[Secure-testing-team] Bug#579028: pbuilder: installs untrusted packages without asking

Ansgar Burchardt ansgar at 2008.43-1.org
Sat Apr 24 15:01:36 UTC 2010


Package: pbuilder
Version: 0.196
Severity: grave
Tags: security
Justification: user security hole

Hi,

pbuilder will by default install packages from untrusted sources.  This
means the system can be compromised by a man in the middle providing
malicious packages.  There also seems to be no way to get pbuilder to
stop doing so.

pbuilder should (in the default configuration) not install packages that
are not trusted, only when the user explicitly requests this.

Also when creating the chroot with debootstrap, the --keyring option
should be used so that debootstrap will check for a valid signature.

Regards,
Ansgar

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (900, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=ja_JP.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
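As an added example (not part of the report and not pbuilder's own code), a small POSIX shell audit that checks a pbuilderrc for the two settings the report asks for: a `--keyring` passed to debootstrap and no `--allow-unauthenticated` passed to apt-get. It assumes pbuilderrc's DEBOOTSTRAPOPTS and APTGETOPT array variables and the Debian archive keyring path; both sample configurations are constructed.

```shell
#!/bin/sh
# Added example: audit a pbuilderrc for the trust settings discussed in
# the report.  Assumes pbuilderrc's DEBOOTSTRAPOPTS / APTGETOPT arrays
# and Debian's keyring path; the sample configs below are constructed.

# audit_pbuilderrc FILE -> 0 if hardened, 1 if a weakness is found.
# The file is only grepped, never sourced, so an untrusted config cannot
# run code during the audit.
audit_pbuilderrc() {
    f=$1
    rc=0
    if ! grep -Eq '^[[:space:]]*DEBOOTSTRAPOPTS=.*--keyring' "$f"; then
        echo "$f: DEBOOTSTRAPOPTS lacks --keyring; debootstrap will not verify the Release signature" >&2
        rc=1
    fi
    if grep -Eq '^[[:space:]]*APTGETOPT=.*--allow-unauthenticated' "$f"; then
        echo "$f: APTGETOPT passes --allow-unauthenticated; apt will install unsigned packages" >&2
        rc=1
    fi
    return $rc
}

# Constructed weak configuration: no keyring, unauthenticated apt.
weak_pbuilderrc() {
    printf '%s\n' \
        'DEBOOTSTRAPOPTS=("--variant=buildd")' \
        'APTGETOPT=("--allow-unauthenticated")'
}

# Constructed hardened configuration: signature check in both stages.
hardened_pbuilderrc() {
    printf '%s\n' \
        'DEBOOTSTRAPOPTS=("--variant=buildd" "--keyring" "/usr/share/keyrings/debian-archive-keyring.gpg")' \
        'APTGETOPT=()'
}

# Run the audit over both samples; succeeds only if the weak config is
# flagged and the hardened one passes.
run_demo() {
    tmp=$(mktemp -d)
    weak_pbuilderrc > "$tmp/weak"
    hardened_pbuilderrc > "$tmp/hardened"
    if audit_pbuilderrc "$tmp/weak"; then weak=0; else weak=1; fi
    if audit_pbuilderrc "$tmp/hardened"; then hard=0; else hard=1; fi
    rm -rf "$tmp"
    echo "weak=$weak hardened=$hard"
    [ "$weak" -eq 1 ] && [ "$hard" -eq 0 ]
}
```

Run `run_demo` to see the findings printed for the weak file; on a real system point `audit_pbuilderrc` at /etc/pbuilderrc or ~/.pbuilderrc.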