[Bug 1358272] Re: [MIR] debsig-verify
With the phasing out of click packages this is no longer needed and the bug can be closed.

** Changed in: debsig-verify (Ubuntu)
       Status: Incomplete => Won't Fix

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1358272

Title: [MIR] debsig-verify

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/debsig-verify/+bug/1358272/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1358272] Re: [MIR] debsig-verify
Seth Arnold wrote:
> debsig-verify uses some library routines from dpkg; while I inspected these calls and didn't see a problem, I must point out that dpkg was only ever designed to handle packages that already passed the usual hash-and-signatures check provided by apt and may not be suitable for use on untrusted input. debsig-verify is taking a risk that the dpkg implementations of these functions will not become a danger in the future, even assuming they are fine today.

This seems like a slightly odd statement given that dpkg was designed long before apt, never mind secure apt, even existed. Also of course dpkg is often used to handle untrusted input in other cases, such as inspecting files with dpkg -I and dpkg -c, and click uses dpkg (albeit sandboxed somewhat using LD_PRELOAD) to install packages.
[Bug 1358272] Re: [MIR] debsig-verify
@Seth: thanks for comment #4 about the 32bit issue with off_t - is there any downside of simply using -D_FILE_OFFSET_BITS=64 to morph off_t into a 64bit type?
[Bug 1358272] Re: [MIR] debsig-verify
Colin, you're right -- and I thought about that before hitting 'Post Comment' -- but the world was different then, we still used telnet, rsh, and ftp. Installing a package in those days made an explicit decision to trust that package with root shell privileges and allowed it to install setuid or setgid executables into the filesystem. There would have been no need to protect against slightly crafty .deb packages because the payload itself was already all-powerful. We're changing this world to one where the package might resort to crafty packaging to work around restrictions, and we're asking an old and reliable codebase to do something new. It comes with risks. -- end-of-tangent :)
[Bug 1358272] Re: [MIR] debsig-verify
Michael, I think your proposed -D_FILE_OFFSET_BITS=64 is sufficient and probably more reliable than trying to prevent ar_size based int32 overflows or just stopping an infinite loop through other constraints. Probably someone will want to package a data file larger than two gigabytes anyway. Thanks
[Bug 1358272] Re: [MIR] debsig-verify
I reviewed debsig-verify version 0.10 as checked into utopic. This shouldn't be considered a full security audit, but rather a quick gauge of maintainability.

debsig-verify is awkward. Extensive use is made of global state and much of the program logic depends upon side-effects to this global state, sometimes in function calls that happened thirty lines previously. It would be extremely difficult to write function-level unit tests for this program.

debsig-verify uses some library routines from dpkg; while I inspected these calls and didn't see a problem, I must point out that dpkg was only ever designed to handle packages that already passed the usual hash-and-signatures check provided by apt and may not be suitable for use on untrusted input. debsig-verify is taking a risk that the dpkg implementations of these functions will not become a danger in the future, even assuming they are fine today.

The following must be corrected before we can rely upon debsig-verify:

- Makefile tries to set -Wall, but it isn't used, obvious warnings are missing
- getSigKeyID() no error checks on fork()
- getSigKeyID() no error checks on t = fread(buf, 1, sizeof(buf), deb_fs);
- getSigKeyID() can be tricked into an infinite loop, no feof checks
- gpgVerify() no error checks on fork()

Because the signatures are embedded in the .deb files, necessarily only certain sections are measured:

  debian-binary
  control.tar
  control.tar.gz
  control.tar.xz
  data.tar
  data.tar.gz
  data.tar.xz
  data.tar.bz2
  data.tar.lzma

- Possibly it will copy different objects with these names than 'ar' or 'dpkg' will use when installing the package.
- Installing a package will require at least twice the package size in free space before starting the process because a copy is made

Test cases should be prepared with member filenames including trailing spaces, leading spaces, trailing / chars, etc.

(I have not inspected how 'ar' or 'dpkg' unpack .deb files; if they similarly rewind the file before unpacking named sections they will likely extract the same sections that debsig-verify extracts. If they don't rewind for each section they may unpack different sections.)

A polyglot test package with multiple control tarballs or data tarballs should be tested as well to ensure the measured sections are the ones chosen for installing.

I believe these may not be expected behaviours but they wouldn't be under control of potentially malicious entities:

- verifyGroupRules() looks like it requires negative grp->min_opt in order for only mandatory match groups to suffice
- checkSelRules() looks like it requires negative grp->min_opt in order for only mandatory match groups to suffice

The following surprising facts are consequences of the broken CFLAGS handling in the Makefile:

- getSigKeyID() 'deb' parameter is unused
- checkSelRules() 'deb' parameter is unused
- checkSelRules() 'deb' parameter shadows global 'deb' declaration
- verifyGroupRules() 'deb' parameter shadows global 'deb' declaration

It would be nice to fix these before shipment just so the presence of these parameters won't be surprising in maintenance but they are unlikely to be a harm at the moment.

And potentially surprising, 'gpg' looks like it may be executed often:

- verifyGroupRules() executes gpg via getKeyID() and getSigKeyID() potentially many times before performing the ultimate verification

debsig-verify is a significant complexity jump compared to using gpg to verify a detached signature; debsig-verify's extra complexity is largely due to three features:

- embedding the signature in the .deb
- an xml-based policy environment that delivers keys and
- describes allowed and forbidden package types for those specific keys.

If we don't care about these three specific features we should use something simpler. If one of these features will be useful, then we can make debsig-verify work but I don't think it is ready for handling malicious packages yet.

Thanks

** Changed in: debsig-verify (Ubuntu)
     Assignee: Seth Arnold (seth-arnold) => (unassigned)
[Bug 1358272] Re: [MIR] debsig-verify
Thanks Seth for your excellent review. I addressed most of your points in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=758615 that contains patches to improve the error handling and to get rid of the global state. The tests in http://bazaar.launchpad.net/~click-hackers/click/devel/view/head:/tests/integration/test_signatures.py contain e.g. the polyglot test and some more. Tests with spaces in ar member are missing currently but I can add them to be on the safe side.

** Bug watch added: Debian Bug tracker #758615
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=758615
[Bug 1358272] Re: [MIR] debsig-verify
findMember() on 32-bit platforms can also suffer an infinite loop and probably worse outcomes. The off_t is a 32-bit value on 32-bit platforms with a maximum value of 2147483647; the maximum value stored in the ar_size member can be 99. This allows ample opportunities for mischief, the most obvious being an infinite loop is possible because the fseek() calls are not monotonically moving forward. Another possibility is that a package will verify on a 64-bit host but not 32-bit, or vice-versa, or may select different payloads on different systems.
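As an added illustration, not code from debsig-verify or from anyone on this bug, here is a forward-only ar member walker in C that demonstrates the checks discussed in the review and in this comment: it parses the 10-digit ar_size field with an explicit 32-bit off_t bound (the thread's own remedy is -D_FILE_OFFSET_BITS=64; this shows validation as a second layer), normalises member names the way the suggested test cases probe (trailing spaces and a trailing '/'), and counts duplicate members so a polyglot .deb carrying two control tarballs is detected. parse_ar_size, ar_member_name, ar_count_named and ar_put are hypothetical names, and ar_put only builds constructed test data.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define AR_HDR 60 /* fixed-size ar member header; the archive starts with "!<arch>\n" */
/* Parse the 10-byte ar_size field (ASCII digits, right-padded with spaces). Returns -1
 * on garbage or when the value exceeds a 32-bit off_t: ten digits reach 9999999999. */
int64_t parse_ar_size(const char *f) {
    int64_t v = 0; int i = 0;
    for (; i < 10 && f[i] >= '0' && f[i] <= '9'; i++) v = v * 10 + (f[i] - '0');
    if (i == 0) return -1;
    for (; i < 10; i++) if (f[i] != ' ') return -1;
    return v > INT32_MAX ? -1 : v;
}
/* Name field minus pad spaces and an optional GNU-style trailing '/'. Leading spaces
 * are kept on purpose, so " control.tar.gz" does not alias "control.tar.gz". */
void ar_member_name(const char *hdr, char out[17]) {
    int n = 16;
    while (n > 0 && hdr[n - 1] == ' ') n--;
    if (n > 1 && hdr[n - 1] == '/') n--;
    memcpy(out, hdr, (size_t)n);
    out[n] = '\0';
}
/* Count members named `want` in an in-memory archive; -1 if malformed. The offset only
 * moves forward and every size is bounded by the bytes actually present, so a crafted
 * size field cannot rewind the walk; a count above 1 flags a polyglot package. */
int ar_count_named(const unsigned char *buf, size_t len, const char *want) {
    if (len < 8 || memcmp(buf, "!<arch>\n", 8) != 0) return -1;
    size_t off = 8; int count = 0;
    while (off < len) {
        if (len - off < AR_HDR || memcmp(buf + off + 58, "`\n", 2) != 0) return -1;
        int64_t size = parse_ar_size((const char *)buf + off + 48);
        if (size < 0 || (uint64_t)size > len - off - AR_HDR) return -1;
        char name[17]; ar_member_name((const char *)buf + off, name);
        if (strcmp(name, want) == 0) count++;
        size_t next = off + AR_HDR + (size_t)size + (size_t)(size & 1); /* even padding */
        if (next <= off) return -1; /* belt and braces: never step backwards */
        off = next;
    }
    return count;
}
/* Append one member (header, payload, pad byte) to a constructed test archive;
 * `name` must be at most 16 bytes. Returns the new end offset. */
size_t ar_put(unsigned char *buf, size_t off, const char *name, const char *data) {
    size_t n = strlen(data);
    snprintf((char *)buf + off, AR_HDR + 1, "%-16s%-12d%-6d%-6d%-8s%-10zu`\n", name, 0, 0, 0, "100644", n);
    memcpy(buf + off + AR_HDR, data, n); off += AR_HDR + n;
    if (n & 1) buf[off++] = '\n';
    return off;
}
```

Feeding the same archive to ar, dpkg-deb and the verifier and comparing which member each picks is the cross-check the review asks for; this walker only makes the duplicate visible.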
[Bug 1358272] Re: [MIR] debsig-verify
The CFLAGS from the Makefile are overridden during the build, see: https://launchpadlibrarian.net/181033234/buildlog_ubuntu-utopic-amd64.debsig-verify_0.10_UPLOADING.txt.gz
[Bug 1358272] Re: [MIR] debsig-verify
** Description changed:

  In order to check the signature of a click package we want to use the debsig-verify tool. Because clicks and debs are similar we can use debsig-verify with an appropriate policy to do the verifications. This MIR covers the tool itself; the policy will be put into a separate package (much like the ubuntu-keyring package).

- Availability:
+ Availability:
  - available in ubuntu universe and debian unstable

  Security:
- - security is checked
+ - I did a code audit and the code looks good to me
+ - I also wrote a bunch of integration tests in the lp:~mvo/click/debsigs-verify that test various ways of attacking the system and ensure it's robust
+ - AFAIK there was no review from the security team yet

  Quality assurance:
  - utility that gets the configuration via a click-store-policy package so no configuration required in the package itself
  - no debconf question
- - no long term open bugs (just 1 open bug in ubuntu, no open bugs in debian)
+ - no long term open bugs (just 1 open bug in ubuntu, no open bugs in debian)
  - the package is well maintained since some months, it used to be orphaned but Guillem Jover picked it up and it already got two uploads since June
  - it's a native package so no debian/watch files

  UI standards: (generally only for user-facing applications)
  - no UI, just CLI

  Dependencies:
  - all binary/source dependencies are in main
  - follows FHS/debian policy

- Maintenance:
+ Maintenance:
  - there is an active maintainer

  Background information:
  - the purpose of the package should be well explained in the description

  Security checks
  - no vulnerabilities yet
  - no suid, /sbin, ports, daemons or plugins
[Bug 1358272] Re: [MIR] debsig-verify
Needs a team bug subscriber, but besides that looks good. The many years without a maintainer are also troubling, but at least there's one now. Assigning to security team for a quick look to verify that the code can be relied on.

** Changed in: debsig-verify (Ubuntu)
       Status: New => Incomplete

** Changed in: debsig-verify (Ubuntu)
     Assignee: (unassigned) => Ubuntu Security Team (ubuntu-security)
[Bug 1358272] Re: [MIR] debsig-verify
** Changed in: debsig-verify (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => Seth Arnold (seth-arnold)