Debian Bug report logs - #440535
reprepro: Not properly checking signatures of repositories updating from


Package: reprepro; Maintainer for reprepro is Bernhard R. Link <brlink@debian.org>; Source for reprepro is src:reprepro.

Reported by: "Bernhard R. Link" <brlink@debian.org>

Date: Sun, 2 Sep 2007 14:12:02 UTC

Severity: serious

Tags: etch, patch, security

Found in version reprepro/1.3.0-1

Fixed in versions reprepro/2.2.4-1, 1.3.1+1-1

Done: "Bernhard R. Link" <brlink@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, brlink@debian.org (Bernhard R. Link):
Bug#440535; Package reprepro.

Acknowledgement sent to "Bernhard R. Link" <brlink@debian.org>:
New Bug report received and forwarded. Copy sent to brlink@debian.org (Bernhard R. Link).

Message #5 received at submit@bugs.debian.org:

From: "Bernhard R. Link" <brlink@debian.org>
To: submit@bugs.debian.org
Subject: reprepro: Not properly checking signatures of repositories updating from
Date: Sun, 2 Sep 2007 16:02:32 +0200
Package: reprepro
Version: 1.3.0-1
Severity: serious
Tags: etch security patch

This bug is just to document that the bug closed in 2.2.4 is still open in etch:

Version 1.3.0 included the change from libgpgme6 to libgpgme11. But a
part of this patch got lost, and thus reprepro only checks for
signatures with requested keys to be valid when updating a repository
from a remote one with the "update" command and does not complain if
there is no signature with a requested key at all. (Thus accepting
anything signed with only an unknown key, for example.)

Versions prior to 1.3.0 and since 2.2.4 are not affected. Only updating
is affected. Checking keys when including packages by hand or via an
incoming dir is not affected.

I've sent a mail with the attached files to team@security.debian.org
on August 20th, but got no reply since then. Thus attaching them here
again.

Yours faithfully,
	Bernhard R. Link
[interdiff (text/plain, attachment)]
[reprepro_1.3.1-1etch1.dsc (text/plain, attachment)]
[reprepro_1.3.1-1etch1.diff.gz (application/octet-stream, attachment)]
[reprepro_1.3.1-1etch1_i386.deb (application/x-debian-package, attachment)]
[reprepro_1.3.1-1etch1_i386.changes (text/plain, attachment)]

Bug marked as fixed in version 2.2.4-1. Request was from "Bernhard R. Link" <brlink@debian.org> to control@bugs.debian.org. (Sun, 02 Sep 2007 16:09:01 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, brlink@debian.org (Bernhard R. Link):
Bug#440535; Package reprepro.

Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to brlink@debian.org (Bernhard R. Link).

Message #12 received at 440535@bugs.debian.org:

From: Thijs Kinkhorst <thijs@debian.org>
To: 440535@bugs.debian.org
Subject: Re: reprepro: Not properly checking signatures of repositories updating from
Date: Wed, 12 Sep 2007 13:56:33 +0200
Hi,

> I've sent a mail with the attached files to team@security.debian.org
> at August 20th, but got no reply since then. Thus attaching them here
> again.

Thank you for your work, I've reviewed it and I'm wondering about why you made 
this change specifically:

-		if( kl < fl && strncmp(fingerprint+fl-kl,keypart,kl) == 0 )
+		if( kl < fl && strncasecmp(fingerprint+fl-kl,keypart,kl) == 0 )
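Review bot: the guard `kl < fl` is kept as-is, so a keypart that is the complete fingerprint (kl == fl) never matches in this branch; an operator who configures the full 40-character fingerprint gets no match here unless an equal-length path exists elsewhere, so consider `kl <= fl` or confirm that case is covered. The strncasecmp switch itself is sound, since hex fingerprints denote the same key regardless of case, but it is a usability change independent of the missing-signature check and deserves its own changelog entry so reviewers do not mistake it for the security fix.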

Can you clarify?

Thanks!

Thijs
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, brlink@debian.org (Bernhard R. Link):
Bug#440535; Package reprepro.

Acknowledgement sent to "Bernhard R. Link" <brlink@debian.org>:
Extra info received and forwarded to list. Copy sent to brlink@debian.org (Bernhard R. Link).

Message #17 received at 440535@bugs.debian.org:

From: "Bernhard R. Link" <brlink@debian.org>
To: Thijs Kinkhorst <thijs@debian.org>, 440535@bugs.debian.org
Subject: Re: Bug#440535: reprepro: Not properly checking signatures of repositories updating from
Date: Wed, 12 Sep 2007 18:20:19 +0200
* Thijs Kinkhorst <thijs@debian.org> [070912 14:05]:
> Hi,
> 
> > I've sent a mail with the attached files to team@security.debian.org
> > at August 20th, but got no reply since then. Thus attaching them here
> > again.
> 
> Thank you for your work, I've reviewed it and I'm wondering about why you made 
> this change specifically:
> 
> -		if( kl < fl && strncmp(fingerprint+fl-kl,keypart,kl) == 0 )
> +		if( kl < fl && strncasecmp(fingerprint+fl-kl,keypart,kl) == 0 )
> 
> Can you clarify?

libgpgme always returns the fingerprints in upper case, and if the case
mismatches, reprepro will just print that none of the requested keys were
found (because no key with a lower case fingerprint was found, as there
can't be one with libgpgme).
As humans often tend to use lower case, this could lead to some confusion when
upgrading (as it looks like it worked before and then suddenly claims
there is no known key while there is, just with the wrong key).

Yours faithfully,
	Bernhard R. Link
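The two points raised in this thread, the missing "is there any signature from a requested key at all" check in the original report and the case-insensitive fingerprint-suffix match discussed just above, can be shown side by side in a small model. The following is an added example written for this page, not reprepro or libgpgme code: the `struct sig` type, the `key_matches`, `accept_buggy` and `accept_fixed` functions and all fingerprints are constructed stand-ins for what a verification library reports, and the "buggy" policy is a reconstruction of the behaviour the report describes, not reprepro's actual source.

```c
/*
 * Added example (not reprepro or libgpgme code): a model of the update-time
 * signature policy this bug describes, plus case-insensitive key matching.
 * struct sig and the *_SIGS tables are constructed stand-ins for what a
 * verification library reports; every fingerprint below is fictitious.
 */
#define _POSIX_C_SOURCE 200809L
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

struct sig {
    const char *fpr;   /* signing key fingerprint, upper-case hex as gpgme reports it */
    bool valid;        /* signature verified correctly against a key we hold */
};

/* A configured key is a suffix of the fingerprint (a key id, or the whole
 * fingerprint). Compare case-insensitively: the library reports upper case,
 * humans tend to configure lower case. Equal length is allowed here so a
 * full fingerprint also matches (assumption of this example). */
static bool key_matches(const char *fingerprint, const char *keypart)
{
    size_t fl = strlen(fingerprint), kl = strlen(keypart);
    if (kl == 0 || kl > fl)
        return false;
    return strncasecmp(fingerprint + fl - kl, keypart, kl) == 0;
}

/* Policy as the report describes reprepro 1.3.0 "update": every signature made
 * by a requested key must be valid, but nothing requires such a signature to
 * exist. A file carrying only a signature by an unknown key is accepted. */
static bool accept_buggy(const struct sig *sigs, size_t nsigs,
                         const char *const *keys, size_t nkeys)
{
    for (size_t i = 0; i < nsigs; i++)
        for (size_t k = 0; k < nkeys; k++)
            if (key_matches(sigs[i].fpr, keys[k]) && !sigs[i].valid)
                return false;
    return true;
}

/* Corrected policy: accept only if at least one valid signature was made by a
 * requested key. No signatures, or only unknown signers, is a reject. */
static bool accept_fixed(const struct sig *sigs, size_t nsigs,
                         const char *const *keys, size_t nkeys)
{
    for (size_t i = 0; i < nsigs; i++)
        for (size_t k = 0; k < nkeys; k++)
            if (key_matches(sigs[i].fpr, keys[k]) && sigs[i].valid)
                return true;
    return false;
}

/* Constructed scenarios. The requested key is written in lower case, as an
 * operator would type it; the fingerprints are made up. */
static const char *const WANTED_KEYS[] = { "deadbeefcafef00d" };
#define WANTED_N 1
static const struct sig UNKNOWN_ONLY_SIGS[] = {
    { "0123456789ABCDEF0123456789ABCDEF01234567", true },
};
static const struct sig WANTED_VALID_SIGS[] = {
    { "F00DF00DF00DF00DF00DF00DDEADBEEFCAFEF00D", true },
};
static const struct sig WANTED_BAD_SIGS[] = {
    { "F00DF00DF00DF00DF00DF00DDEADBEEFCAFEF00D", false },
};

int main(void)
{
    struct { const char *name; const struct sig *sigs; } cases[] = {
        { "valid signature by unknown key only", UNKNOWN_ONLY_SIGS },
        { "valid signature by requested key",    WANTED_VALID_SIGS },
        { "bad signature by requested key",      WANTED_BAD_SIGS },
    };
    for (size_t c = 0; c < sizeof cases / sizeof cases[0]; c++)
        printf("%-38s buggy=%s fixed=%s\n", cases[c].name,
               accept_buggy(cases[c].sigs, 1, WANTED_KEYS, WANTED_N) ? "accept" : "reject",
               accept_fixed(cases[c].sigs, 1, WANTED_KEYS, WANTED_N) ? "accept" : "reject");
    return 0;
}
```

The first scenario is the one the report is about: the only signature is good, but by a key nobody asked for, and the buggy policy has nothing to object to. The fix is a change of quantifier, from "no requested-key signature is bad" to "some requested-key signature is good", which is also why an unsigned file falls out as a reject without a separate check.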




Tags added: pending Request was from Thijs Kinkhorst <thijs@debian.org> to control@bugs.debian.org. (Sun, 16 Sep 2007 16:24:03 GMT)

Bug marked as fixed in version 1.3.1+1-1, send any further explanations to "Bernhard R. Link" <brlink@debian.org> Request was from "Bernhard R. Link" <brlink@debian.org> to control@bugs.debian.org. (Wed, 24 Oct 2007 09:21:02 GMT)

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 27 Dec 2007 07:28:46 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 23 14:43:34 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.