Bladeren bron

* apt-pkg/acquire-item.cc:
- remove 'old' InRelease file if we can't get a new one before
proceeding with Release.gpg to avoid the false impression of a still
trusted repository by a (still present) old InRelease file.
Thanks to Simon Ruderich for reporting this issue! (CVE-2012-0214)

Effected are all versions >= 0.8.11

Possible attack summary:
- Attacker needs to find a user which has run at least one successful
'apt-get update' against an archive providing InRelease files.
- Create a Packages file with his preferred content.
- Attacker then prevents the download of InRelease, Release and
Release.gpg (alternatively he creates a valid Release file and sends
this, the other two files need to be missing either way).
- User updates against this, getting the modified Packages file without
any indication of being unsigned (beside the "Ign InRelease" and
"Ign Release.gpg" in the output of 'apt-get update').
=> deb files from this source are considered 'trusted' (and therefore the
user isn't asked for an additional confirmation before install)

David Kalnischkies 14 jaren geleden
bovenliggende
commit
de498a528c
2 gewijzigde bestanden met toevoegingen van 13 en 1 verwijderingen
  1. 7 0
      apt-pkg/acquire-item.cc
  2. 6 1
      debian/changelog

+ 7 - 0
apt-pkg/acquire-item.cc

@@ -1598,6 +1598,13 @@ void pkgAcqMetaClearSig::Failed(string Message,pkgAcquire::MethodConfig *Cnf) /*
 {
 {
    if (AuthPass == false)
    if (AuthPass == false)
    {
    {
+      // Remove the 'old' InRelease file if we try Release.gpg now as otherwise
+      // the file will stay around and gives a false-auth impression (CVE-2012-0214)
+      string FinalFile = _config->FindDir("Dir::State::lists");
+      FinalFile.append(URItoFileName(RealURI));
+      if (FileExists(FinalFile))
+	 unlink(FinalFile.c_str());
+
       new pkgAcqMetaSig(Owner,
       new pkgAcqMetaSig(Owner,
 			MetaSigURI, MetaSigURIDesc, MetaSigShortDesc,
 			MetaSigURI, MetaSigURIDesc, MetaSigShortDesc,
 			MetaIndexURI, MetaIndexURIDesc, MetaIndexShortDesc,
 			MetaIndexURI, MetaIndexURIDesc, MetaIndexShortDesc,

+ 6 - 1
debian/changelog

@@ -1,6 +1,11 @@
 apt (0.8.16~exp13) UNRELEASED; urgency=low
 apt (0.8.16~exp13) UNRELEASED; urgency=low
 
 
   [ David Kalnischkies ]
   [ David Kalnischkies ]
+  * apt-pkg/acquire-item.cc:
+    - remove 'old' InRelease file if we can't get a new one before
+      proceeding with Release.gpg to avoid the false impression of a still
+      trusted repository by a (still present) old InRelease file.
+      Thanks to Simon Ruderich for reporting this issue! (CVE-2012-0214)
   * apt-pkg/deb/dpkgpm.cc:
   * apt-pkg/deb/dpkgpm.cc:
     - chroot if needed before dpkg --assert-multi-arch
     - chroot if needed before dpkg --assert-multi-arch
     - ensure that dpkg binary doesn't have the chroot-directory prefixed
     - ensure that dpkg binary doesn't have the chroot-directory prefixed
@@ -65,7 +70,7 @@ apt (0.8.16~exp13) UNRELEASED; urgency=low
   * apt-pkg/contrib/fileutl.h:
   * apt-pkg/contrib/fileutl.h:
     - fix compat with FileFd::OpenDescriptor() in ReadOnlyGzip mode
     - fix compat with FileFd::OpenDescriptor() in ReadOnlyGzip mode
 
 
- -- David Kalnischkies <kalnischkies@gmail.com>  Sat, 03 Mar 2012 11:03:58 +0100
+ -- David Kalnischkies <kalnischkies@gmail.com>  Sun, 04 Mar 2012 22:40:27 +0100
 
 
 apt (0.8.16~exp12) experimental; urgency=low
 apt (0.8.16~exp12) experimental; urgency=low