From de498a528cd6fc36c4bb22bf8dec6558e21cc9b6 Mon Sep 17 00:00:00 2001 From: David Kalnischkies Date: Sun, 4 Mar 2012 22:50:21 +0100 Subject: * apt-pkg/acquire-item.cc: - remove 'old' InRelease file if we can't get a new one before proceeding with Release.gpg to avoid the false impression of a still trusted repository by a (still present) old InRelease file. Thanks to Simon Ruderich for reporting this issue! (CVE-2012-0214) Effected are all versions >= 0.8.11 Possible attack summary: - Attacker needs to find a user which has run at least one successful 'apt-get update' against an archive providing InRelease files. - Create a Packages file with his preferred content. - Attacker then prevents the download of InRelease, Release and Release.gpg (alternatively he creates a valid Release file and sends this, the other two files need to be missing either way). - User updates against this, getting the modified Packages file without any indication of being unsigned (beside the "Ign InRelease" and "Ign Release.gpg" in the output of 'apt-get update'). => deb files from this source are considered 'trusted' (and therefore the user isn't asked for an additional confirmation before install) --- debian/changelog | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'debian/changelog') diff --git a/debian/changelog b/debian/changelog index 6cd2e70a7..4af60dc61 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,6 +1,11 @@ apt (0.8.16~exp13) UNRELEASED; urgency=low [ David Kalnischkies ] + * apt-pkg/acquire-item.cc: + - remove 'old' InRelease file if we can't get a new one before + proceeding with Release.gpg to avoid the false impression of a still + trusted repository by a (still present) old InRelease file. + Thanks to Simon Ruderich for reporting this issue! (CVE-2012-0214) * apt-pkg/deb/dpkgpm.cc: - chroot if needed before dpkg --assert-multi-arch - ensure that dpkg binary doesn't have the chroot-directory prefixed @@ -65,7 +70,7 @@ apt (0.8.16~exp13) UNRELEASED; urgency=low * apt-pkg/contrib/fileutl.h: - fix compat with FileFd::OpenDescriptor() in ReadOnlyGzip mode - -- David Kalnischkies Sat, 03 Mar 2012 11:03:58 +0100 + -- David Kalnischkies Sun, 04 Mar 2012 22:40:27 +0100 apt (0.8.16~exp12) experimental; urgency=low -- cgit v1.2.3