[lug] Package manager vulnerabilities [was Re: Pencast of Trent Hein - Practical Security]

Paul E Condon pecondon at mesanetworks.net
Thu Oct 22 10:29:57 MDT 2009


On 20091022_021724, Sean Reifschneider wrote:
> On 10/21/2009 08:45 PM, David L. Anselmi wrote:
> > I don't know about the current mirror policy.  Perhaps that was before 
> > they started distributing the archive keyring (only a year or two).  Now 
> 
> Correct, they have fixed it "recently" (a couple of years ago sounds
> right).  It was just annoying that "all the other" distros had signed
> packages, and they acknowledged that it was a problem in that they didn't
> condone mirroring of security packages, but the hole was still there for
> exploiting in non-security base packages.
> 
> It's all fixed now, all the way around.  Which is very nice.  It was just
> annoying at the time.

There still is a problem with an adjunct service, Debian Backports.
Debian backports uses the Debian packaging system (what else would
make sense?)  and signs its packages with its own signing key, using
the same software that is used for debian main. Its signing key is
distributed in a backports package, just as the debian main key is
available in a debian main package.

But the debian main key is also distributed as part of the iso image
of debian install disks, so, in practice, no user ever downloads
packages from a debian mirror onto a computer that doesn't already
have the signing key installed and available for use in checking.

This service is not made available by debian main to debian
backports. So one can't get started on signature checking of backports
without first downloading the backport signing key, and to do this
one must override the signature check on the signature key
package. The backports people are aware of this problem, and have
attempted to get their key package uploaded into debian main, where it
could be downloaded securely under the protection of the debian main
key, but debian main people think there is no problem.

The current situation has a visible hole, visible to every user when
they first start using debian backports.

There is also a not so visible hole in that the distribution of
signature key on iso images can be compromised with the users who
install from counterfeit images never realizing that all the signing
stuff that is described on the web site doesn't really apply to them.

I use Debian. For me the package distribution system is trusted even
though I know it is not completely trustworthy. I figure that if I 
stay alert, I will notice self consistency errors in a compromised
system. But maybe not.


> 
> Yay for cryptographic signatures.  Now if we could just have them on DNS.
> DLAV to the rescue...
> 
> Sean
> -- 
> Sean Reifschneider, Member of Technical Staff <jafo at tummy.com>
> tummy.com, ltd. - Linux Consulting since 1995: Ask me about High Availability
> 


-- 
Paul E Condon           
pecondon at mesanetworks.net
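The trust-bootstrap gap described in the message above, as an added example that is not part of this thread: a toy apt-style trust store in Python in which GPG signatures are stood in by HMAC tags, and every key name, secret and package name is constructed for the example. It shows why a keyring package signed only by the key it carries can be installed only by overriding the signature check, and why the same keyring signed by the main key installs verified.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Hypothetical stand-in for GPG (constructed for this example): a key is
# (key_id, secret) and a "signature" is an HMAC-SHA256 tag. As with apt,
# verification can only succeed if the signer's key is already trusted.
@dataclass(frozen=True)
class Package:
    name: str
    payload: bytes
    signer: str    # key id that produced the tag
    tag: bytes

def _tag(secret: bytes, name: str, payload: bytes) -> bytes:
    return hmac.new(secret, name.encode() + b"\0" + payload, hashlib.sha256).digest()

def sign(key_id: str, secret: bytes, name: str, payload: bytes) -> Package:
    return Package(name, payload, key_id, _tag(secret, name, payload))

def keyring_payload(key_id: str, secret: bytes) -> bytes:
    return f"{key_id}:{secret.hex()}".encode()   # the key a keyring package carries

class TrustStore:
    def __init__(self, anchors: dict):
        self.keys = dict(anchors)          # keys that shipped on the install ISO
    def verify(self, pkg: Package) -> bool:
        secret = self.keys.get(pkg.signer)
        if secret is None:
            return False                   # unknown signer: nothing to check against
        return hmac.compare_digest(_tag(secret, pkg.name, pkg.payload), pkg.tag)
    def install_keyring(self, pkg: Package, force: bool = False) -> str:
        """'verified', 'unverified' (signature check overridden) or 'refused'."""
        ok = self.verify(pkg)
        if not ok and not force:
            return "refused"
        key_id, hexsecret = pkg.payload.decode().split(":")
        self.keys[key_id] = bytes.fromhex(hexsecret)
        return "verified" if ok else "unverified"

MAIN, BPO = b"main-secret-constructed", b"backports-secret-constructed"

def bootstrap_demo() -> dict:
    store = TrustStore({"main": MAIN})                     # fresh install from ISO
    keyring = sign("backports", BPO, "debian-backports-keyring", keyring_payload("backports", BPO))
    r = {"self_signed_keyring": store.install_keyring(keyring)}       # the visible hole
    r["forced"] = store.install_keyring(keyring, force=True)          # user overrides the check
    pkg = sign("backports", BPO, "foo", b"1.0")
    r["after_force"] = store.verify(pkg)
    r["tampered"] = store.verify(Package("foo", b"1.1", "backports", pkg.tag))
    # the fix the backports people asked for: keyring package signed with the main key
    fixed = TrustStore({"main": MAIN})
    via_main = sign("main", MAIN, "debian-backports-keyring", keyring_payload("backports", BPO))
    r["keyring_via_main"] = fixed.install_keyring(via_main)
    return r
```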