Debian Bug report logs - #659015
apt-build: disables apt's signature checking


Package: apt-build; Maintainer for apt-build is Debian QA Group <packages@qa.debian.org>; Source for apt-build is src:apt-build.

Reported by: "D. Lasserre" <lasserre.d@googlemail.com>

Date: Tue, 7 Feb 2012 13:09:01 UTC

Severity: grave

Tags: patch, security

Found in version apt-build/0.12.42

Fixed in version apt-build/0.12.45

Done: Axel Beckert <abe@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#659015; Package apt-build. (Tue, 07 Feb 2012 13:09:06 GMT)


Acknowledgement sent to "D. Lasserre" <lasserre.d@googlemail.com>:
New Bug report received and forwarded. Copy sent to Debian QA Group <packages@qa.debian.org>. (Tue, 07 Feb 2012 13:09:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: "D. Lasserre" <lasserre.d@googlemail.com>
To: submit@bugs.debian.org
Subject: Sign apt-build repository
Date: Tue, 07 Feb 2012 14:07:08 +0100
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Package: apt-build
Severity: wishlist

apt-build repository is unsigned, so Apt::Get::AllowUnauthenticated is
needed to install packages.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJPMSHUAAoJENONJ1Ky5PTzty8IAJz/yApd01tiX8bueiTVbI8F
zrli3zhHHhTyw1reBoB/hmfG6owh4uVJ5DzvN3FYRLv3r9J/m6PliSTFHivKk9IR
Bpucm9ks1FRSZvAxbX39w3tX4BJ5Y5PqCxn0S710Mn2YhB62R7Mp+orHFeAglgYK
AcvVVNjcKr9RjR/JOGXai6G9GTk7l6AhLPgKjONFvE0dFW50eQArpP+cawx3ilQg
fM7aDlDp8fwGGTbJqHes8ocvnJHv3FXfXx0XBzmdhxtq9650/prk2DTzRjsAknW4
zvGlzDKBeskjtaPNrDC8UbpatxwQjDABpbtxE2IKWR8mNkmcIh812K4jsfcJqME=
=A/Dd
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#659015; Package apt-build. (Mon, 30 Mar 2015 15:15:10 GMT)


Acknowledgement sent to Ansgar Burchardt <ansgar@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>. (Mon, 30 Mar 2015 15:15:10 GMT)


Message #10 received at 659015@bugs.debian.org:

From: Ansgar Burchardt <ansgar@debian.org>
To: 659015@bugs.debian.org
Subject: Bug#659015: apt-build disables apt's signature verification
Date: Mon, 30 Mar 2015 17:11:06 +0200
retitle 659015 apt-build: disables apt's signature checking
severity 659015 grave
tag 659015 + security
found 659015 0.12.42
thanks

apt-build unconditionally passes -o Apt::Get::AllowUnauthenticated=true
to apt-get, that is it disables *all* signature checks allowing MitM
attacks to serve malicious data. It looks like this was introduced in
0.12.42:

  * Allow non authenticated installation from apt-build repository.
    Closes: #316572, #369173

See also the recent thread on debian-security@[1], esp. [2] suggesting
to use "deb [trusted=yes] ..." in sources.list which would allow
dropping the (global) AllowUnauthenticated=true.

Ansgar

  [1] <https://lists.debian.org/debian-security/2015/03/msg00020.html>
  [2] <https://lists.debian.org/debian-security/2015/03/msg00026.html>
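The distinction Ansgar draws above is the practical one: APT::Get::AllowUnauthenticated is a global switch that turns off signature verification for every configured repository, whereas "deb [trusted=yes] ..." exempts a single source line. The following script is an added example, not part of the bug report or of apt-build, that audits an apt configuration tree for both forms: it lists the per-repository [trusted=yes] exemptions and every place the global option is switched on, whether in an apt.conf.d fragment or in a wrapper passing "-o" on the command line. The directory layout, file names and sample contents it builds are constructed for the demonstration; on a real system point the two functions at /etc/apt/sources.list, /etc/apt/sources.list.d/*.list and /etc/apt/apt.conf.d/* (apt option names are case-insensitive, hence the -i).

```shell
#!/bin/sh
# Added example: audit an apt configuration tree for the two ways signature
# checking gets disabled.
#   1. the global option APT::Get::AllowUnauthenticated, set in an apt.conf
#      fragment or passed as "-o ..." by a wrapper, which disables checks for
#      every repository, and
#   2. per-repository "deb [trusted=yes] ..." entries, which exempt only that
#      one source.
# Everything below the functions builds a constructed sample tree; it is not
# apt-build's code and the file names are assumptions for the demo.
set -eu

# Print "<file>:<lineno>:<line>" for every deb/deb-src entry whose option
# block (the part in square brackets) contains trusted=yes.
list_trusted_sources() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        grep -nE '^[[:space:]]*deb(-src)?[[:space:]]+\[[^]]*trusted=yes[^]]*\]' "$f" \
            | sed "s|^|$f:|"
    done
}

# Print "<file>:<lineno>:<line>" for every place the global option is enabled:
#   apt.conf style:   APT::Get::AllowUnauthenticated "true";
#   command line:     -o Apt::Get::AllowUnauthenticated=true
list_global_unauth() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        grep -niE 'apt::get::allowunauthenticated[[:space:]]*("true"|=true)' "$f" \
            | sed "s|^|$f:|"
    done
}

# Build a constructed tree: one signed mirror, one local [trusted=yes] repo,
# one apt.conf.d fragment and one wrapper script with the global switch.
make_demo_tree() {
    d=$1
    mkdir -p "$d/sources.list.d" "$d/apt.conf.d" "$d/bin"
    cat > "$d/sources.list" <<'EOF'
deb http://deb.debian.org/debian jessie main
deb-src http://deb.debian.org/debian jessie main
EOF
    cat > "$d/sources.list.d/apt-build.list" <<'EOF'
deb [trusted=yes] file:/var/cache/apt-build/repository apt-build main
EOF
    cat > "$d/apt.conf.d/99unauth" <<'EOF'
APT::Get::AllowUnauthenticated "true";
EOF
    cat > "$d/bin/wrapper.sh" <<'EOF'
#!/bin/sh
exec apt-get -o Apt::Get::AllowUnauthenticated=true install "$@"
EOF
}

# Stand-alone demo on the constructed tree.
demo_dir=$(mktemp -d)
make_demo_tree "$demo_dir"
echo "== per-repository exemptions (only these sources skip verification) =="
list_trusted_sources "$demo_dir/sources.list" "$demo_dir"/sources.list.d/*.list
echo "== global AllowUnauthenticated (all sources skip verification) =="
list_global_unauth "$demo_dir"/apt.conf.d/* "$demo_dir"/bin/*.sh
rm -rf "$demo_dir"
```

Any hit in the second list is the finding that matters: a single "-o Apt::Get::AllowUnauthenticated=true" in a wrapper makes the signatures on the official mirror irrelevant too, which is exactly why a per-repository exemption is the smaller hole.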



Changed Bug title to 'apt-build: disables apt's signature checking' from 'Sign apt-build repository'. Request was from Ansgar Burchardt <ansgar@debian.org> to control@bugs.debian.org. (Mon, 30 Mar 2015 15:15:16 GMT)


Severity set to 'grave' from 'wishlist'. Request was from Ansgar Burchardt <ansgar@debian.org> to control@bugs.debian.org. (Mon, 30 Mar 2015 15:15:17 GMT)


Added tag(s) security. Request was from Ansgar Burchardt <ansgar@debian.org> to control@bugs.debian.org. (Mon, 30 Mar 2015 15:15:18 GMT)


Marked as found in versions apt-build/0.12.42. Request was from Ansgar Burchardt <ansgar@debian.org> to control@bugs.debian.org. (Mon, 30 Mar 2015 15:15:18 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#659015; Package apt-build. (Mon, 30 Mar 2015 21:39:10 GMT)


Acknowledgement sent to Axel Beckert <abe@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>. (Mon, 30 Mar 2015 21:39:10 GMT)


Message #23 received at 659015@bugs.debian.org:

From: Axel Beckert <abe@debian.org>
To: Ansgar Burchardt <ansgar@debian.org>, 659015@bugs.debian.org
Cc: Dominique Lasserre <lasserre.d@googlemail.com>
Subject: Re: Bug#659015: apt-build disables apt's signature verification
Date: Mon, 30 Mar 2015 23:35:21 +0200
Hi Ansgar,

Ansgar Burchardt wrote:
> apt-build unconditionally passes -o Apt::Get::AllowUnauthenticated=true
> to apt-get, that is it disables *all* signature checks allowing MitM
> attacks to serve malicious data.

Thanks for the heads up. I'll have a look into it and will publish my
proposed QA upload for review as git repo somewhere on Alioth, maybe
collab-maint.

Dominique: Please respond if you (as last uploader) are also working
on a fix for this so that we can avoid duplicated work.

		Regards, Axel
-- 
 ,''`.  |  Axel Beckert <abe@debian.org>, http://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE



Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#659015; Package apt-build. (Mon, 30 Mar 2015 22:51:05 GMT)


Acknowledgement sent to Axel Beckert <abe@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>. (Mon, 30 Mar 2015 22:51:05 GMT)


Message #28 received at 659015@bugs.debian.org:

From: Axel Beckert <abe@debian.org>
To: Ansgar Burchardt <ansgar@debian.org>, 659015@bugs.debian.org
Cc: Dominique Lasserre <lasserre.d@googlemail.com>
Subject: Re: Bug#659015: apt-build disables apt's signature verification
Date: Tue, 31 Mar 2015 00:49:32 +0200
Hi Ansgar,

Axel Beckert wrote:
> Ansgar Burchardt wrote:
> > apt-build unconditionally passes -o Apt::Get::AllowUnauthenticated=true
> > to apt-get, that is it disables *all* signature checks allowing MitM
> > attacks to serve malicious data.
> 
> Thanks for the heads up. I'll have a look into it and will publish my
> proposed QA upload for review as git repo somewhere on Alioth, maybe
> collab-maint.

My proposed fix is at
https://anonscm.debian.org/cgit/users/abe/proposed-qa/apt-build.git/commit/?h=jessie&id=ca2653a8

I've though observed two possibly minor issues with it:

* An existing /etc/apt/sources.list.d/apt-build.list is not updated to
  add "[trusted=yes]".

* Upon purge and (re)installation, I had the "deb" line twice in
  /etc/apt/sources.list.d/apt-build.list and it's not clear to me why.

I've not yet done much testing, so any feedback is welcome. I'll
definitely do some more testing before uploading that fix.

		Regards, Axel
-- 
 ,''`.  |  Axel Beckert <abe@debian.org>, http://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE



Added tag(s) patch. Request was from Axel Beckert <abe@debian.org> to control@bugs.debian.org. (Mon, 30 Mar 2015 23:00:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#659015; Package apt-build. (Tue, 31 Mar 2015 07:42:05 GMT)


Acknowledgement sent to Ansgar Burchardt <ansgar@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>. (Tue, 31 Mar 2015 07:42:05 GMT)


Message #35 received at 659015@bugs.debian.org:

From: Ansgar Burchardt <ansgar@debian.org>
To: Axel Beckert <abe@debian.org>
Cc: 659015@bugs.debian.org, Dominique Lasserre <lasserre.d@googlemail.com>
Subject: Re: Bug#659015: apt-build disables apt's signature verification
Date: Tue, 31 Mar 2015 09:38:48 +0200
Axel Beckert <abe@debian.org> writes:
> I've though observed two possibly minor issues with it:
>
> * An existing /etc/apt/sources.list.d/apt-build.list is not updated to
>   add "[trusted=yes]".

Could probably be added in postinst (apt-build.list is not a conffile),
e.g. something like

  sed -i 's/^deb file:/deb [trusted=yes] file:/'

or something more strict to make sure it doesn't touch other
repositories.

> * Upon purge and (re)installation, I had the "deb" line twice in
>   /etc/apt/sources.list.d/apt-build.list and it's not clear to me why.

The filename is generated differently in postinst and postrm:

+---
|   eval $(apt-config shell sourceslist Dir::Etc::sourcelist/f)
|   eval $(apt-config shell sourcesparts Dir::Etc::sourceparts/d)
|   aptbuildsource="$sourcesparts"apt-build.list
+---[ postinst ]

+---
|   eval $(apt-config shell etcdir Dir::Etc)
|   eval $(apt-config shell sourceslist Dir::Etc::sourcelist)
|   eval $(apt-config shell sourcesparts Dir::Etc::sourceparts)
|   sourceslist=/"$etcdir""$sourceslist"
|   sourcesparts=/"$etcdir""$sourcesparts"
|   aptbuildsource="$sourcesparts"/apt-build.list
+---[ postrm ]

> I've not yet done much testing, so any feedback is welcome. I'll
> definitely do some more testing before uploading that fix.

I can't give too much feedback as I don't use apt-build myself. Just
noticed the thread on -security@.

Ansgar



Information forwarded to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#659015; Package apt-build. (Tue, 31 Mar 2015 23:57:05 GMT)


Acknowledgement sent to Axel Beckert <abe@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian QA Group <packages@qa.debian.org>. (Tue, 31 Mar 2015 23:57:05 GMT)


Message #40 received at 659015@bugs.debian.org:

From: Axel Beckert <abe@debian.org>
To: Ansgar Burchardt <ansgar@debian.org>
Cc: 659015@bugs.debian.org, Dominique Lasserre <lasserre.d@googlemail.com>
Subject: Re: Bug#659015: apt-build disables apt's signature verification
Date: Wed, 1 Apr 2015 01:53:10 +0200
Control: tag -1 + pending

Hi,

Ansgar Burchardt wrote:
> Axel Beckert <abe@debian.org> writes:
> > I've though observed two possibly minor issues with it:
> >
> > * An existing /etc/apt/sources.list.d/apt-build.list is not updated to
> >   add "[trusted=yes]".
> 
> Could probably be added in postinst (apt-build.list is not a conffile),
> e.g. something like
> 
>   sed -i 's/^deb file:/deb [trusted=yes] file:/'
> 
> or something more strict to make sure it doesn't touch other
> repositories.

Thanks for that idea and note about not being a conffile.

> > * Upon purge and (re)installation, I had the "deb" line twice in
> >   /etc/apt/sources.list.d/apt-build.list and it's not clear to me why.
> 
> The filename is generated differently in postinst and postrm:

That wasn't the issue, but using grep without -F to search for the
whole line -- which now contains brackets and they have special
meanings in grep basic regular expressions. So adding -F to the
according grep call fixes that.

		Regards, Axel
-- 
 ,''`.  |  Axel Beckert <abe@debian.org>, http://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE



Added tag(s) pending. Request was from Axel Beckert <abe@debian.org> to 659015-submit@bugs.debian.org. (Tue, 31 Mar 2015 23:57:05 GMT)


Reply sent to Axel Beckert <abe@debian.org>:
You have taken responsibility. (Wed, 01 Apr 2015 01:21:04 GMT)


Notification sent to "D. Lasserre" <lasserre.d@googlemail.com>:
Bug acknowledged by developer. (Wed, 01 Apr 2015 01:21:05 GMT)


Message #47 received at 659015-close@bugs.debian.org:

From: Axel Beckert <abe@debian.org>
To: 659015-close@bugs.debian.org
Subject: Bug#659015: fixed in apt-build 0.12.45
Date: Wed, 01 Apr 2015 01:18:38 +0000
Source: apt-build
Source-Version: 0.12.45

We believe that the bug you reported is fixed in the latest version of
apt-build, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 659015@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Axel Beckert <abe@debian.org> (supplier of updated apt-build package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 01 Apr 2015 02:42:19 +0200
Source: apt-build
Binary: apt-build
Architecture: source amd64
Version: 0.12.45
Distribution: unstable
Urgency: medium
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Axel Beckert <abe@debian.org>
Description:
 apt-build  - frontend to apt to build, optimize and install packages
Closes: 659015
Changes:
 apt-build (0.12.45) unstable; urgency=medium
 .
   * QA upload
   * Use per-repo "deb [trusted=yes] ..." instead of global "-o
     Apt::Get::AllowUnauthenticated=true". (Closes: #659015)
     + Bump versioned apt dependency to 0.8.16~exp3 for trusted=yes
     + Automatically add [trusted=yes] to existing generated file
       /etc/apt/sources.list.d/apt-build.list in postinst.
     + Use "grep -F" instead of "grep" to search for the whole "deb" line
       in postinst to avoid the brackets around trusted=yes being parsed as
       character class.
   * Update Vcs-* URLs to current canonical forms and use collab-maint
     repository instead of the apt-build project one while being under QA
     maintenance to allow write access to all DDs.
Checksums-Sha1:
 ae9e387f019f95f426c94350668a7728145747c9 1551 apt-build_0.12.45.dsc
 f07d38bdbdbd04894bf133879704bda71260b6fd 44816 apt-build_0.12.45.tar.xz
 ebaf63efbe6203eff742a3e20bbadb936ae5a724 42102 apt-build_0.12.45_amd64.deb
Checksums-Sha256:
 f3bc5badea15967b1d0796cfd988f5946504d9f20f5a64f44603593fd5c512e8 1551 apt-build_0.12.45.dsc
 13cfff75f47fcf8321395b2bd4108120f6f058148c36910ac367ee3dcba6fe2f 44816 apt-build_0.12.45.tar.xz
 58fa5860d00f1737427c6eafaccb2d932c2c8a287a79aea48fad02b0d2678a66 42102 apt-build_0.12.45_amd64.deb
Files:
 71a85d498d4a781b7ef8e52ed4472d38 1551 devel optional apt-build_0.12.45.dsc
 a0274158a6f2a9ec8b0c684eb406084d 44816 devel optional apt-build_0.12.45.tar.xz
 0cf887b5aeab6c5e550f489312ae6a04 42102 devel optional apt-build_0.12.45_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJVG0KLAAoJEGvmY8daNcl1UScP+gKlGcBFvkD877LguLpDIVla
WoSgGA7P0nLwzHU0bc1R0H/Y8OOlk8t4NlqBNSGNz67GShgNQcckfsRIqZf4dU1Y
muAH/qtIO2My0x6DnrtgsS7r6Dole2dMzG7+dM6v1CZxpkBRboDF72QvlYRsz19D
uBMRHiNJjDR36KTt7JiY+Yzh9k21aJJOz4dDXzXbKW9bxDpYtj6lx41eqafdecaq
LmP+mbossJPdkF5Si7nckqPDWjnR24RiF8lA7Kvtt2yckIy71nO91/6snUbQTNLr
kOtZfQo36aQ67hsLmT6563weRghvSHHTtyp9G7abkduZZk+ISpQhIlXgMzZXEkVP
hLzB/SmZQsvl7cKoswOBWKOvp4NwBzPAtyZzv1s81kizZ4f4Sgqq4BL4lR8Kld8y
Aa4xIZH62WaLRh+xHClA95tJHuTHUGnsS7nqVzaVkEcPKMjrJV5SVCzu3cMwVewy
mY/Hfkqs9662GictUz7x42EXqeteTJQPDp0mGIIo8e2dL9YOsae0OMVFDR9aI2NN
a1OYSBEhWP2Q+ODL7fsHr0EqB0IOlolsSwrpqCPYPNyvYemwMRHCb+JnTu7M1MAK
YGOfJjiSp/TZ24/EHz4qGKvzgOo8waoeHLUy/lL3bCLD4Ma04FoTu2oS/KvES+GZ
/X9OVBlvduCfkynfXXVO
=O9Bf
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 May 2015 07:33:35 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Jul 1 13:47:46 2023; Machine Name: buxtehude
