Package: weboob
Version: 1.0-2
Severity: grave
Tags: security
Justification: security hole
Hi,
the keyring handling when adding a remote repository is… scary. Quoting
weboob/core/repositories.py:
| if not keyring.exists() or self.key_update > keyring.version:
|     # This is a remote repository, download file
|     try:
|         keyring_data = browser.open(posixpath.join(self.url, self.KEYRING)).content
|         sig_data = browser.open(posixpath.join(self.url, self.KEYRING + '.sig')).content
|     except BrowserHTTPError as e:
|         raise RepositoryUnavailable(unicode(e))
|     if keyring.exists():
|         if not keyring.is_valid(keyring_data, sig_data):
|             raise InvalidSignature('the keyring itself')
|         print('The keyring was updated (and validated by the previous one).')
|     else:
|         print('First time saving the keyring, blindly accepted.')
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
              !!!
|     keyring.save(keyring_data, self.key_update)
|     print(keyring)
I would expect the Debian packages to contain some kind of trust chain
to bootstrap the keyring handling, and weboob to abort instead of
“blindly accepting” in other cases.
Mraw,
KiBi.
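A hardened counterpart of the quoted block, added here as an illustration and not weboob's own code: the first remote keyring is validated against a bootstrap keyring shipped with the package, and the update aborts when no trust anchor can validate it. The `Keyring` class, `sign()` (an HMAC-SHA256 stand-in for the GPG detached-signature check) and the in-memory repository are constructed for the demo.

```python
import hashlib
import hmac
import posixpath


class InvalidSignature(Exception):
    pass


def sign(key, data):
    # Stand-in for a detached GPG signature: HMAC-SHA256 under the keyring's key.
    return hmac.new(key, data, hashlib.sha256).digest()


class Keyring:
    """Minimal stand-in for weboob's Keyring: key material plus a version."""

    def __init__(self, key=None, version=0):
        self.key, self.version = key, version

    def exists(self):
        return self.key is not None

    def is_valid(self, data, sig):
        return hmac.compare_digest(sign(self.key, data), sig)

    def save(self, data, version):
        self.key, self.version = data, version


def update_keyring(keyring, bootstrap, fetch, url, key_update, name="trusted.gpg"):
    """Hardened version of the quoted block: a keyring fetched for the first
    time is checked against the packaged bootstrap keyring instead of being
    blindly accepted, and with no usable trust anchor the update aborts."""
    if keyring.exists() and key_update <= keyring.version:
        return keyring  # nothing newer on offer, keep the current keyring
    keyring_data = fetch(posixpath.join(url, name))
    sig_data = fetch(posixpath.join(url, name + ".sig"))
    # Trust anchor: the keyring already held, else the one shipped in the package.
    anchor = keyring if keyring.exists() else bootstrap
    if not anchor.exists():
        raise InvalidSignature("no trust anchor to validate the keyring")
    if not anchor.is_valid(keyring_data, sig_data):
        raise InvalidSignature("the keyring itself")
    keyring.save(keyring_data, key_update)
    return keyring


def make_fetch(files):
    # Constructed in-memory "remote repository": maps URLs to response bodies.
    return lambda url: files[url]
```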
_______________________________________________
Secure-testing-team mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-team