Debian Bug report logs -
#560038
please make validating signatures the default, if /usr/share/keyrings/debian-archive-keyring.gpg is available
Report forwarded
to debian-bugs-dist@lists.debian.org, piuparts developers team <piuparts-devel@lists.alioth.debian.org>:
Bug#545907; Package piuparts.
(Wed, 09 Sep 2009 21:33:30 GMT) (full text, mbox, link).
Acknowledgement sent
to Christoph Anton Mitterer <christoph.anton.mitterer@physik.uni-muenchen.de>:
New Bug report received and forwarded. Copy sent to piuparts developers team <piuparts-devel@lists.alioth.debian.org>.
(Wed, 09 Sep 2009 21:33:30 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: piuparts
Version: 0.36
Severity: important
Hi.
debootstrap (unlike cdebootstrap IIRC) does not check signatures on
any packages per default, but only when the "--keyring" option is used.
This has the potential security problem, that users are building (and
thus executing code) that is not verified.
I would suggest that you at least add a:
DEBOOTSTRAPOPTS="--keyring=/set-this-file" to the default template.
But this still is,.. well not a good solution, so I'd suggest the following:
1) Add options to piuparts itself:
- A mandatory --keyring= option to specify the keyring to be used and
that is passed on to [c]debootstrap
- An option like --do-not-verify-signatures (including some warnings
that this is dangerous),.. and only if this is set,... --keyring may
be omitted.
2) If nothing of the above is specified, piuparts should fail.
I'm not sure about the following:
- As piuparts installs stuff inside the already bootstrapped chroot,
there may be additional possibilities for insecure packages. But I
assume you use always apt there, right? And this should use keys,..
well at least with debootstrap they're copied into the chroot
(IIRC),... not sure about cdebootstrap.
- Is this already a problem with current build daemons or whatever?
And should we inform those guys on this problem?
Regards,
Chris.
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.30-heisenberg (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_DE.UTF-8, LC_CTYPE=en_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages piuparts depends on:
ii apt 0.7.23.1 Advanced front-end for dpkg
ii debootstrap 1.0.15 Bootstrap a basic Debian system
ii lsb-release 3.2-23 Linux Standard Base version report
ii lsof 4.81.dfsg.1-1 List open files
ii python 2.5.4-2 An interactive high-level object-o
ii python-debian 0.1.14 Python modules to work with Debian
piuparts recommends no packages.
Versions of packages piuparts suggests:
ii ghostscript 8.70~dfsg-2+b1 The GPL Ghostscript PostScript/PDF
pn python-rpy <none> (no description available)
-- no debconf information
----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
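The fail-closed policy proposed in the report above, sketched as a wrapper-side check. This is an added example, not code from piuparts, pbuilder or debootstrap. The function name `bootstrap_verify_args` and the `insecure` opt-out value are hypothetical; `--keyring=` is the debootstrap option named in the report, and `--no-check-gpg` is the switch listed in the debootstrap 1.0.30 changelog further down this log.

```shell
#!/bin/sh
# Added example: decide which verification option a wrapper passes to
# debootstrap, refusing to continue when no usable keyring exists.
# bootstrap_verify_args and the "insecure" opt-out are hypothetical names.

DEFAULT_KEYRING=/usr/share/keyrings/debian-archive-keyring.gpg

# usage: bootstrap_verify_args [KEYRING] [insecure]
# Prints the debootstrap option on stdout.
# Returns 0 on success, 2 when verification is impossible and no
# explicit opt-out was given.
bootstrap_verify_args() {
    keyring=${1:-$DEFAULT_KEYRING}
    optout=${2:-}

    # Verification is only skipped on explicit request, with a warning.
    if [ "$optout" = insecure ]; then
        echo "WARNING: Release file signature will NOT be verified" >&2
        printf '%s\n' "--no-check-gpg"
        return 0
    fi

    # A missing, unreadable or empty keyring stops the run instead of
    # silently falling back to an unverified bootstrap.
    if [ ! -f "$keyring" ] || [ ! -r "$keyring" ] || [ ! -s "$keyring" ]; then
        echo "ERROR: no usable keyring at $keyring; refusing to bootstrap" >&2
        return 2
    fi

    # A keyring that any local user can rewrite is not a trust anchor.
    if [ -n "$(find -L "$keyring" -prune -perm -0002 2>/dev/null)" ]; then
        echo "ERROR: $keyring is world-writable" >&2
        return 2
    fi

    printf '%s\n' "--keyring=$keyring"
}

# Example call (suite, target directory and mirror are placeholders):
#   opt=$(bootstrap_verify_args) || exit 1
#   debootstrap "$opt" sid /srv/chroot/sid http://deb.debian.org/debian
```
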
Information forwarded
to debian-bugs-dist@lists.debian.org, piuparts developers team <piuparts-devel@lists.alioth.debian.org>:
Bug#545907; Package piuparts.
(Thu, 10 Sep 2009 08:48:10 GMT) (full text, mbox, link).
Acknowledgement sent
to Holger Levsen <holger@layer-acht.org>:
Extra info received and forwarded to list. Copy sent to piuparts developers team <piuparts-devel@lists.alioth.debian.org>.
(Thu, 10 Sep 2009 08:48:10 GMT) (full text, mbox, link).
Message #10 received at 545907@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
tags 545907 +security
thanks
Hi Christoph,
thanks for your bug report, even though I was aware of the issue, it helps to
file bugs to make people fix things they are aware of ;-)
On Wednesday, 9 September 2009, Christoph Anton Mitterer wrote:
> debootstrap (unlike cdebootstrap IIRC) does not check signatures on
> any packages per default, but only when the "--keyring" option is used.
>
> This has the potential security problem, that users are building (and
> thus executing code) that is not verified.
right. This is a problem for users testing their own packages. For a setup
like piuparts.debian.org this is no real problem though, as such a setup
needs to deal with potential hostile code anyway.
> 2) If nothing of the above is specified, piuparts should fail.
I guess I will make it use secure apt per default and give an option not to
use authentication.
> I'm not sure about the following:
> - As piuparts installs stuff inside the already bootstrapped chroot,
> there may be additional possibilities for insecure packages. But I
> assume you use always apt there, right? And this should use keys,..
yes
> well at least with debootstrap they're copied into the chroot
> (IIRC),... not sure about cdebootstrap.
piuparts uses debootstrap
> - Is this already a problem with current build daemons or whatever?
> And should we inform those guys on this problem?
AFAIK buildds don't use secure apt either. But I'm not sure this is still the
case, maybe this has been fixed.
regards,
Holger
[signature.asc (application/pgp-signature, inline)]
Added tag(s) security.
Request was from Holger Levsen <holger@layer-acht.org>
to control@bugs.debian.org.
(Thu, 10 Sep 2009 08:48:15 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, piuparts developers team <piuparts-devel@lists.alioth.debian.org>:
Bug#545907; Package piuparts.
(Thu, 10 Sep 2009 11:27:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Christoph Anton Mitterer <christoph.anton.mitterer@physik.uni-muenchen.de>:
Extra info received and forwarded to list. Copy sent to piuparts developers team <piuparts-devel@lists.alioth.debian.org>.
(Thu, 10 Sep 2009 11:27:03 GMT) (full text, mbox, link).
Message #17 received at 545907@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi Holger.
On Thu, 2009-09-10 at 10:39 +0200, Holger Levsen wrote:
> thanks for your bug report, even though I was aware of the issue, it helps to
> file bugs to make people fix things they are aware of ;-)
:)
> right. This is a problem for users testing their own packages. For a setup
> like piuparts.debian.org this is no real problem though, as such a setup
> needs to deal with potential hostile code anyway.
Yes,.. but at least one can reduce the potential sources for attacks =)
> I guess I will make it use secure apt per default and give an option not to
> use authentication.
That's probably the best idea. And the manpage should contain a big
warning note on security issues for that option.
> > well at least with debootstrap they're copied into the chroot
> > (IIRC),... not sure about cdebootstrap.
> piuparts uses debootstrap
Oh yes ;) ... Actually I've written this bug at first for pbuilder
(which supports both),.. and nearly copied it for piuparts.
Do you know of other packages that could suffer from this problem, too?
> > - Is this already a problem with current build daemons or whatever?
> > And should we inform those guys on this problem?
>
> AFAIK buildds don't use secure apt either. But I'm not sure this is still the
> case, maybe this has been fixed.
Whom could I contact on this? Or do you mean the package?
Regards,
Chris.
[smime.p7s (application/x-pkcs7-signature, attachment)]
Added tag(s) confirmed.
Request was from Holger Levsen <holger@layer-acht.org>
to control@bugs.debian.org.
(Sat, 05 Dec 2009 19:06:08 GMT) (full text, mbox, link).
Bug 545907 cloned as bug 560038.
Request was from Holger Levsen <holger@layer-acht.org>
to control@bugs.debian.org.
(Tue, 08 Dec 2009 14:33:01 GMT) (full text, mbox, link).
Severity set to 'wishlist' from 'important'
Request was from Holger Levsen <holger@layer-acht.org>
to control@bugs.debian.org.
(Tue, 08 Dec 2009 14:33:04 GMT) (full text, mbox, link).
Bug reassigned from package 'piuparts' to 'debootstrap'.
Request was from Holger Levsen <holger@layer-acht.org>
to control@bugs.debian.org.
(Tue, 08 Dec 2009 14:33:05 GMT) (full text, mbox, link).
Bug No longer marked as found in versions piuparts/0.36.
Request was from Holger Levsen <holger@layer-acht.org>
to control@bugs.debian.org.
(Tue, 08 Dec 2009 14:33:06 GMT) (full text, mbox, link).
Changed Bug title to 'please make validating signatures the default, if /usr/share/keyrings/debian-archive-keyring.gpg is available' from 'piuparts uses debootstrap in am insecure way'
Request was from Holger Levsen <holger@layer-acht.org>
to control@bugs.debian.org.
(Tue, 08 Dec 2009 14:33:07 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Install System Team <debian-boot@lists.debian.org>:
Bug#560038; Package debootstrap.
(Sat, 05 Mar 2011 09:03:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Holger Levsen <holger@layer-acht.org>:
Extra info received and forwarded to list. Copy sent to Debian Install System Team <debian-boot@lists.debian.org>.
(Sat, 05 Mar 2011 09:03:03 GMT) (full text, mbox, link).
Message #34 received at 560038@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi,
now that we are at the beginning of a new release cycle, it would probably be a
good moment to fix 560038: "please make validating signatures the default,
if /usr/share/keyrings/debian-archive-keyring.gpg is available".
IOW: debootstrap doesn't check signatures on packages by default...
cheers,
Holger
[signature.asc (application/pgp-signature, inline)]
Added tag(s) pending.
Request was from Joey Hess <joeyh@debian.org>
to control@bugs.debian.org.
(Fri, 25 Mar 2011 18:51:04 GMT) (full text, mbox, link).
Reply sent
to Joey Hess <joeyh@debian.org>:
You have taken responsibility.
(Tue, 26 Apr 2011 21:21:11 GMT) (full text, mbox, link).
Notification sent
to Christoph Anton Mitterer <christoph.anton.mitterer@physik.uni-muenchen.de>:
Bug acknowledged by developer.
(Tue, 26 Apr 2011 21:21:11 GMT) (full text, mbox, link).
Message #41 received at 560038-close@bugs.debian.org (full text, mbox, reply):
Source: debootstrap
Source-Version: 1.0.30
We believe that the bug you reported is fixed in the latest version of
debootstrap, which is due to be installed in the Debian FTP archive:
debootstrap-udeb_1.0.30_all.udeb
to main/d/debootstrap/debootstrap-udeb_1.0.30_all.udeb
debootstrap_1.0.30.dsc
to main/d/debootstrap/debootstrap_1.0.30.dsc
debootstrap_1.0.30.tar.gz
to main/d/debootstrap/debootstrap_1.0.30.tar.gz
debootstrap_1.0.30_all.deb
to main/d/debootstrap/debootstrap_1.0.30_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 560038@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Joey Hess <joeyh@debian.org> (supplier of updated debootstrap package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 26 Apr 2011 17:10:00 -0400
Source: debootstrap
Binary: debootstrap debootstrap-udeb
Architecture: source all
Version: 1.0.30
Distribution: unstable
Urgency: low
Maintainer: Debian Install System Team <debian-boot@lists.debian.org>
Changed-By: Joey Hess <joeyh@debian.org>
Description:
debootstrap - Bootstrap a basic Debian system
debootstrap-udeb - Bootstrap the Debian system (udeb)
Closes: 560038 621657 624229
Changes:
debootstrap (1.0.30) unstable; urgency=low
.
[ Joey Hess ]
* Recommend debian-archive-keyring, and if it is installed,
default to checking gpg signatures of the Release file against it
when bootstrapping sid, squeeze, wheezy, etch, and lenny.
Closes: #560038
* Add --no-check-gpg option that can be used to disable release file
verification. Closes: #624229
* Needs base-installer 1.117.
* Add a warning message if the keyring file is not available, and
--no-check-gpg is not specified.
* Clear all global variables used for options, so that unclean
environment doesn't break debootstrap. Closes: #621657
* Removed the --boot-floppies switch and mode. Assuming this has
not been used in 10 years.
.
[ Colin Watson ]
* Resolve dependencies from all requested components (LP: #740167).
Package-Type: udeb
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sat, 04 Jun 2011 07:35:56 GMT) (full text, mbox, link).
Last modified:
Sun Jan 7 14:02:41 2018;