Package: dpkg-dev
Version: 1.14.5
Severity: grave
Tags: security
Justification: root security hole
From /usr/bin/dpkg-source:

------------------------------------------------------------
if (-x '/usr/bin/gpg') {
    my $gpg_command = 'gpg -q --verify ';
    if (-r '/usr/share/keyrings/debian-keyring.gpg') {
        $gpg_command = $gpg_command.'--keyring /usr/share/keyrings/debian-keyring.gpg ';
    }
    $gpg_command = $gpg_command.quotemeta($dsc).' 2>&1';
    my @gpg_output = `$gpg_command`;
    my $gpg_status = $? >> 8;
    if ($gpg_status) {
        print STDERR join("",@gpg_output);
        &error(sprintf(_g("failed to verify signature on %s"), $dsc))
            if ($gpg_status == 1);
    }
------------------------------------------------------------

This is bad: It silently accepts any package signed by any key in the running user's keyring.

Steps to reproduce:

1. Download the public key of Adam Attacker.
2. Manually download the source (.dsc, orig.tar.gz and diff) of the package `frobulator' from the official Debian archive. (For example, if it's impossible to use apt-get as a normal user since the archive is not in /etc/apt/sources.list.)
3. Run dpkg-source -x frobulator_1.0-1.dsc.
4. cd frobulator-1.0 && dpkg-buildpackage -rfakeroot

Expected results:

In step 3, dpkg-source verifies that the package is signed with a key that is in the debian-keyring, and refuses to extract it if something is wrong.

Actual results:

dpkg-source accepts the package silently (without printing any error or warning at all) if the package is signed by the public key of Adam Attacker, which is in the user's keyring. In step 4, this leads to arbitrary code execution.

More information:

1. If debian-keyring does not exist, gpg is not given any --keyring argument. This causes the user's default keyring to be used.
2. If debian-keyring exists, the --keyring option merely ADDS debian-keyring to the keyrings used, hence the situation is as bad.

Also: Suppose Adam Attacker has installed a rogue WLAN access point in my university which I use when I download the sources and supplies me with a hacked version of frobulator. I trust those sources anyway because dpkg-source is supposed to verify that the package is signed by a Debian Developer. Hence I go on to build the package (running malicious code as normal user) and install it (running the code as root).

Also notice that if the signature check fails with exit code 2, which happens if the public key is not known, dpkg-deb happily extracts the package. In this case the user sees the warning produced by gpg, however.

Sami

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.22.3-sli (PREEMPT)
Locale: LANG=C, LC_CTYPE=fi_FI.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages dpkg-dev depends on:
ii  binutils                2.18-1       The GNU assembler, linker and bina
ii  cpio                    2.9-3        GNU cpio -- a program to manage ar
ii  dpkg                    1.14.5       package maintenance system for Deb
ii  make                    3.81-3       The GNU version of the "make" util
ii  patch                   2.5.9-4      Apply a diff file to an original
ii  perl [perl5]            5.8.8-7      Larry Wall's Practical Extraction
ii  perl-modules            5.8.8-7      Core Perl modules

Versions of packages dpkg-dev recommends:
ii  bzip2                   1.0.3-7      high-quality block-sorting file co
ii  gcc [c-compiler]        4:4.2.1-5    The GNU C compiler
ii  gcc-3.4 [c-compiler]    3.4.6-6      The GNU C compiler
ii  gcc-4.1 [c-compiler]    4.1.2-16     The GNU C compiler
ii  gcc-4.2 [c-compiler]    4.2.1-5      The GNU C compiler

-- no debconf information
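A hardened verification routine for the two problems the report describes, added here as an illustration; it is not dpkg's code and not the fix that was eventually shipped. It restricts gpg to the Debian keyring with --no-default-keyring and bases the accept decision on gpg's --status-fd output rather than on "exit status == 1", so the exit-code-2 (unknown key) case is rejected too. The keyring path is the one quoted in the report; the function names are my own.

```python
import os
import re
import subprocess
from typing import List, Tuple

# Added illustration for the report above (not dpkg's code or the shipped fix):
# --no-default-keyring keeps gpg away from the user's own keyring, and the
# accept decision is taken from gpg's --status-fd lines, not from "status == 1".

DEBIAN_KEYRING = "/usr/share/keyrings/debian-keyring.gpg"  # path from the report

# Status tokens gpg writes to the --status-fd descriptor.
_VALIDSIG = re.compile(r"^\[GNUPG:\] VALIDSIG ([0-9A-F]+) ")
_REJECT = re.compile(r"^\[GNUPG:\] (BADSIG|ERRSIG|NO_PUBKEY|EXPKEYSIG|REVKEYSIG|EXPSIG)\b")


def gpg_verify_command(dsc_path: str, keyring: str = DEBIAN_KEYRING) -> List[str]:
    """Argument vector for verifying a .dsc (no shell, so no quoting issues)."""
    return [
        "gpg", "--batch", "--quiet",
        "--no-default-keyring",   # ignore ~/.gnupg/pubring, whatever it contains
        "--keyring", keyring,     # consult only the Debian keyring
        "--status-fd", "1",       # machine-readable status lines on stdout
        "--verify", dsc_path,
    ]


def decide(exit_status: int, status_lines: List[str]) -> Tuple[bool, str]:
    """Accept only on exit 0 plus a VALIDSIG line and no rejection token."""
    # Any non-zero status rejects, so the exit-code-2 case from the report
    # (unknown public key) no longer slips through.
    if exit_status != 0:
        return False, f"gpg exited with status {exit_status}"
    bad = [m.group(1) for m in map(_REJECT.match, status_lines) if m]
    if bad:
        return False, "gpg reported " + ",".join(bad)
    fprs = [m.group(1) for m in map(_VALIDSIG.match, status_lines) if m]
    if not fprs:
        return False, "no VALIDSIG line from gpg"
    return True, "valid signature from key " + fprs[0]


def verify_dsc(dsc_path: str, keyring: str = DEBIAN_KEYRING) -> Tuple[bool, str]:
    """Run gpg against the Debian keyring only and apply decide()."""
    if not os.access(keyring, os.R_OK):
        # The original code silently fell back to the user's keyring here.
        return False, f"keyring {keyring} is not readable"
    proc = subprocess.run(gpg_verify_command(dsc_path, keyring),
                          capture_output=True, text=True)
    return decide(proc.returncode, proc.stdout.splitlines())
```

verify_dsc("frobulator_1.0-1.dsc") returns (False, "keyring ... is not readable") on a machine without the debian-keyring package instead of quietly widening the trust to the user's own keys.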