Package: pbuilder
Version: 0.189
Severity: important
Tags: security

Hi.


debootstrap (unlike cdebootstrap IIRC) does not check signatures on any packages by default, but only when the "--keyring" option is used.

This has the potential security problem that users are building (and thus executing) code that is not verified.

I would suggest that you at least add a:
DEBOOTSTRAPOPTS="--keyring=/set-this-file" to the default template.

But this still is... well, not a good solution, so I'd suggest the following:
1) Add options to pbuilder itself:
- A mandatory --keyring= option to specify the keyring to be used and that is passed on to [c]debootstrap
- An option like --do-not-verify-signatures (including some warnings that this is dangerous), and only if this is set, --keyring may be omitted.

2) If nothing of the above is specified, pbuilder should fail.


I'm not sure about the following:
- As pbuilder installs stuff inside the already bootstrapped chroot, there may be additional possibilities for insecure packages. But I assume you always use apt there, right? And this should use keys... well, at least with debootstrap they're copied into the chroot (IIRC), not sure about cdebootstrap.

- Is this already a problem with current build daemons or whatever? And should we inform those guys about this problem?


Regards,
Chris.


-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.30-heisenberg (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_DE.UTF-8, LC_CTYPE=en_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages pbuilder depends on:
ii  coreutils                     7.5-4      GNU core utilities
ii  debconf [debconf-2.0]         1.5.27     Debian configuration management sy
ii  debianutils                   3.2.1      Miscellaneous utilities specific t
ii  debootstrap                   1.0.15     Bootstrap a basic Debian system
ii  wget                          1.11.4-4   retrieves files from the web

Versions of packages pbuilder recommends:
ii  devscripts                    2.10.54    scripts to make the life of a Debi
ii  fakeroot                      1.13       Gives a fake root environment
ii  sudo                          1.7.2p1-1  Provide limited super user privile

Versions of packages pbuilder suggests:
pn  cowdancer                     <none>     (no description available)
pn  gdebi                         <none>     (no description available)
pn  pbuilder-uml                  <none>     (no description available)

-- debconf information:
* pbuilder/mirrorsite: ftp://ftp.de.debian.org/debian/
  pbuilder/nomirror:
* pbuilder/rewrite: false
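
The fail-closed behaviour proposed in points 1) and 2) of the report, sketched as an added example; it is not part of the original report and not pbuilder code. `check_bootstrap_opts` is a hypothetical helper name, `--do-not-verify-signatures` is the flag name proposed in the report (not an existing option), and the option strings in the loop are constructed samples.

```shell
#!/bin/sh
# Added example: refuse to bootstrap unless a usable keyring is given or
# verification was switched off explicitly (flag name as proposed in the report).

# Usage: check_bootstrap_opts OPTION...
# Returns 0 = usable keyring given
#         2 = verification explicitly disabled (allowed, with a warning)
#         1 = refuse (no keyring and no opt-out, or keyring unusable)
check_bootstrap_opts() {
    keyring=""
    optout=no
    for opt in "$@"; do
        case "$opt" in
            --keyring=*) keyring=${opt#--keyring=} ;;
            --do-not-verify-signatures) optout=yes ;;
        esac
    done

    if [ -n "$keyring" ]; then
        # A missing or empty keyring verifies nothing, so it is an error
        # even when the opt-out flag is also present.
        if [ -r "$keyring" ] && [ -s "$keyring" ]; then
            return 0
        fi
        echo "E: keyring '$keyring' is missing, unreadable or empty" >&2
        return 1
    fi

    if [ "$optout" = yes ]; then
        echo "W: bootstrapping WITHOUT signature verification" >&2
        return 2
    fi

    echo "E: no --keyring= given; refusing to bootstrap unverified packages" >&2
    return 1
}

# Constructed sample settings in the string form used in the report; the
# untouched template placeholder /set-this-file is rejected as well.
for DEBOOTSTRAPOPTS in "--variant=buildd" \
                       "--keyring=/set-this-file" \
                       "--variant=buildd --do-not-verify-signatures"; do
    # Word splitting of the option string is intentional here.
    check_bootstrap_opts $DEBOOTSTRAPOPTS
    echo "[$DEBOOTSTRAPOPTS] -> exit $?"
done
```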
