[Piuparts-devel] Bug#545907: piuparts uses debootstrap in an insecure way

Christoph Anton Mitterer christoph.anton.mitterer at physik.uni-muenchen.de
Wed Sep 9 21:22:01 UTC 2009


Package: piuparts
Version: 0.36
Severity: important

Hi.


debootstrap (unlike cdebootstrap, IIRC) does not check signatures on
any packages by default, but only when the "--keyring" option is used.

This has the potential security problem that users are building (and
thus executing) code that is not verified.

I would suggest that you at least add a:
DEBOOTSTRAPOPTS="--keyring=/set-this-file" to the default template.

But this still is, well, not a good solution, so I'd suggest the following:
1) Add options to piuparts itself:
- A mandatory --keyring= option to specify the keyring to be used and
that is passed on to [c]debootstrap
- An option like --do-not-verify-signatures (including some warnings
that this is dangerous), and only if this is set may --keyring
be omitted.

2) If none of the above is specified, piuparts should fail.


I'm not sure about the following:
- As piuparts installs stuff inside the already bootstrapped chroot,
there may be additional possibilities for insecure packages. But I
assume you always use apt there, right? And this should use keys,
well, at least with debootstrap they're copied into the chroot
(IIRC), not sure about cdebootstrap.

- Is this already a problem with current build daemons or whatever?  
And should we inform those guys on this problem?


Regards,
Chris.

-- System Information:
Debian Release: squeeze/sid
   APT prefers unstable
   APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.30-heisenberg (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_DE.UTF-8, LC_CTYPE=en_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages piuparts depends on:
ii  apt                        0.7.23.1      Advanced front-end for dpkg
ii  debootstrap                1.0.15        Bootstrap a basic Debian system
ii  lsb-release                3.2-23        Linux Standard Base version report
ii  lsof                       4.81.dfsg.1-1 List open files
ii  python                     2.5.4-2       An interactive high-level object-o
ii  python-debian              0.1.14        Python modules to work with Debian

piuparts recommends no packages.

Versions of packages piuparts suggests:
ii  ghostscript               8.70~dfsg-2+b1 The GPL Ghostscript PostScript/PDF
pn  python-rpy                <none>         (no description available)

-- no debconf information
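The policy proposed in the report (a --keyring option handed to debootstrap, an explicit and loudly warned opt-out, and a hard failure when neither is given) can be sketched as a small wrapper. The following is an added example written for this thread, not piuparts' own code: the option names mirror the proposal, the mirror URL and the `isfile` hook are assumptions made so the check can be exercised without a real filesystem, and only debootstrap's real `--keyring=FILE` option is relied upon.

```python
"""Added example (not piuparts code): refuse to bootstrap unverified packages
unless the operator explicitly opts out.

Assumed options, mirroring the proposal in the bug report:
  --keyring=FILE                 passed straight through to debootstrap
  --do-not-verify-signatures     dangerous opt-out; only then may --keyring be omitted
"""
import argparse
import os
import subprocess
import sys

DEFAULT_MIRROR = "http://deb.debian.org/debian"  # assumption: any Debian mirror will do


def parse_args(argv):
    p = argparse.ArgumentParser(
        description="bootstrap a chroot, refusing unverified packages by default")
    p.add_argument("--keyring", metavar="FILE",
                   help="keyring handed to debootstrap as --keyring=FILE")
    p.add_argument("--do-not-verify-signatures", action="store_true", dest="unverified",
                   help="DANGEROUS: run debootstrap without --keyring")
    p.add_argument("suite")
    p.add_argument("target")
    p.add_argument("mirror", nargs="?", default=DEFAULT_MIRROR)
    return p.parse_args(argv)


def plan_bootstrap(keyring, unverified, suite, target, mirror=DEFAULT_MIRROR,
                   isfile=os.path.isfile):
    """Return (argv, warnings) for the debootstrap call, or raise ValueError.

    Item 2 of the proposal: with neither a keyring nor the explicit opt-out,
    fail closed. A keyring, if given, always wins over the opt-out flag.
    `isfile` is injectable (assumption for testability) so a missing keyring
    can be simulated without touching the real filesystem.
    """
    warnings = []
    if keyring is None and not unverified:
        raise ValueError(
            "refusing to bootstrap without signature verification; "
            "pass --keyring=FILE or (dangerous) --do-not-verify-signatures")
    cmd = ["debootstrap"]
    if keyring is not None:
        # A mistyped path must not silently degrade into an unverified build.
        if not isfile(keyring):
            raise ValueError("keyring %r does not exist or is not a file" % keyring)
        cmd.append("--keyring=" + keyring)
        if unverified:
            warnings.append("note: --do-not-verify-signatures ignored because "
                            "--keyring was given; signatures WILL be checked")
    else:
        warnings.append("WARNING: packages will NOT be signature-checked; "
                        "the resulting chroot runs unverified code")
    cmd += [suite, target, mirror]
    return cmd, warnings


def main(argv=None):
    args = parse_args(sys.argv[1:] if argv is None else argv)
    try:
        cmd, warnings = plan_bootstrap(args.keyring, args.unverified,
                                       args.suite, args.target, args.mirror)
    except ValueError as e:
        sys.exit("error: %s" % e)
    for w in warnings:
        print(w, file=sys.stderr)
    return subprocess.call(cmd)


if __name__ == "__main__":
    sys.exit(main())
```

Usage would be e.g. `python3 wrapper.py --keyring=/usr/share/keyrings/debian-archive-keyring.gpg sid /tmp/chroot`; invoking it with neither option exits non-zero before debootstrap is ever started, which is the failure mode the report asks for.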
