severity 781594 normal
thanks

On Tue, 31 Mar 2015 14:30:06 +0200 Ansgar Burchardt <ans...@debian.org> wrote:

> Package: src:pybit
> Version: 1.0.0-2.1
> Severity: grave
> Tags: security
>
> pybit disables apt's signature checks when retrieving source packages:

The apt backend is not enabled by default - the principal build backend is svn hooks. The apt backend was started as an example but never completed. Therefore, this particular code path is not active.

Additionally, pybit has no support for building packages destined to be released as it makes changes to the package changelogs for its own needs, which would raise numerous (iirc fatal) lintian errors. (i.e. the final packages are pybit NMUs by a fake pybit user.)

> +---
> |         url = "deb-src http://cdn.debian.net/debian %s main " % buildreq.get_suite()
> |         os.write(src_list, url)
> |         cfg_str = "-o Apt::Get::AllowUnauthenticated=true -o Dir=%s -o Dir::State=%s -o Dir::Etc::SourceList=%s/sources.list -o Dir::Cache=%s" % \
> +---[ http://sources.debian.net/src/pybit/1.0.0-2.1/pybitclient/apt.py/?hl=50#L50 ]
>
> As can be seen, it also includes a remote repository in the sources.list that could be the target of a MitM attack.

This is one of the areas which needed completion as this needed to be configurable.

> I assume (but did not verify) that pybit then proceeds to build the source package, possibly executing arbitrary code in case the connection to cdn.debian.net was compromised.

It would only do that if someone (fixed/completed and then) enabled the apt backend. A warning could be added to the docs but that is about as far as this would go.

-- 
Neil Williams
=============
http://www.linux.codehelp.co.uk/
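As an added example (not pybit's code and not part of the bug thread), the following Python check parses an apt-get option string and a sources.list entry in the shape of the quoted fragment, flags the settings that remove signature verification, and builds the same per-build directory layout with verification left on. The sample values are constructed, and Acquire::AllowInsecureRepositories is a later apt option that the report itself does not mention.

```python
import re
import shlex

# Constructed sample that mirrors the fragment quoted in the report
# (suite and directory paths are placeholders, not pybit's real values).
SAMPLE_SOURCES = "deb-src http://cdn.debian.net/debian sid main\n"
SAMPLE_CFG = ("-o Apt::Get::AllowUnauthenticated=true -o Dir=/tmp/b "
              "-o Dir::State=/tmp/b/state -o Dir::Etc::SourceList=/tmp/b/sources.list "
              "-o Dir::Cache=/tmp/b/cache")


def parse_apt_options(cfg_str):
    """Collect '-o Key=Value' pairs; apt option names are case-insensitive, so keys are lower-cased."""
    opts = {}
    tokens = shlex.split(cfg_str)
    for i, tok in enumerate(tokens):
        if tok == "-o" and i + 1 < len(tokens) and "=" in tokens[i + 1]:
            key, value = tokens[i + 1].split("=", 1)
            opts[key.lower()] = value.strip()
    return opts


def audit_apt_invocation(cfg_str, sources_list):
    """Return findings for settings that remove or weaken apt's signature check."""
    findings = []
    opts = parse_apt_options(cfg_str)
    unauthenticated = opts.get("apt::get::allowunauthenticated", "").lower() == "true"
    if unauthenticated:
        findings.append("APT::Get::AllowUnauthenticated=true: unverifiable sources are accepted")
    if opts.get("acquire::allowinsecurerepositories", "").lower() == "true":
        findings.append("Acquire::AllowInsecureRepositories=true: unsigned indexes are accepted")
    for line in sources_list.splitlines():
        m = re.match(r"\s*deb(?:-src)?\s+(\[[^\]]*\]\s+)?(\S+)", line)
        if not m:
            continue
        options, url = m.group(1) or "", m.group(2)
        if "trusted=yes" in options.replace(" ", "").lower():
            findings.append(f"{url}: [trusted=yes] skips signature verification for this entry")
        if url.startswith("http://") and unauthenticated:
            # Plain http is acceptable only while apt verifies signatures; with the check
            # disabled, the transport becomes the sole (and missing) integrity control.
            findings.append(f"{url}: plain http with signature checks disabled (MitM-modifiable)")
    return findings


def hardened_cfg(root):
    """Same per-build directory layout as the quoted snippet, with verification left on."""
    return (f"-o Dir={root} -o Dir::State={root}/state "
            f"-o Dir::Etc::SourceList={root}/sources.list -o Dir::Cache={root}/cache")
```

Running audit_apt_invocation(SAMPLE_CFG, SAMPLE_SOURCES) reports both the disabled check and the plain-http mirror, while the same sources.list audited with hardened_cfg("/tmp/b") yields no findings.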