Control: tag -1 moreinfo

On Sat, Nov 30, 2019 at 10:36:29PM +0100, Florian Zumbiehl wrote:
> Package: apt
> Version: 1.8.2
> Severity: critical
>
> APT now promotes using auth.conf to store repository credentials.
> Unfortunately, the way these credentials are handled causes a confused
> deputy style problem:
>
> The credentials to transmit for a request are selected not based on the
> host name specified in the sources.list, but rather based on the URI that
> is being requested. Thus, any repository server that APT ever makes an
> HTTP(S) request to can issue an HTTP redirect to any URI that points to any
> of the (other) servers for which credentials are stored in the auth.conf
> file, and APT will then send those credentials to whatever endpoint that is
> specified as the redirection target URI.

Yes, and why, please tell, should that be a problem? That's how stuff works. If I request https://a/b/c and it redirects me to https://x/y/z, I need login details for x/y/z to login. Saying we should send the credentials for a/b/c to x/y/z does not make a whole lot of sense. This also assumes that you have access to the a/b/c server _and_ the x/y/z server.

> Examples for how this could be exploited are:
>
> - The redirect could point to a different port on the server than where the
> repository is hosted, possibly an unprivileged port where an attacker on
> that server could be listening to receive the credentials.

I don't understand. FWIW, credentials can be limited by port and path.

> - The redirect could point to an HTTP URI to expose the credentials as
> plain text on the wire, even where the sources.list entries for the
> respective server point only to HTTPS URIs to protect from eavesdroppers.

HTTPS->HTTP redirects are not allowed.

> - The redirect could point to an existing resource in the repository the
> credentials are actually meant for in order to make APT download that
> resource and then use it in a context it wasn't meant for, thus
> potentially leaking contents of the password-protected repository.

I don't understand.

-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                              i speak de, en
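The credential-selection rule the two messages above argue about, as an added illustration that is not APT's code and not part of this bug thread: auth.conf-style `machine` entries scoped by host, optional port and optional path, with credentials chosen from the URI that is actually fetched (i.e. the redirect target) and an https-to-http redirect refused. The entries below are constructed, and the matching rules are a simplified model of the apt_auth.conf(5) `machine host[:port][/path]` syntax, an assumption rather than a reproduction of APT's implementation. Running it shows why scoping by port and path matters: the entry without a port limit is handed out for any port on that host, the port-limited one is not.

```python
from urllib.parse import urlsplit

# Constructed sample in the apt_auth.conf(5) "machine" style (not a real file).
AUTH_CONF = """\
# host + path scope, no port limit
machine repo.example.org/debian login alice password s3cret
# host + port scope, no path limit
machine mirror.example.net:8443 login bob password hunter2
"""


def parse_auth_conf(text):
    """Parse 'machine HOST[:PORT][/PATH] login USER password PASS' lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        entry = {}
        for key, val in zip(tokens[0::2], tokens[1::2]):
            if key == "machine":
                hostport, _, rest = val.partition("/")
                host, _, port = hostport.partition(":")
                entry["host"] = host.lower()
                entry["port"] = int(port) if port else None   # None = any port
                entry["path"] = "/" + rest if rest else None  # None = any path
            elif key in ("login", "password"):
                entry[key] = val
        if "host" in entry:
            entries.append(entry)
    return entries


def _path_within(path, scope):
    """True if PATH is SCOPE itself or a resource underneath it (segment-aware)."""
    scope = scope.rstrip("/") or "/"
    if scope == "/":
        return True
    return path == scope or path.startswith(scope + "/")


def credentials_for(uri, entries):
    """Pick credentials by the URI being fetched: host, then port, then path."""
    parts = urlsplit(uri)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    for e in entries:
        if e["host"] != (parts.hostname or "").lower():
            continue
        if e["port"] is not None and e["port"] != port:
            continue
        if e["path"] is not None and not _path_within(parts.path, e["path"]):
            continue
        return (e["login"], e["password"])
    return None


def follow_redirect(original_uri, location, entries):
    """Credentials a client would attach to the redirect target.

    Mirrors the rule stated in the reply: the target URI decides, and an
    https -> http downgrade is refused outright (assumed policy, modelled here).
    """
    if urlsplit(original_uri).scheme == "https" and urlsplit(location).scheme != "https":
        raise ValueError("refusing https -> http downgrade redirect")
    return credentials_for(location, entries)


if __name__ == "__main__":
    ents = parse_auth_conf(AUTH_CONF)
    print(credentials_for("https://repo.example.org/debian/dists/x/Release", ents))
    print(credentials_for("https://repo.example.org:8000/debian/x", ents))   # no port limit
    print(credentials_for("https://mirror.example.net/x", ents))             # port-limited
```

A port-scoped entry (`machine mirror.example.net:8443`) yields nothing for the same host on port 443, while the entry without a port is returned for any port on `repo.example.org` under `/debian`; tightening the scope in the file is what limits where a redirect can cause the credentials to be presented.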