[Piuparts-devel] Bug#545907: piuparts uses debootstrap in an insecure way
Christoph Anton Mitterer
christoph.anton.mitterer at physik.uni-muenchen.de
Wed Sep 9 21:22:01 UTC 2009
Package: piuparts
Version: 0.36
Severity: important
Hi.
debootstrap (unlike cdebootstrap IIRC) does not check signatures on
any packages per default, but only when the "--keyring" option is used.
This has the potential security problem that users are building (and
thus executing) code that is not verified.

I would suggest that you at least add a:
DEBOOTSTRAPOPTS="--keyring=/set-this-file" to the default template.

But this still is,.. well, not a good solution, so I'd suggest the following:

1) Add options to piuparts itself:
- A mandatory --keyring= option to specify the keyring to be used and
that is passed on to [c]debootstrap
- An option like --do-not-verify-signatures (including some warnings
that this is dangerous),.. and only if this is set,... --keyring may
be omitted.
2) If none of the above is specified, piuparts should fail.

I'm not sure about the following:
- As piuparts installs stuff inside the already bootstrapped chroot,
there may be additional possibilities for insecure packages. But I
assume you always use apt there, right? And this should use keys,..
well at least with debootstrap they're copied into the chroot
(IIRC),... not sure about cdebootstrap.
- Is this already a problem with current build daemons or whatever?
And should we inform those guys on this problem?
Regards,
Chris.
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.30-heisenberg (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_DE.UTF-8, LC_CTYPE=en_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages piuparts depends on:
ii apt 0.7.23.1 Advanced front-end for dpkg
ii debootstrap 1.0.15 Bootstrap a basic Debian system
ii lsb-release 3.2-23 Linux Standard Base version report
ii lsof 4.81.dfsg.1-1 List open files
ii python 2.5.4-2 An interactive high-level object-o
ii python-debian 0.1.14 Python modules to work with Debian

piuparts recommends no packages.

Versions of packages piuparts suggests:
ii ghostscript 8.70~dfsg-2+b1 The GPL Ghostscript PostScript/PDF
pn python-rpy <none> (no description available)
-- no debconf information
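The option policy proposed in the report (mandatory --keyring, an explicit --do-not-verify-signatures opt-out, fail otherwise), worked through as an added illustration that is not piuparts' own code; the helper names, the keyring existence check and the DEBOOTSTRAPOPTS-style extra_opts parameter are assumptions for this example:

```python
"""Added illustration of the option policy proposed in this report (hypothetical
helper, not piuparts' own code): refuse to build a chroot unless a keyring is
given or the user explicitly opts out of signature verification."""
import argparse
import os
import shlex
import sys

class InsecureBootstrap(Exception):
    """Neither --keyring nor an explicit --do-not-verify-signatures was given."""

def validate_keyring(path):
    """Fail early if the keyring file cannot be handed to debootstrap."""
    if not os.path.isfile(path):
        raise FileNotFoundError("keyring not found: %s" % path)
    return path

def build_debootstrap_cmd(distro, chroot_dir, mirror, keyring=None,
                          do_not_verify_signatures=False, extra_opts=""):
    """Return the debootstrap argv; --keyring is mandatory unless the caller
    explicitly opted out (point 2 of the report: otherwise fail)."""
    if keyring is None and not do_not_verify_signatures:
        raise InsecureBootstrap("refusing to run debootstrap without --keyring")
    cmd = ["debootstrap"]
    if keyring is not None:
        cmd.append("--keyring=%s" % keyring)
    cmd.extend(shlex.split(extra_opts))  # e.g. a DEBOOTSTRAPOPTS template value
    cmd.extend([distro, chroot_dir, mirror])
    return cmd

def main(argv):
    p = argparse.ArgumentParser(description="keyring policy demo")
    p.add_argument("--keyring", help="keyring passed on to debootstrap")
    p.add_argument("--do-not-verify-signatures", action="store_true",
                   help="DANGEROUS: build from unverified packages")
    for name in ("distro", "chroot_dir", "mirror"):
        p.add_argument(name)
    a = p.parse_args(argv)
    if a.do_not_verify_signatures:
        print("WARNING: package signatures will NOT be verified", file=sys.stderr)
    try:
        keyring = validate_keyring(a.keyring) if a.keyring else None
        cmd = build_debootstrap_cmd(a.distro, a.chroot_dir, a.mirror, keyring,
                                    a.do_not_verify_signatures)
    except (InsecureBootstrap, FileNotFoundError) as e:
        sys.exit("bootstrap check failed: %s" % e)
    print("would run:", " ".join(shlex.quote(c) for c in cmd))

if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it as `python3 demo.py sid /tmp/chroot http://deb.debian.org/debian` to see the refusal, and add `--keyring=/set-this-file` (with an existing file) or the opt-out flag to see the command that would be executed.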