, too), perhaps for other actions (and/or option
combinations in which verifications should happen, too):

It does not give an error, and the exit code is 0, when the verification of the
downloaded file fails.


The check seems, however, to actually take place, because if I modify the hashsums
in e.g. ftp.de.debian.org_debian_dists_unstable_main_binary-amd64_Packages for
the base-files binary package and I do:
$ apt-get download base-files
Get:1 Downloading base-files 6.7 [69,4 kB]
Fetched 69,4 kB in 0s (134 kB/s)

All I get is:
l
total 78k
drwxr-xr-x 2 calestyo calestyo 4,1k Mar 27 03:00 .
drwx------ 6 calestyo calestyo 4,1k Mar 27 02:41 ..
-rw-r--r-- 1 calestyo calestyo  70k Mar  4 01:17 base-files_6.7_amd64.deb.FAILED


Generally I think that all kinds of verification errors should be treated as (most
severe) errors (not just warnings) and that the exit status should be non-zero.
Best would be to have a special exit code that denotes that potential security
issues occurred.


In the above case, renaming the file to .FAILED may seem enough, but one can never
know how the user uses the system, and perhaps relies on failed exit statuses.
Or imagine a (though stupid) script that downloads the .deb to a temp dir and
takes the only file in that dir (regardless of the .FAILED) and e.g. installs it.
I mean this would be badly written code, but we really should try to protect even
such cases, especially when this is easily possible.


Cheers,
Chris.



btw: Perhaps someone can explain this:
I traced the process and get the following:
stat("/var/lib/apt/lists/ftp.de.debian.org_debian_dists_unstable_Release.gpg", 0x7fff750b4670) = -1 ENOENT (No such file or directory)
stat("/var/lib/apt/lists/_srv_local-package-archive_dists_unstable_Release.gpg", {st_mode=S_IFREG|0644, st_size=836, ...}) = 0

So while there is a Release.gpg for my local archive, there is none for 
Debian's.
Why and is this a security problem?
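As an added illustration (not part of the bug report above), the "take the only file in the temp dir" script from the report, hardened the way a caller would have to be while apt's exit status cannot be trusted: it refuses to proceed when a .FAILED marker is present, insists on the exact file name, and re-checks the SHA256 itself. The function name, the directory layout and the sample hash are assumptions of this example; the expected hash is whatever the SHA256 field of the package's Packages entry says (e.g. from `apt-cache show`).

```shell
#!/bin/sh
# Added example, not from the bug report or from apt itself.
# verify_downloaded_deb DIR DEBNAME EXPECTED_SHA256
#   returns 0 only if DIR/DEBNAME exists, no DIR/DEBNAME.FAILED marker
#   exists, and the file's sha256 equals EXPECTED_SHA256.
# Exit codes: 2 = .FAILED marker present, 3 = file missing, 4 = hash mismatch.
verify_downloaded_deb() {
    dir=$1
    deb=$2
    expected=$3

    # apt renames a rejected download to <name>.FAILED (see the report);
    # treat that marker as a hard error even though apt-get exited 0.
    if [ -e "$dir/$deb.FAILED" ]; then
        echo "refusing $deb: verification marker $deb.FAILED present" >&2
        return 2
    fi

    # Never "take the only file in the dir": require the exact expected name.
    if [ ! -f "$dir/$deb" ]; then
        echo "refusing $deb: expected file not present" >&2
        return 3
    fi

    # Independently re-verify against the hash from the Packages entry
    # (assumed to be passed in by the caller), so a tampered index
    # or a silently failed check cannot slip a wrong file through.
    actual=$(sha256sum "$dir/$deb" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "refusing $deb: sha256 mismatch" >&2
        return 4
    fi
    return 0
}
```

Only a return of 0 should be followed by installing the file; any other value is the "potential security issue" exit status the report asks apt itself to provide.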


