apt-offline claims to do GPG validation of the contents of the zip file and
claims that this is an important thing for it to do. The description of the
option that disables this check reads:

    Don't verify GPG signatures for the data to be installed to APT.
    Usage of this option is highly discouraged.

However, it appears that apt-offline only verifies the GPG signature on the
Release file. If that check passes, then it is assumed that all referenced
resources (Packages files) are OK and apt-offline does not check that the
hashes for the Packages files are indeed correct. These Packages files are
then fed directly to apt. Once apt has been fed a manipulated Packages file,
it will then trust the .deb packages that it refers to.
One can take a zip bundle, decompress it, alter the Packages file, and the
altered bundle is not rejected by "apt-offline install bundle.zip".
It seems that the existing GPG check of the Release file is rather pointless
and gives a false sense of security validation. Either the bundle.zip has been
securely handled all along and the GPG check is unnecessary, or bundle.zip has
not been securely handled and it is incorrectly trusted.
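The missing step the report describes, checking each index file against the hashes recorded in the already signature-verified Release file, as an added illustration that is not apt-offline's own code; the Release excerpt and Packages content below are constructed, not taken from a real mirror:

```python
import hashlib
import re

# Constructed sample data (not from a real archive): a minimal Packages index
# and a Release file whose SHA256 stanza references it by path.
PACKAGES = (b"Package: example\nVersion: 1.0\nArchitecture: amd64\n"
            b"Filename: pool/main/e/example/example_1.0_amd64.deb\n"
            b"SHA256: 0000000000000000000000000000000000000000000000000000000000000000\n\n")
PACKAGES_PATH = "main/binary-amd64/Packages"
RELEASE = (
    "Origin: Debian\nSuite: stable\nCodename: stretch\n"
    "SHA256:\n"
    f" {hashlib.sha256(PACKAGES).hexdigest()} {len(PACKAGES)} {PACKAGES_PATH}\n"
    "Date: Sat, 22 Jul 2017 10:00:00 UTC\n"
)

def parse_release_sha256(release_text):
    """Return {path: (sha256hex, size)} from the SHA256 stanza of a Release file.
    The stanza is a 'SHA256:' header followed by indented ' <hash> <size> <path>'
    lines; the next unindented field ends it."""
    entries, in_stanza = {}, False
    for line in release_text.splitlines():
        if not line.startswith((" ", "\t")):
            in_stanza = (line.strip() == "SHA256:")
            continue
        if in_stanza:
            m = re.match(r"\s*([0-9a-fA-F]{64})\s+(\d+)\s+(\S+)$", line)
            if m:
                entries[m.group(3)] = (m.group(1).lower(), int(m.group(2)))
    return entries

def verify_index(release_text, path, data):
    """True only if `data` has the size and SHA256 that the signature-checked
    Release file records for `path`. Without this step, a valid Release
    signature says nothing about the Packages file handed to apt."""
    expected = parse_release_sha256(release_text).get(path)
    if expected is None:
        return False  # index not listed in Release: refuse rather than assume
    digest, size = expected
    return len(data) == size and hashlib.sha256(data).hexdigest() == digest
```

A same-length edit to the Packages file (the `Version` change in the test) passes the size check and is caught only by the hash comparison.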
-- System Information:
Debian Release: 9.1
APT prefers proposed-updates
APT policy: (550, 'proposed-updates'), (500, 'stable-debug'), (500, 'stable'), (60, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8),
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages apt-offline depends on:
ii apt 1.4.7
ii less 481-2.1
ii libpython2.7-stdlib [python-argparse] 2.7.13-2
ii python 2.7.13-2
ii python-magic 1:5.30-1
Versions of packages apt-offline recommends:
ii debian-archive-keyring 2017.5
ii python-lzma 0.5.3-3
ii python-soappy 0.12.22-1
apt-offline suggests no packages.
-- no debconf information