Hi,

Junichi Uekawa <dan...@netfort.gr.jp> writes:
> severity 579028 wishlist

I don't agree with this as this bug allows arbitrary code execution as root (see below).

> Mehdi Dogguy wrote:
>> Can you please explain how this will break "all existing configurations"?
>> Does it mean that all people are using untrusted repositories when using
>> pbuilder?

Yes, it does. If you intercept and manipulate both the request for archive metadata (Release, Packages) and later a request for a *.deb, you should be able to execute arbitrary code on the victim's host (with root privileges). Of course you have to know which package the victim will install and have to prepare a malicious .deb beforehand.

Regarding local repositories: These work fine if you sign them with a local key and make this key known to APT. When using reprepro, this requires only generating a key, adding SignWith: [key-id] to the configuration and calling apt-key to make the key known to APT.

Regards,
Ansgar
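The three-step setup the message describes (generate a key, set SignWith in the reprepro configuration, make the key known to APT), as an added shell example that is not part of the bug report; reprepro, gnupg (2.1 or later) and apt-key are assumed to be installed, and the key id used in the test is a placeholder. It also adds a check that every suite in conf/distributions actually requests signing, since an unsigned suite is exactly what the rest of the message warns about.

```shell
#!/bin/sh
# Added example (not from the bug report): configure a local reprepro
# repository so its Release files are signed, and verify that the
# configuration really asks for signing. Assumes reprepro, gnupg >= 2.1
# and apt-key are installed; key ids passed in are placeholders.

# Write conf/distributions for one suite, with SignWith set.
# $1 = repository base directory, $2 = codename, $3 = signing key id
write_reprepro_conf() {
    mkdir -p "$1/conf"
    cat > "$1/conf/distributions" <<EOF
Origin: local
Label: local
Codename: $2
Architectures: amd64 source
Components: main
Description: locally built packages
SignWith: $3
EOF
}

# Return 0 if every stanza (Codename line) in conf/distributions has a
# matching SignWith line, 1 otherwise. A suite without SignWith produces
# an unsigned Release file, which APT on the client cannot verify.
check_signwith() {
    conf="$1/conf/distributions"
    [ -f "$conf" ] || return 1
    codenames=$(grep -c '^Codename:' "$conf" || true)
    signwith=$(grep -c '^SignWith:' "$conf" || true)
    [ "$codenames" -gt 0 ] && [ "$codenames" -eq "$signwith" ]
}

# Full flow from the message: generate a key, configure reprepro, and
# make the public key known to APT. Not run automatically; call it as
# root with a repository directory and a codename, e.g. /srv/repo sid.
setup_signed_repo() {
    repo="$1"; codename="$2"
    gpg --batch --yes --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "Local repo <repo@localhost>" default default never
    keyid=$(gpg --list-keys --with-colons "repo@localhost" \
        | awk -F: '/^fpr/ {print $10; exit}')
    write_reprepro_conf "$repo" "$codename" "$keyid"
    check_signwith "$repo" || return 1
    # apt-key is what the message refers to; newer APT prefers a keyring
    # file under /etc/apt/trusted.gpg.d or a [signed-by=] sources entry.
    gpg --armor --export "$keyid" | apt-key add -
    echo "deb file://$repo $codename main" > /etc/apt/sources.list.d/local.list
}
```

After `setup_signed_repo`, `reprepro -b "$repo" includedeb "$codename" package.deb` produces a signed Release that APT will verify instead of silently trusting.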