Package: apt-offline
Version: 1.7.2
Severity: serious
Tags: security

Dear Maintainer,

apt-offline claims to do gpg validation of the contents of the zip file and claims that this is an important thing for it to do.

    --allow-unauthenticated
        Don't verify GPG signatures for the data to be installed to APT.
        Usage of this option is highly discouraged.

However, it appears that apt-offline only verifies the GPG signature on the Release file. If that check passes, then it is assumed that all referenced resources (Packages files) are OK and apt-offline does not check that the hashes for the Packages files are indeed correct. These Packages files are then fed directly to apt. Once apt has been fed a manipulated Packages file, it will then trust the .deb packages that it refers to.

One can take a zip bundle, decompress it, alter the Packages file and the altered file was not rejected by "apt-offline install bundle.zip".

It seems that the existing GPG check of the Release file is rather pointless and gives a false sense of security validation. Either the bundle.zip has been securely handled all along and the GPG check is unnecessary, or bundle.zip has not been securely handled and it is incorrectly trusted.

regards
Stuart

-- System Information:
Debian Release: 9.1
  APT prefers proposed-updates
  APT policy: (550, 'proposed-updates'), (500, 'stable-debug'), (500, 'stable'), (60, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apt-offline depends on:
ii  apt                                    1.4.7
ii  less                                   481-2.1
ii  libpython2.7-stdlib [python-argparse]  2.7.13-2
ii  python                                 2.7.13-2
ii  python-magic                           1:5.30-1

Versions of packages apt-offline recommends:
ii  debian-archive-keyring  2017.5
ii  python-lzma             0.5.3-3
ii  python-soappy           0.12.22-1

apt-offline suggests no packages.

-- no debconf information
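The hash check the report describes as missing, as an added example that is not apt-offline's own code: once the Release file's GPG signature has been verified, every index file named in its SHA256 section is compared against the listed digest and size before it is handed to apt. The Release text, Packages content and index path below are constructed sample data, and build_release is a helper written here only to produce that sample.

```python
import hashlib

def parse_release_hashes(release_text, algo="SHA256"):
    """Return {path: (hexdigest, size)} from the named hash section of a Release file.

    Section headers are lines such as "SHA256:"; entries are indented
    " <digest> <size> <path>" lines until the next unindented line.
    """
    entries = {}
    in_section = False
    for line in release_text.splitlines():
        if not line.startswith(" "):
            in_section = line.rstrip(":") == algo
            continue
        if in_section:
            parts = line.split()
            if len(parts) == 3:
                digest, size, path = parts
                entries[path] = (digest.lower(), int(size))
    return entries

def verify_index(release_text, path, data):
    """Check the raw bytes of one index file against the (signature-checked) Release.

    Returns (ok, reason). An index that is absent from Release, has the wrong
    size, or has the wrong digest must be rejected, not passed on to apt.
    """
    expected = parse_release_hashes(release_text).get(path)
    if expected is None:
        return False, "not listed in Release"
    digest, size = expected
    if len(data) != size:
        return False, "size mismatch"
    if hashlib.sha256(data).hexdigest() != digest:
        return False, "sha256 mismatch"
    return True, "ok"

# Constructed sample data (not taken from any real archive).
PACKAGES = (b"Package: hello\nVersion: 2.10-1\n"
            b"Filename: pool/main/h/hello/hello_2.10-1_amd64.deb\n\n")
PATH = "main/binary-amd64/Packages"

def build_release(indexes):
    """Constructed helper: emit a minimal Release with a SHA256 section for {path: bytes}."""
    lines = ["Suite: stable", "Codename: stretch", "SHA256:"]
    for path, data in indexes.items():
        lines.append(" %s %d %s" % (hashlib.sha256(data).hexdigest(), len(data), path))
    return "\n".join(lines) + "\n"

RELEASE = build_release({PATH: PACKAGES})
# Same length as the original, so only the digest comparison catches it.
TAMPERED = PACKAGES.replace(b"Version: 2.10-1", b"Version: 2.10-2")
```

In a real bundle the Release text must come from the file whose signature (Release.gpg or InRelease) was verified, otherwise the digests are as untrusted as the index they describe.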