Package: cdebootstrap
Version: 0.5.9
Severity: grave
Tags: security
Usertags: gpg-clearsign

cdebootstrap can be tricked into using unsigned data from an InRelease file.
This makes the verification of the gpg signature useless.

The particular bug here is in libdebian-installer (0.85)'s parser. It
treats "-----BEGIN PGP SIGNED MESSAGE----- NOT" as a marker for the
start of the signed data (which it obviously isn't).

So one can prepend an InRelease file looking like

----
-----BEGIN PGP SIGNED MESSAGE----- NOT
Hash: SHA1

<insert malicious Release file contents here>

-----BEGIN PGP SIGNATURE----- NOT
----

to a valid InRelease file. gpgv will see the signature in the later part
and report that there is no problem, but cdebootstrap will use the first
part of the file.

The easy workaround is to disable InRelease support which was already
done for apt. Other options are splitting InRelease into Release and
Release.gpg and verifying those OR using gpg to both extract the signed
data and check the signature.

Ansgar
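The extraction step that the last option above calls for (let the signed data be exactly what the clearsigned block contains), written here as an added Python example; it is not cdebootstrap's or libdebian-installer's code, and the sample files, the placeholder signature and the helper names are constructed for illustration.

```python
# Strict clearsign splitter (illustrative, not libdebian-installer's code).
# Armor markers must match a whole line, so "-----BEGIN PGP SIGNED MESSAGE----- NOT"
# is not one; exactly one block is accepted and only blank lines may surround it.
BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"
SIG_END = "-----END PGP SIGNATURE-----"

def lax_find_begin(lines):
    """Prefix match of the kind the report describes: the first line that
    merely starts with BEGIN is taken as the start of the signed data."""
    return next((i for i, l in enumerate(lines) if l.startswith(BEGIN)), None)

def split_clearsigned(text):
    """Return (signed_body, armored_signature), or None unless the text is
    exactly one well-formed clearsigned block. gpgv still has to verify the
    signature; this only decides which bytes may be used as signed data."""
    lines = text.split("\n")
    marks = [(i, l) for i, l in enumerate(lines) if l in (BEGIN, SIG_BEGIN, SIG_END)]
    if [l for _, l in marks] != [BEGIN, SIG_BEGIN, SIG_END]:
        return None                # zero, several, or out-of-order blocks
    (b, _), (s, _), (e, _) = marks
    if any(lines[:b]) or any(lines[e + 1:]):
        return None                # data outside the block (e.g. prepended)
    j = b + 1                      # armor headers such as "Hash: SHA1"
    while j < s and lines[j]:
        if ":" not in lines[j]:
            return None            # malformed armor header
        j += 1
    if j >= s:
        return None                # no blank line between headers and body
    # Undo dash-escaping: a body line starting with "-" is written as "- -...".
    body = [l[2:] if l.startswith("- ") else l for l in lines[j + 1:s]]
    return "\n".join(body), "\n".join(lines[s:e + 1])

# Constructed samples; the signature block is a placeholder, not a real one.
GENUINE = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Suite: stable (constructed sample)
-----BEGIN PGP SIGNATURE-----
<placeholder signature>
-----END PGP SIGNATURE-----
"""
DOCTORED = """-----BEGIN PGP SIGNED MESSAGE----- NOT
Hash: SHA1

Suite: unsigned (constructed sample)

-----BEGIN PGP SIGNATURE----- NOT
""" + GENUINE
```

With the prefix match, the doctored file's first line is taken as the start marker; the strict splitter rejects the same file because data precedes the one real block.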

