Package: src:pybit
Version: 1.0.0-2.1
Severity: grave
Tags: security

pybit disables apt's signature checks when retrieving source packages:

+---
| url = "deb-src http://cdn.debian.net/debian %s main " % buildreq.get_suite()
| os.write(src_list, url)
| cfg_str = "-o Apt::Get::AllowUnauthenticated=true -o Dir=%s -o Dir::State=%s -o Dir::Etc::SourceList=%s/sources.list -o Dir::Cache=%s" % \
+---[ http://sources.debian.net/src/pybit/1.0.0-2.1/pybitclient/apt.py/?hl=50#L50 ]

As can be seen, it also includes a remote repository in the sources.list that could be the target of a MitM attack. I assume (but did not verify) that pybit then proceeds to build the source package, possibly executing arbitrary code in case the connection to cdn.debian.net was compromised.

Ansgar
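A check that flags the two weaknesses in the quoted apt call, with the weak option string and sources line beside hardened equivalents. This is an added example, not code from pybit or from the report; the Dir paths, the suite name and the https mirror are assumptions.

```python
import re
import shlex

# Option string and sources.list line as pybit builds them (constructed here
# from the report; the Dir paths and suite are placeholders).
WEAK_OPTS = ("-o Apt::Get::AllowUnauthenticated=true -o Dir=/tmp/b "
             "-o Dir::State=/tmp/b/state -o Dir::Etc::SourceList=/tmp/b/sources.list "
             "-o Dir::Cache=/tmp/b/cache")
WEAK_SOURCES = "deb-src http://cdn.debian.net/debian sid main\n"

# Hardened equivalents: signature checks left on, mirror fetched over TLS.
SAFE_OPTS = ("-o Dir=/tmp/b -o Dir::State=/tmp/b/state "
             "-o Dir::Etc::SourceList=/tmp/b/sources.list -o Dir::Cache=/tmp/b/cache")
SAFE_SOURCES = "deb-src https://deb.debian.org/debian sid main\n"


def parse_apt_options(opts):
    """Return {Key: value} from an apt option string ('-o Key=value' or '-oKey=value')."""
    toks = shlex.split(opts)
    out = {}
    for i, t in enumerate(toks):
        if t == "-o" and i + 1 < len(toks) and "=" in toks[i + 1]:
            k, v = toks[i + 1].split("=", 1)
            out[k] = v
        elif t.startswith("-o") and "=" in t:
            k, v = t[2:].split("=", 1)
            out[k] = v
    return out


def audit(opts, sources):
    """Report signature checks being disabled and any mirror reached over plain http."""
    findings = []
    conf = parse_apt_options(opts)
    # apt treats the value as a case-insensitive boolean; yes/1 also enable it
    if conf.get("Apt::Get::AllowUnauthenticated", "false").lower() in ("true", "yes", "1"):
        findings.append("apt signature checks disabled (APT::Get::AllowUnauthenticated)")
    for line in sources.splitlines():
        m = re.match(r"^\s*deb(-src)?\s+(\S+)", line)
        if m and m.group(2).lower().startswith("http://"):
            # without signature checks a plaintext fetch lets a MitM substitute sources
            findings.append("mirror fetched over plain http: " + m.group(2))
    return findings
```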