Package: cdebootstrap
Version: 0.5.9
Severity: grave
Tags: security
Usertags: gpg-clearsign

cdebootstrap can be tricked into using unsigned data from an InRelease file. This makes the verification of the gpg signature useless.

The particular bug here is in libdebian-installer (0.85)'s parser. It treats "-----BEGIN PGP SIGNED MESSAGE----- NOT" as a marker for the start of the signed data (which it obviously isn't). So one can prepend an InRelease file looking like

----
-----BEGIN PGP SIGNED MESSAGE----- NOT
Hash: SHA1

<insert malicious Release file contents here>
-----BEGIN PGP SIGNATURE----- NOT
----

to a valid InRelease file. gpgv will see the signature in the later part and report that there is no problem, but cdebootstrap will use the first part of the file.

The easy workaround is to disable InRelease support, which was already done for apt. Other options are splitting InRelease into Release and Release.gpg and verifying those, OR using gpg to both extract the signed data and check the signature.

Ansgar
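The parser flaw described in the report, shown side by side with the fix, as an added example (this is not code from the report, cdebootstrap or libdebian-installer): a prefix match on the armor header line accepts "-----BEGIN PGP SIGNED MESSAGE----- NOT" as a start marker, while RFC 4880 requires that nothing but whitespace follow the header on its line. The constructed InRelease below carries a placeholder signature; checking the signature itself is left to gpgv, the extractor only has to hand back the same text gpgv verified.

```python
# Clearsign extraction: lax (mimics the reported bug) versus strict (RFC 4880 armor lines).
BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

# Constructed InRelease: an unsigned block prepended to a genuine clearsigned block.
# "PLACEHOLDER-SIGNATURE-DATA" stands in for a real armored signature.
PREPENDED = "\n".join([
    "----", BEGIN_SIGNED + " NOT", "Hash: SHA1", "",
    "Origin: unsigned-prepended-data", "Suite: stable",
    BEGIN_SIG + " NOT", "----",
])
GENUINE = "\n".join([
    BEGIN_SIGNED, "Hash: SHA256", "",
    "Origin: Debian", "Suite: stable",
    BEGIN_SIG, "PLACEHOLDER-SIGNATURE-DATA", END_SIG,
])
INRELEASE = PREPENDED + "\n" + GENUINE + "\n"


def _cleartext(lines, start, end):
    """Skip the armor headers ("Hash: ...") up to the blank line, then return the
    cleartext with RFC 4880 dash-escaping ("- " prefix) undone."""
    i = start + 1
    while i < end and lines[i] != "":
        i += 1
    body = lines[i + 1:end]
    return "\n".join(l[2:] if l.startswith("- ") else l for l in body)


def extract_signed_lax(text):
    """The bug: any line that merely *starts with* the armor header is a marker,
    so the prepended '... NOT' block is taken as the signed data."""
    lines = text.split("\n")
    start = next(i for i, l in enumerate(lines) if l.startswith(BEGIN_SIGNED))
    end = next(i for i, l in enumerate(lines) if i > start and l.startswith(BEGIN_SIG))
    return _cleartext(lines, start, end)


def extract_signed_strict(text):
    """Armor header lines must be whole lines (trailing whitespace only, per RFC 4880
    section 6.2), and the signature block must be terminated."""
    def is_marker(line, marker):
        return line.rstrip(" \t\r") == marker
    lines = text.split("\n")
    start = next(i for i, l in enumerate(lines) if is_marker(l, BEGIN_SIGNED))
    end = next(i for i, l in enumerate(lines) if i > start and is_marker(l, BEGIN_SIG))
    if not any(is_marker(l, END_SIG) for l in lines[end + 1:]):
        raise ValueError("unterminated PGP SIGNATURE block")
    return _cleartext(lines, start, end)
```

The lax extractor returns the prepended, never-signed block, while the strict one returns exactly the block gpgv's signature covers.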