[Secure-testing-team] Bug#778878: apt (and /etc/cron.daily/apt as well) don't notify about failed package updates

Christoph Anton Mitterer calestyo at scientia.net
Sat Feb 21 00:37:57 UTC 2015


Package: apt
Version: 1.0.9.6
Severity: important
Tags: security


Hi Davit (et all).

Just at the same time as we're having a similar discussion about this
with the security team, I got hit by it again in another manner.


As we now all know, apt unfortunately doesn't tell people (adequately)
when updating the package lists has failed, e.g.:
# apt-get update
Hit http://debian.mirror.lrz.de stable Release.gpg
Err http://security.debian.o stable/updates Release.gpg               
  Could not resolve 'security.debian.o'
Err http://security.debin.o stable/updates Release.gpg                
  Could not resolve 'security.debin.o'
Hit http://debian.mirror.lrz.de stable-updates Release.gpg
Err http://debian.mirror.lrz.d oldstable Release.gpg
  Could not resolve 'debian.mirror.lrz.d'
Err http://debian.mirror.lrz.d stable Release.gpg
  Could not resolve 'debian.mirror.lrz.d'
Err http://debian.mirror.lrz.d stable-updates Release.gpg
  Could not resolve 'debian.mirror.lrz.d'
Hit http://debian.mirror.lrz.de stable Release
Hit http://debian.mirror.lrz.de stable-updates Release
Hit http://debian.mirror.lrz.de stable/main Sources
Hit http://debian.mirror.lrz.de stable/contrib Sources
Hit http://debian.mirror.lrz.de stable/non-free Sources
Hit http://debian.mirror.lrz.de stable-updates/main Sources
Hit http://debian.mirror.lrz.de stable-updates/contrib Sources
Hit http://debian.mirror.lrz.de stable-updates/non-free Sources
Reading package lists... Done              
W: Failed to fetch http://debian.mirror.lrz.d/debian/dists/oldstable/Release.gpg  Could not resolve 'debian.mirror.lrz.d'

W: Failed to fetch http://debian.mirror.lrz.d/debian/dists/stable/Release.gpg  Could not resolve 'debian.mirror.lrz.d'

W: Failed to fetch http://debian.mirror.lrz.d/debian/dists/stable-updates/Release.gpg  Could not resolve 'debian.mirror.lrz.d'

W: Failed to fetch http://security.debian.o/debian-security/dists/stable/updates/Release.gpg  Could not resolve 'security.debian.o'

W: Failed to fetch http://security.debin.o/debian-security/dists/stable/updates/Release.gpg  Could not resolve 'security.debin.o'

W: Some index files failed to download. They have been ignored, or old ones used instead.
# echo $?
0



1) I've already expressed my concerns before, that a warning and exit=0
isn't enough here.
People may depend on the package lists being up-to-date, for example for
unattended upgrades or for checking for upgradable packages via Nagios
(check_apt) and friends.
An attacker can of course rather easily just block these downloads,
thus if this doesn't get properly noted, he can easily prevent any further
upgrades from being installed (with automated unattended upgrades) or
prevent people from even noticing that upgrades are available.

So the first issue here is that apt is too silent about this.


2) The second problem is IMHO specifically in /etc/cron.daily/apt
and would even persist when (1) is solved.
That script is in principle really nice as it gives one quite powerful
means to automatically handle some things (updating package lists, etc.).
But a big problem is that it basically fails silently in all cases of
problems.
VERBOSE mode is of course not really a solution as this would give
*always* warnings via cron.

So the second issue is that /etc/cron.daily/apt never tells people
when anything didn't work (e.g. updates, upgrades, or whatever).
So one never has a chance to notice this, and never a chance to fix it.
In some cases of what it's intended to do (i.e. package list updates or
upgrades) this may very easily have security implications (e.g. in
combination with blocking attacks).
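As an illustration of both issues above (apt exiting 0 despite failed index
fetches, and the cron job staying silent), here is an added example of a
defensive wrapper a sysadmin could put around "apt-get update" until apt itself
reports failures. It is not part of the bug report or of the apt package: it
scans apt's output for "Err" and "W: Failed to fetch" lines, stays quiet when
everything was fetched, and prints the failures to stderr with a non-zero exit
status otherwise, so a cron run mails the admin only when something went wrong.
The sample output embedded below is constructed (modelled on the transcript
above) and the APT_GET variable is an assumption used only to substitute a
fake command when testing the wrapper.

```shell
#!/bin/sh
# Constructed sample of "apt-get update" output with two failed fetches
# (modelled on the transcript in the report; not real captured output).
SAMPLE_FAILED=$(cat <<'EOF'
Hit http://debian.mirror.lrz.de stable Release.gpg
Err http://security.debian.o stable/updates Release.gpg
  Could not resolve 'security.debian.o'
Hit http://debian.mirror.lrz.de stable Release
Reading package lists... Done
W: Failed to fetch http://security.debian.o/debian-security/dists/stable/updates/Release.gpg  Could not resolve 'security.debian.o'
W: Some index files failed to download. They have been ignored, or old ones used instead.
EOF
)

# Constructed sample of a fully successful run.
SAMPLE_OK=$(cat <<'EOF'
Hit http://debian.mirror.lrz.de stable Release.gpg
Hit http://debian.mirror.lrz.de stable Release
Reading package lists... Done
EOF
)

# count_fetch_failures: reads apt output on stdin and prints the number of
# failed fetches. Both the "Err ..." / "Err:N ..." progress lines and the
# "W: Failed to fetch ..." summary lines count; the generic "W: Some index
# files failed" line is deliberately not matched (it is only a summary).
# grep -c exits 1 when nothing matched, which is the healthy case, so that
# status is masked.
count_fetch_failures() {
    grep -c -E '^(Err[: ]|W: Failed to fetch)' || true
}

# apt_output_ok: succeeds (exit 0) only if the apt output on stdin shows
# no failed fetches.
apt_output_ok() {
    [ "$(count_fetch_failures)" -eq 0 ]
}

# checked_apt_update: runs "apt-get update", silent on success, and on any
# failure (non-zero apt exit OR failed fetches hidden behind exit 0) prints
# the offending lines to stderr and returns 1 so cron mails the admin.
# APT_GET is an assumed override hook, defaulting to the real binary.
checked_apt_update() {
    apt_cmd="${APT_GET:-apt-get}"
    rc=0
    output=$("$apt_cmd" update 2>&1) || rc=$?
    if [ "$rc" -ne 0 ] || ! printf '%s\n' "$output" | apt_output_ok; then
        printf 'apt-get update did not complete cleanly (exit %s); failures:\n' "$rc" >&2
        printf '%s\n' "$output" | grep -E '^(Err[: ]|W: )' >&2
        return 1
    fi
    return 0
}

# Stand-alone use: run the wrapper, e.g. from a cron job instead of a bare
# "apt-get update" (only executed when this file is run directly).
if [ "${0##*/}" = "checked-apt-update.sh" ]; then
    checked_apt_update
fi
```

Cron only sends mail when a job produces output, which is exactly why a
silent failure in /etc/cron.daily/apt goes unnoticed; the wrapper inverts
that by producing output solely on failure. The regular expression is
deliberately narrow so that ordinary "Hit"/"Get" progress lines and the
"Reading package lists" status never trigger a false alarm.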


Best wishes,
Chris.