Re: [DNG] [cor...@debian.org: [SECURITY] [DSA 4371-1] apt security update]

2019-01-24 Thread KatolaZ
On Thu, Jan 24, 2019 at 01:13:31PM +0100, Alexander Bochmann wrote:
> ...on Wed, Jan 23, 2019 at 11:54:10PM +0100, KatolaZ wrote:
> 
>  > explained in the email I forwarded. Or, if you trust Devuan, to use
>  > pkgmaster.devuan.org in your sources.list (that one is the master
>  > Devuan repo, and is on a machine to which only a reduced number of
> 
> Using the usual deb.devuan.org, I've seen this once during my  
> last ascii update:
> 
> Get:1 http://packages.roundr.devuan.org/merged jessie InRelease [21.8 kB]
> 
> Is that something that's expected?
> 

Dear Alex,

InRelease files get regenerated (and re-signed) by amprolla at every
merge. So they can definitely change from time to time, especially
when there is a security update, as is the case here (notice that the
apt bug has been fixed in jessie as well, as per
https://security-tracker.debian.org/tracker/CVE-2019-3462).

HTH

KatolaZ

-- 
[ ~.,_  Enzo Nicosia aka KatolaZ - Devuan -- Freaknet Medialab  ]  
[ "+.  katolaz [at] freaknet.org --- katolaz [at] yahoo.it  ]
[   @)   http://kalos.mine.nu ---  Devuan GNU + Linux User  ]
[ @@)  http://maths.qmul.ac.uk/~vnicosia --  GPG: 0B5F062F  ] 
[ (@@@)  Twitter: @KatolaZ - skype: katolaz -- github: KatolaZ  ]


signature.asc
Description: PGP signature
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng


Re: [DNG] [cor...@debian.org: [SECURITY] [DSA 4371-1] apt security update]

2019-01-24 Thread Alexander Bochmann
...on Wed, Jan 23, 2019 at 11:54:10PM +0100, KatolaZ wrote:

 > explained in the email I forwarded. Or, if you trust Devuan, to use
 > pkgmaster.devuan.org in your sources.list (that one is the master
 > Devuan repo, and is on a machine to which only a reduced number of

Using the usual deb.devuan.org, I've seen this once during my  
last ascii update:

Get:1 http://packages.roundr.devuan.org/merged jessie InRelease [21.8 kB]

Is that something that's expected?

Alex.



Re: [DNG] [cor...@debian.org: [SECURITY] [DSA 4371-1] apt security update]

2019-01-23 Thread Florian Zieboll
On Thu, 24 Jan 2019 00:58:27 +0100
KatolaZ  wrote:

> On Thu, Jan 24, 2019 at 12:28:35AM +0100, Florian Zieboll wrote:
> > Am 23. Januar 2019 23:54:10 MEZ schrieb KatolaZ
> > : 
>  [...]  
> > 
> > Hallo Katolaz,
> > 
> > thank you for the quick clarification, I got it and was just about
> > to write a follow up mail. Do IIUC, that without TLS it is still
> > possible to mount a MITM? 
> 
> Dear Florian,
> 
> the presence of TLS won't help a bit to avoid the apt bug we are
> referring to. First because the bug is in the way the "Location:"
> header is parsed, which has nothing to do with the fact that you do or
> do not redirect to an HTTPS URL. Second, because the vulnerability is
> not about a MITM attack, rather a remote exploit.
> 
> No MITM attack on the Debian/Devuan repo can be easily mounted, since
> packages are checksummed, and all the checksums are signed with the
> repository key (it's just a tiny bit more convoluted than that, but
> still). So if any package is out of order (i.e., it presents a
> checksum that offends the signed one), apt will immediately discover a
> mismatch with the signed and verified material, will refuse to
> continue, and will exit *loudly* (i.e., with an ERROR).
> 
> HTTPS won't add a single bit of security to a Debian/Devuan repo. It
> will exclusively prevent an external actor from seeing which packages
> are actually requested and downloaded by the client.
> 
> My2Cents
> 
> KatolaZ


This contradicts the original bug report as I understand it:

| The parent process will trust the hashes returned in the injected 201
| URI Done response, and compare them with the values from the signed
| package manifest. Since the attacker controls the reported hashes,
| they can use this vulnerability to convincingly forge any package.

and 

| But apt’s signature validation process is totally fine with the
| presence of other garbage in that file, as long as it doesn’t touch
| the signatures. So I intercepted the Release.gpg response and
| prepended it with my malicious deb

(Source: https://justi.cz/security/2019/01/22/apt-rce.html)

As the integrity of the release file should be verified by the
non-redirected 'apt update' command, I suggest that the following
example, with the pkgmaster.devuan.org/merged/ repository, is
"waterproof" in the context of the thread's subject - or did I miss
something?

$ apt -o Acquire::http::AllowRedirect=false update
$ wget https://pkgmaster.devuan.org/merged/pool/DEBIAN-SECURITY/updates/main/a/apt/apt_1.4.9_amd64.deb

then compare the output of

$ sha256sum apt_1.4.9_amd64.deb | sed -e 's/\ .*$//'
$ apt-cache show apt | sed -n 's/SHA256: //p'

if it matches, install with

$ dpkg -i apt_1.4.9_amd64.deb

and repeat for apt-utils, libapt-pkg5.0 and libapt-inst2.0

Florian






Re: [DNG] [cor...@debian.org: [SECURITY] [DSA 4371-1] apt security update]

2019-01-23 Thread KatolaZ
On Thu, Jan 24, 2019 at 12:28:35AM +0100, Florian Zieboll wrote:
> Am 23. Januar 2019 23:54:10 MEZ schrieb KatolaZ :
> 
> > No Florian, there is no "not-redirecting" repository in Devuan. Any
> > Devuan repo will redirect to the corresponding Debian repo for all the
> > packages that have not been forked by Debian, so you can't set
> > AllowRedirect to false.
> > 
> > The safest way is to manually download apt from the Debian pool, as
> > explained in the email I forwarded. Or, if you trust Devuan, to use
> > pkgmaster.devuan.org in your sources.list (that one is the master
> > Devuan repo, and is on a machine to which only a reduced number of
> > core developers have access), do the update, and then put back
> > deb.devuan.org.
> > 
> > HTH
> > 
> > KatolaZ
> 
> Hallo Katolaz,
> 
> thank you for the quick clarification, I got it and was just about to write a 
> follow up mail. Do IIUC, that without TLS it is still possible to mount a MITM?
> 

Dear Florian,

the presence of TLS won't help a bit to avoid the apt bug we are
referring to. First because the bug is in the way the "Location:"
header is parsed, which has nothing to do with the fact that you do or
do not redirect to an HTTPS URL. Second, because the vulnerability is
not about a MITM attack, rather a remote exploit.

No MITM attack on the Debian/Devuan repo can be easily mounted, since
packages are checksummed, and all the checksums are signed with the
repository key (it's just a tiny bit more convoluted than that, but
still). So if any package is out of order (i.e., it presents a
checksum that offends the signed one), apt will immediately discover a
mismatch with the signed and verified material, will refuse to
continue, and will exit *loudly* (i.e., with an ERROR).

HTTPS won't add a single bit of security to a Debian/Devuan repo. It
will exclusively prevent an external actor from seeing which packages
are actually requested and downloaded by the client.

My2Cents

KatolaZ



Re: [DNG] [cor...@debian.org: [SECURITY] [DSA 4371-1] apt security update]

2019-01-23 Thread Florian Zieboll
Am 23. Januar 2019 23:54:10 MEZ schrieb KatolaZ :

> No Florian, there is no "not-redirecting" repository in Devuan. Any
> Devuan repo will redirect to the corresponding Debian repo for all the
> packages that have not been forked by Debian, so you can't set
> AllowRedirect to false.
> 
> The safest way is to manually download apt from the Debian pool, as
> explained in the email I forwarded. Or, if you trust Devuan, to use
> pkgmaster.devuan.org in your sources.list (that one is the master
> Devuan repo, and is on a machine to which only a reduced number of
> core developers have access), do the update, and then put back
> deb.devuan.org.
> 
> HTH
> 
> KatolaZ


Hallo Katolaz,

thanks for the quick clarification, I was just about to type a follow up 
message. Do IIUC that without TLS it is still possible to mount a MITM attack?

Florian

-- 

[message sent mobile]


Re: [DNG] [cor...@debian.org: [SECURITY] [DSA 4371-1] apt security update]

2019-01-23 Thread Florian Zieboll
Am 23. Januar 2019 23:54:10 MEZ schrieb KatolaZ :

> No Florian, there is no "not-redirecting" repository in Devuan. Any
> Devuan repo will redirect to the corresponding Debian repo for all the
> packages that have not been forked by Debian, so you can't set
> AllowRedirect to false.
> 
> The safest way is to manually download apt from the Debian pool, as
> explained in the email I forwarded. Or, if you trust Devuan, to use
> pkgmaster.devuan.org in your sources.list (that one is the master
> Devuan repo, and is on a machine to which only a reduced number of
> core developers have access), do the update, and then put back
> deb.devuan.org.
> 
> HTH
> 
> KatolaZ

Hallo Katolaz,

thank you for the quick clarification, I got it and was just about to write a 
follow up mail. Do IIUC, that without TLS it is still possible to mount a MITM?

Florian



Re: [DNG] [cor...@debian.org: [SECURITY] [DSA 4371-1] apt security update]

2019-01-23 Thread KatolaZ
On Wed, Jan 23, 2019 at 11:42:15PM +0100, Florian Zieboll wrote:
> Am 22. Januar 2019 16:24:40 MEZ schrieb KatolaZ :
> 
> > use pkgmaster.devuan.org in your sources.list to do 
> > the upgrade
> 
> 
> If I understand the bug report correctly, it is not sufficient to change the 
> repository to a not redirecting one, but it is also necessary to add the 
> "Acquire::http::AllowRedirect=false" option to the update AND upgrade 
> command. The latter failed for me (at my workplace as well as at home) with 
> 302  "Moved Temporarily" errors for pkgmaster.devuan.org/merged/, so the debs 
> had to be downloaded manually. 
> 

No Florian, there is no "not-redirecting" repository in Devuan. Any
Devuan repo will redirect to the corresponding Debian repo for all the
packages that have not been forked by Debian, so you can't set
AllowRedirect to false.

The safest way is to manually download apt from the Debian pool, as
explained in the email I forwarded. Or, if you trust Devuan, to use
pkgmaster.devuan.org in your sources.list (that one is the master
Devuan repo, and is on a machine to which only a reduced number of
core developers have access), do the update, and then put back
deb.devuan.org.

HTH

KatolaZ



Re: [DNG] [cor...@debian.org: [SECURITY] [DSA 4371-1] apt security update]

2019-01-23 Thread Florian Zieboll
Am 22. Januar 2019 16:24:40 MEZ schrieb KatolaZ :

> use pkgmaster.devuan.org in your sources.list to do 
> the upgrade


If I understand the bug report correctly, it is not sufficient to change the 
repository to a not redirecting one, but it is also necessary to add the 
"Acquire::http::AllowRedirect=false" option to the update AND upgrade command. 
The latter failed for me (at my workplace as well as at home) with 302  "Moved 
Temporarily" errors for pkgmaster.devuan.org/merged/, so the debs had to be 
downloaded manually. 



Re: [DNG] [cor...@debian.org: [SECURITY] [DSA 4371-1] apt security update]

2019-01-23 Thread Mark Hindley
On Tue, Jan 22, 2019 at 04:24:40PM +0100, KatolaZ wrote:
> The full DSA is available below, and the corresponding CVE is at:
> 
>   https://security-tracker.debian.org/tracker/CVE-2019-3462
> 
> The safest way would actually be to manually download the deb packages
> of apt from the debian-security pool (more information available
> below), or to use pkgmaster.devuan.org in your sources.list to do the
> upgrade (pkgmaster.devuan.org is not a rough mirror...).
> 
> The issue has not yet been fixed in buster/sid (beowulf/ceres), but I
> guess a patched version will be published soon.

The unstable fix for this is also available now in version 1.8.0~alpha3.1.

Mark


[DNG] [cor...@debian.org: [SECURITY] [DSA 4371-1] apt security update]

2019-01-22 Thread KatolaZ
Dear D1rs,

a quite important security hole has been discovered (and patched) in
apt. The hole allows remote code execution upon http redirects through
malicious mirrors. Since Devuan repos are based on redirects, we urge
everybody to upgrade the "apt" package.

The full DSA is available below, and the corresponding CVE is at:

  https://security-tracker.debian.org/tracker/CVE-2019-3462

The safest way would actually be to manually download the deb packages
of apt from the debian-security pool (more information available
below), or to use pkgmaster.devuan.org in your sources.list to do the
upgrade (pkgmaster.devuan.org is not a rough mirror...).

The issue has not yet been fixed in buster/sid (beowulf/ceres), but I
guess a patched version will be published soon.

HND

KatolaZ


----- Forwarded message from Yves-Alexis Perez -----

Date: Tue, 22 Jan 2019 13:17:26 +0100
From: Yves-Alexis Perez 
To: debian-security-annou...@lists.debian.org
Subject: [SECURITY] [DSA 4371-1] apt security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-4371-1                   secur...@debian.org
https://www.debian.org/security/                       Yves-Alexis Perez
January 22, 2019                            https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package: apt
CVE ID : CVE-2019-3462

Max Justicz discovered a vulnerability in APT, the high level package manager.
The code handling HTTP redirects in the HTTP transport method doesn't properly
sanitize fields transmitted over the wire. This vulnerability could be used by
an attacker located as a man-in-the-middle between APT and a mirror to inject
malicious content in the HTTP connection. This content could then be recognized
as a valid package by APT and used later for code execution with root
privileges on the target machine.

Since the vulnerability is present in the package manager itself, it is
recommended to disable redirects in order to prevent exploitation during this
upgrade only, using:

 apt -o Acquire::http::AllowRedirect=false update
 apt -o Acquire::http::AllowRedirect=false upgrade

This is known to break some proxies when used against security.debian.org. If
that happens, people can switch their security APT source to use:

 deb http://cdn-fastly.deb.debian.org/debian-security stable/updates main

For the stable distribution (stretch), this problem has been fixed in
version 1.4.9.

We recommend that you upgrade your apt packages.

Specific upgrade instructions:

If upgrading using APT without redirect is not possible in your situation, you
can manually download the files (using wget/curl) for your architecture using
the URL provided below, verifying that the hashes match. Then you can install
them using dpkg -i.

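The manual "download, compare the SHA256 with the signed index, then dpkg -i" routine that Florian sketches and that the DSA's upgrade instructions describe, as an added shell example that is not code from the thread, from apt or from Debian. It takes the reference hash from `apt-cache show` output for one specific version (that command prints one stanza per available version, so a bare `sed -n 's/SHA256: //p'` can return more than one hash) and refuses to proceed when the hashes differ or no reference hash exists. The function names are mine; the package, version and download URL are the ones discussed in the thread, and the index stanzas used for testing are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from apt: verify a manually
# downloaded .deb against the SHA256 that the signed package index carries.
# 'apt-cache show <pkg>' prints one stanza per available version, so the
# hash has to be picked from the stanza whose Version: field matches.

# Read 'apt-cache show' output on stdin and print the SHA256 of the stanza
# whose Version: equals $1 (prints nothing if that version is absent).
sha256_for_version() {
    awk -v want="$1" '
        /^$/          { ver = "" }          # stanza separator
        /^Version: /  { ver = $2 }
        /^SHA256: /   { if (ver == want) { print $2; exit } }
    '
}

# Portable SHA256 of a file (sha256sum on GNU systems, shasum elsewhere).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Compare a file with the reference hash.
# Exit status: 0 match, 1 mismatch, 2 no reference hash available
# (e.g. the requested version is not in the index, or the index is stale).
verify_deb() {
    file="$1"; expected="$2"
    if [ -z "$expected" ]; then
        echo "no reference SHA256 for $file; refusing to install" >&2
        return 2
    fi
    actual=$(file_sha256 "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the index hash"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  index:    $expected" >&2
    echo "  computed: $actual" >&2
    return 1
}

# On a live system the pieces chain as follows (not executed here; the
# package, version and file name are the ones discussed in the thread):
#   apt -o Acquire::http::AllowRedirect=false update
#   wget https://pkgmaster.devuan.org/merged/pool/DEBIAN-SECURITY/updates/main/a/apt/apt_1.4.9_amd64.deb
#   ref=$(apt-cache show apt | sha256_for_version 1.4.9)
#   verify_deb apt_1.4.9_amd64.deb "$ref" && dpkg -i apt_1.4.9_amd64.deb
```

The index hash is only as trustworthy as the `apt update` that fetched it, which is why the update step runs with redirects disabled before any comparison is made.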