diff options
| author | David Kalnischkies <kalnischkies@gmail.com> | 2012-03-04 22:50:21 +0100 |
|---|---|---|
| committer | David Kalnischkies <kalnischkies@gmail.com> | 2012-03-04 22:50:21 +0100 |
| commit | de498a528cd6fc36c4bb22bf8dec6558e21cc9b6 (patch) | |
| tree | f7be862922cb9735027f53e9cde8bfe9bf6dc4db | |
| parent | 43c1ca5d1eb8101e3a52d19a2175c14817e6dd14 (diff) | |
* apt-pkg/acquire-item.cc:
- remove 'old' InRelease file if we can't get a new one before
proceeding with Release.gpg to avoid the false impression of a still
trusted repository by a (still present) old InRelease file.
Thanks to Simon Ruderich for reporting this issue! (CVE-2012-0214)
Effected are all versions >= 0.8.11
Possible attack summary:
- Attacker needs to find a user which has run at least one successful
'apt-get update' against an archive providing InRelease files.
- Create a Packages file with his preferred content.
- Attacker then prevents the download of InRelease, Release and
Release.gpg (alternatively he creates a valid Release file and sends
this, the other two files need to be missing either way).
- User updates against this, getting the modified Packages file without
any indication of being unsigned (beside the "Ign InRelease" and
"Ign Release.gpg" in the output of 'apt-get update').
=> deb files from this source are considered 'trusted' (and therefore the
user isn't asked for an additional confirmation before install)
| -rw-r--r-- | apt-pkg/acquire-item.cc | 7 | ||||
| -rw-r--r-- | debian/changelog | 7 |
2 files changed, 13 insertions, 1 deletions
diff --git a/apt-pkg/acquire-item.cc b/apt-pkg/acquire-item.cc index 4e6fb7ff9..545a57d37 100644 --- a/apt-pkg/acquire-item.cc +++ b/apt-pkg/acquire-item.cc @@ -1598,6 +1598,13 @@ void pkgAcqMetaClearSig::Failed(string Message,pkgAcquire::MethodConfig *Cnf) /* { if (AuthPass == false) { + // Remove the 'old' InRelease file if we try Release.gpg now as otherwise + // the file will stay around and gives a false-auth impression (CVE-2012-0214) + string FinalFile = _config->FindDir("Dir::State::lists"); + FinalFile.append(URItoFileName(RealURI)); + if (FileExists(FinalFile)) + unlink(FinalFile.c_str()); + new pkgAcqMetaSig(Owner, MetaSigURI, MetaSigURIDesc, MetaSigShortDesc, MetaIndexURI, MetaIndexURIDesc, MetaIndexShortDesc, diff --git a/debian/changelog b/debian/changelog index 6cd2e70a7..4af60dc61 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,6 +1,11 @@ apt (0.8.16~exp13) UNRELEASED; urgency=low [ David Kalnischkies ] + * apt-pkg/acquire-item.cc: + - remove 'old' InRelease file if we can't get a new one before + proceeding with Release.gpg to avoid the false impression of a still + trusted repository by a (still present) old InRelease file. + Thanks to Simon Ruderich for reporting this issue! (CVE-2012-0214) * apt-pkg/deb/dpkgpm.cc: - chroot if needed before dpkg --assert-multi-arch - ensure that dpkg binary doesn't have the chroot-directory prefixed @@ -65,7 +70,7 @@ apt (0.8.16~exp13) UNRELEASED; urgency=low * apt-pkg/contrib/fileutl.h: - fix compat with FileFd::OpenDescriptor() in ReadOnlyGzip mode - -- David Kalnischkies <kalnischkies@gmail.com> Sat, 03 Mar 2012 11:03:58 +0100 + -- David Kalnischkies <kalnischkies@gmail.com> Sun, 04 Mar 2012 22:40:27 +0100 apt (0.8.16~exp12) experimental; urgency=low |