Your message dated Mon, 15 Apr 2013 15:02:35 +0000
with message-id <e1urkvt-0007k7...@franck.debian.org>
and subject line Bug#704613: fixed in cdebootstrap 0.5.10
has caused the Debian Bug report #704613,
regarding cdebootstrap: signature verification bypass with manipulated
InRelease file
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
704613: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704613
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: cdebootstrap
Version: 0.5.9
Severity: grave
Tags: security
Usertags: gpg-clearsign
cdebootstrap can be tricked into using unsigned data from an InRelease file.
This makes the verification of the gpg signature useless.
The particular bug here is in libdebian-installer (0.85)'s parser. It
treats "-----BEGIN PGP SIGNED MESSAGE----- NOT" as a marker for the
start of the signed data (which it obviously isn't).
So one can prepend an InRelease file looking like
----
-----BEGIN PGP SIGNED MESSAGE----- NOT
Hash: SHA1
<insert malicious Release file contents here>
-----BEGIN PGP SIGNATURE----- NOT
----
to a valid InRelease file. gpgv will see the signature in the later part
and report that there is no problem, but cdebootstrap will use the first
part of the file.
The easy workaround is to disable InRelease support which was already
done for apt. Other options are splitting InRelease into Release and
Release.gpg and verifying those OR using gpg to both extract the signed
data and check the signature.
Ansgar
--- End Message ---
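The marker confusion Ansgar describes, as an added example that is not part of the original report and not libdebian-installer's or cdebootstrap's code: a Python model of a parser that matches the armor lines by prefix (the behaviour the report attributes to libdebian-installer 0.85) next to one that requires the exact armor lines, a signed section starting on line 1 and nothing after the signature block, both run over a constructed InRelease and the same file with the report's " NOT" block prepended. The sample Release contents and the signature block are constructed and the signature is not a real OpenPGP signature; the example is about which bytes the consumer keeps, not about the check gpg performs.

```python
"""Clearsign marker confusion modelled on Debian bug #704613.

Added example, not code from libdebian-installer or cdebootstrap. Sample
InRelease data and the signature block are constructed; the signature is not a
real OpenPGP signature, since signature checking is left to gpg here.
"""

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

# Constructed stand-in for a correctly signed InRelease file.
GENUINE_BODY = "\n".join([
    "Origin: Debian",
    "Suite: stable",
    "SHA256:",
    " 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef 1234 main/binary-amd64/Packages",
])
GENUINE_INRELEASE = "\n".join([
    BEGIN_SIGNED, "Hash: SHA1", "", GENUINE_BODY,
    BEGIN_SIG, "Version: GnuPG v1", "",
    "iQEcBAEBAgAGBQJRbA42AAoJEC5ACCJ/Tg4RCONSTRUCTEDNOTAREALSIGNATURE", "=ZZZZ",
    END_SIG, "",
])

# Constructed attacker block in the shape the report gives: the armor lines end
# in " NOT", so gpg ignores them, but a prefix-matching parser does not.
MALICIOUS_BODY = "\n".join([
    "Origin: Debian",
    "Suite: stable",
    "SHA256:",
    " deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef 1234 main/binary-amd64/Packages",
])
CRAFTED_INRELEASE = "\n".join([
    BEGIN_SIGNED + " NOT", "Hash: SHA1", "", MALICIOUS_BODY, BEGIN_SIG + " NOT", "",
]) + GENUINE_INRELEASE


def extract_lenient(text):
    """Buggy extraction as the report describes it: a marker 'matches' any line
    that merely starts with it, so the first signature-looking line ends the body.
    """
    body, state = [], "preamble"
    for line in text.split("\n"):
        if state == "preamble":
            if line.startswith(BEGIN_SIGNED):
                state = "headers"
        elif state == "headers":
            if line == "":
                state = "body"
        elif line.startswith(BEGIN_SIG):
            return "\n".join(body)
        else:
            body.append(line)
    return None


def extract_strict(text):
    """Hardened extraction: exact armor lines, the signed section must start on
    line 1, body lines starting with '-' must be dash-escaped (RFC 4880), and
    nothing but whitespace may follow the signature block. Returns the signed
    text or None. gpg must still verify the file; this only ensures the
    consumer keeps the same bytes gpg checked.
    """
    lines = text.split("\n")
    if not lines or lines[0] != BEGIN_SIGNED:
        return None                      # preamble, or a "NOT"-style suffix
    i = 1
    while i < len(lines) and lines[i] != "":   # armor headers end at a blank line
        if ":" not in lines[i]:
            return None
        i += 1
    i += 1
    body = []
    while i < len(lines) and lines[i] != BEGIN_SIG:
        line = lines[i]
        if line.startswith("-"):
            if not line.startswith("- "):
                return None              # raw armor-like line inside the body
            line = line[2:]              # undo dash-escaping
        body.append(line)
        i += 1
    if i >= len(lines):
        return None                      # no signature block
    try:
        end = lines.index(END_SIG, i)
    except ValueError:
        return None
    if any(l.strip() for l in lines[end + 1:]):
        return None                      # data after the signature: refuse, don't guess
    return "\n".join(body)


if __name__ == "__main__":
    print("lenient parser keeps attacker body:", extract_lenient(CRAFTED_INRELEASE) == MALICIOUS_BODY)
    print("strict parser result for crafted file:", extract_strict(CRAFTED_INRELEASE))
```

Running the block shows the lenient parser returning the prepended Release contents, which gpgv never looked at, while the strict parser refuses the crafted file and accepts only the genuine one. The last option the report lists avoids a second parser altogether: `gpg --decrypt --output Release InRelease` writes the text the signature actually covers and exits non-zero when the signature does not verify, so the consumer checks the exit status and uses only that output.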
--- Begin Message ---
Source: cdebootstrap
Source-Version: 0.5.10
We believe that the bug you reported is fixed in the latest version of
cdebootstrap, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 704...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Bastian Blank <wa...@debian.org> (supplier of updated cdebootstrap package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Mon, 15 Apr 2013 16:23:16 +0200
Source: cdebootstrap
Binary: cdebootstrap cdebootstrap-static cdebootstrap-udeb
Architecture: source amd64
Version: 0.5.10
Distribution: unstable
Urgency: low
Maintainer: Bastian Blank <wa...@debian.org>
Changed-By: Bastian Blank <wa...@debian.org>
Description:
cdebootstrap - Bootstrap a Debian system
cdebootstrap-static - Bootstrap a Debian system - static binary
cdebootstrap-udeb - Bootstrap a Debian system - udeb (udeb)
Closes: 704613
Changes:
cdebootstrap (0.5.10) unstable; urgency=low
.
* Disable InRelease support. (closes: #704613)
Checksums-Sha1:
1435e8baff83136ede1e20a575f70d21452d087f 1024 cdebootstrap_0.5.10.dsc
97cb1e9a5481d9d0f778cb7806764523237bc791 160558 cdebootstrap_0.5.10.tar.gz
02ffc3758cdb56ae39215cb7c91a402c0a55fcf9 34308 cdebootstrap_0.5.10_amd64.deb
fac5c83620a1cb445b934a357e0152e42cf28a3b 843376 cdebootstrap-static_0.5.10_amd64.deb
7e4cd1a9b41ed2cba4149a9081367c32d76c93fe 18680 cdebootstrap-udeb_0.5.10_amd64.udeb
Checksums-Sha256:
50260daf1e7d2be255315ec0722b42e29b56ccb9081764e12ba63ddd08ae97fc 1024 cdebootstrap_0.5.10.dsc
8dd0e1ff0ebb3019a2abdda99630143d18ca5fed6823330f4c2754c3f0767980 160558 cdebootstrap_0.5.10.tar.gz
e09afbfe6be4593aae251cbfd9fe005ddcb4552258e8d91d693a26c9f64a93ab 34308 cdebootstrap_0.5.10_amd64.deb
94373f6bc4e882681a75cf5c097c3746c0aa9b700295e3e39ab237fc1d05aeb9 843376 cdebootstrap-static_0.5.10_amd64.deb
3e6415a3d8bca48795785db61096ba4fa44688de926257c1e16705db68e890b8 18680 cdebootstrap-udeb_0.5.10_amd64.udeb
Files:
3c01a965aa5bc46235a9c4f2af9d716a 1024 admin optional cdebootstrap_0.5.10.dsc
34ea8d2b87480b6c01170cee9d1ce55a 160558 admin optional cdebootstrap_0.5.10.tar.gz
2b2049e779288c83a89935b3a476f832 34308 admin optional cdebootstrap_0.5.10_amd64.deb
f300f68f31b0ce08c8017283d706a9f9 843376 admin optional cdebootstrap-static_0.5.10_amd64.deb
5f7cc2fabdc032b6e105d1fba61b5b99 18680 debian-installer optional cdebootstrap-udeb_0.5.10_amd64.udeb
Package-Type: udeb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAlFsDjYACgkQLkAIIn9ODhH0TACfa5nSSPip6mnkZjzc4PIZrlfq
+y4AoOsgRNubv97AR0fCN1STg9z+VFh0
=C3AU
-----END PGP SIGNATURE-----
--- End Message ---