Your message dated Mon, 19 Jan 2015 07:18:39 +0000
with message-id <e1yd6bf-0002fs...@franck.debian.org>
and subject line Bug#774838: fixed in weboob 1.0-3
has caused the Debian Bug report #774838,
regarding weboob: insecure keyring handling
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
774838: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774838
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: weboob
Version: 1.0-2
Severity: grave
Tags: security
Justification: security hole

Hi,

the keyring handling when adding a remote repository is… scary. Quoting
weboob/core/repositories.py:
|         if not keyring.exists() or self.key_update > keyring.version:
|             # This is a remote repository, download file
|             try:
|                 keyring_data = browser.open(posixpath.join(self.url, self.KEYRING)).content
|                 sig_data = browser.open(posixpath.join(self.url, self.KEYRING + '.sig')).content
|             except BrowserHTTPError as e:
|                 raise RepositoryUnavailable(unicode(e))
|             if keyring.exists():
|                 if not keyring.is_valid(keyring_data, sig_data):
|                     raise InvalidSignature('the keyring itself')
|                 print('The keyring was updated (and validated by the previous one).')
|             else:
|                 print('First time saving the keyring, blindly accepted.')
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
!!!
|             keyring.save(keyring_data, self.key_update)
|             print(keyring)

I would expect the Debian packages to contain some kind of trust chain
to bootstrap the keyring handling, and weboob to abort instead of
“blindly accepting” in other cases.

Mraw,
KiBi.

--- End Message ---
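The decision logic behind the quoted block, as an added example that is not weboob's code: the "blindly accepted" first-time branch is replaced by a fingerprint pinned in the package (the trust chain the report asks for) or an explicit user confirmation (what the 1.0-3 patch adds), and the update otherwise aborts. The keyring format, the HMAC-based signature stand-in and every name here are assumptions made for illustration.

```python
import hashlib
import hmac
from typing import Callable, FrozenSet, Optional

# Added example, not weboob's code: the decision logic behind the quoted
# block, with the "blindly accepted" branch replaced by a pinned-fingerprint
# check or an explicit user confirmation. Keyring format, HMAC stand-in and
# all names are constructed for illustration.

class InvalidSignature(Exception):
    pass

class UntrustedKeyring(Exception):
    pass

def fingerprint(keyring_data: bytes) -> str:
    # Stand-in for the OpenPGP fingerprint of the key inside the keyring.
    return hashlib.sha256(keyring_data).hexdigest()

def hmac_sign(local: bytes, data: bytes) -> bytes:
    # Toy stand-in for signing with a key from the previous keyring.
    return hmac.new(local, data, "sha256").digest()

def hmac_verify(local: bytes, data: bytes, sig: bytes) -> bool:
    # Toy stand-in for OpenPGP verification of a detached signature.
    return hmac.compare_digest(hmac_sign(local, data), sig)

def accept_keyring(local: Optional[bytes], remote: bytes, sig: bytes,
                   verify: Callable[[bytes, bytes, bytes], bool] = hmac_verify,
                   pinned: FrozenSet[str] = frozenset(),
                   confirm: Callable[[str], bool] = lambda fp: False) -> str:
    """Return how `remote` was accepted, or raise.
    local   -- installed keyring, None on first use (keyring.exists() false)
    sig     -- detached signature over `remote` made by a key in `local`
    pinned  -- fingerprints shipped with the package (the trust chain asked for)
    confirm -- asks the user about an unknown fingerprint (what 1.0-3 does)
    """
    if local is not None:
        # Update path: the new keyring must be validated by the previous one.
        if not verify(local, remote, sig):
            raise InvalidSignature("the keyring itself")
        return "updated"
    fp = fingerprint(remote)
    if fp in pinned:
        return "bootstrapped-pinned"
    if confirm(fp):
        return "bootstrapped-by-user"
    # 1.0-2 saved the keyring here unconditionally; abort instead.
    raise UntrustedKeyring(fp)
```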
--- Begin Message ---
Source: weboob
Source-Version: 1.0-3

We believe that the bug you reported is fixed in the latest version of
weboob, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 774...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Romain Bignon <rom...@symlink.me> (supplier of updated weboob package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 18 Jan 2015 16:07:58 +0100
Source: weboob
Binary: python-weboob python-weboob-core weboob weboob-qt
Architecture: source all
Version: 1.0-3
Distribution: unstable
Urgency: medium
Maintainer: Romain Bignon <rom...@symlink.me>
Changed-By: Romain Bignon <rom...@symlink.me>
Description:
 python-weboob - Weboob, Web Out Of Browsers - library
 python-weboob-core - transitional dummy package
 weboob     - CLI applications to interact with websites
 weboob-qt  - Qt applications to interact with websites
Closes: 774838
Changes:
 weboob (1.0-3) unstable; urgency=medium
 .
   * debian/patches/0004-prompt-user-to-accept-an-untrusted-keyring.patch:
    prompt user to accept an untrusted keyring when updating repositories
    (Closes: #774838).


--- End Message ---
