Control: tags -1 - security

On Fri, Sep 26, 2014 at 1:59 AM, Evgeny Kapun <[email protected]> wrote:
> Package: apt
> Version: 0.9.7.9+deb7u1
> Tags: security
>
> When running `apt-get update`, I noticed that it couldn't update some of the 
> lists because of invalid signatures (BADSIG). This happens most frequently 
> when `Release` files don't correspond to `Release.gpg`. I thought that it 
> might be some caching issue, so I removed all files from 
> `/var/lib/apt/lists/partial`, and the problem disappeared.
>
> I think that this should happen automatically. Some wrong data might get 
> cached for various reasons, and it's wrong if manual intervention is required 
> to make apt-get work again. I think that in case of verification errors, such
> as bad signature, hash mismatch, expired Release file, etc., apt-get should
> download all files that may cause the error without using cached data. For
> example, in case of hash mismatch for a list file it should download both
> that file and the Release file with its hash, as the error can be caused by
> any of them. If the Release file is re-downloaded, Release.gpg should be
> re-downloaded too, and the signature should be re-checked.
>
> Bottom line: wrong data in the (unverified) cache should not prevent apt-get 
> from working.
>
> Marking this as a security issue because an attacker can poison the cache just
> once to prevent unattended-upgrade from working.

We verify the data before moving it to the final directory. If it is
there, it is either valid, or we have no key for it, or it is unsigned
(the latter two will disappear / be disabled at some point I think).

We had some issues where that validation succeeded where it should not
(for example, on proxies returning a 200 OK HTML page for every
request, because the parser would not have any signatures to check
then). They should be fixed now in newer releases I think.

If you have a concrete issue, it would be great if you let us know,
but this bug is too generic. And re-verification is too expensive to
do anyway.

-- 
Julian Andres Klode  - Debian Developer, Ubuntu Member

See http://wiki.debian.org/JulianAndresKlode and http://jak-linux.org/.
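The check the two messages argue about is the hash verification of list files against the signed Release file, and the reporter's proposal is that a mismatch should trigger a re-fetch of the list file together with Release and Release.gpg rather than leaving a stale file in place. The following Python is an added illustration of that logic written for this thread; it is not apt's own code, and the Release text, file paths and cached contents are constructed samples (the Release file format with its `SHA256:` block of `hash size path` lines is the real one, but the entries here are made up):

```python
import hashlib
from typing import Dict, List, Tuple


def parse_release_hashes(release_text: str, algo: str = "SHA256") -> Dict[str, Tuple[str, int]]:
    """Return {path: (hexdigest, size)} from the given hash block of a Release file.

    A hash block starts with a line such as "SHA256:" and consists of the
    following lines that begin with a space: "<hexdigest> <size> <path>".
    """
    entries: Dict[str, Tuple[str, int]] = {}
    in_block = False
    for line in release_text.splitlines():
        if not line.startswith(" "):
            # Any non-indented line ends the current block; only the wanted
            # algorithm header opens a block we read from.
            in_block = line.rstrip() == f"{algo}:"
            continue
        if in_block:
            parts = line.split()
            if len(parts) == 3:
                entries[parts[2]] = (parts[0].lower(), int(parts[1]))
    return entries


def check_cached_lists(release_text: str, cached: Dict[str, bytes]) -> List[str]:
    """Return the paths of cached list files that do not match the Release file.

    A file is reported when its size or SHA256 differs from the Release entry,
    or when the Release file carries no entry for it at all.
    """
    expected = parse_release_hashes(release_text)
    bad: List[str] = []
    for path, data in cached.items():
        if path not in expected:
            bad.append(path)
            continue
        digest, size = expected[path]
        if len(data) != size or hashlib.sha256(data).hexdigest() != digest:
            bad.append(path)
    return sorted(bad)


def files_to_refetch(mismatched: List[str]) -> List[str]:
    """Apply the reporter's proposal: re-fetch each mismatching file together
    with Release and Release.gpg, since any of them may be the stale one."""
    if not mismatched:
        return []
    return sorted(set(mismatched) | {"Release", "Release.gpg"})


def sample_release_and_cache() -> Tuple[str, Dict[str, bytes]]:
    """Constructed sample: a Release file covering two list files, and a cache in
    which the Sources file has been altered after Release was generated."""
    packages = b"Package: foo\nVersion: 1.0\n\n"
    sources_published = b"Package: bar\nFormat: 3.0 (quilt)\n\n"
    lines = ["Origin: Example", "Suite: stable", "SHA256:"]
    for path, data in (("main/binary-amd64/Packages", packages),
                       ("main/source/Sources", sources_published)):
        lines.append(f" {hashlib.sha256(data).hexdigest()} {len(data)} {path}")
    release = "\n".join(lines) + "\n"
    cached = {
        "main/binary-amd64/Packages": packages,
        # Extra stanza appended: size and digest no longer match Release.
        "main/source/Sources": sources_published + b"Package: evil\n\n",
    }
    return release, cached


if __name__ == "__main__":
    release, cached = sample_release_and_cache()
    mismatched = check_cached_lists(release, cached)
    print("mismatched:", mismatched)
    print("re-fetch:", files_to_refetch(mismatched))
```

Running it reports `main/source/Sources` as mismatching and lists that file plus `Release` and `Release.gpg` for re-fetching, which is the behaviour the report asks for; the reply's point still stands that a real implementation would also have to re-verify the Release.gpg signature, which this fragment does not model.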

