[Secure-testing-team] Bug#774838: weboob: insecure keyring handling
Cyril Brulebois
kibi at debian.org
Thu Jan 8 10:11:33 UTC 2015
Package: weboob
Version: 1.0-2
Severity: grave
Tags: security
Justification: security hole
Hi,
the keyring handling when adding a remote repository is… scary. Quoting
weboob/core/repositories.py:
|         if not keyring.exists() or self.key_update > keyring.version:
|             # This is a remote repository, download file
|             try:
|                 keyring_data = browser.open(posixpath.join(self.url, self.KEYRING)).content
|                 sig_data = browser.open(posixpath.join(self.url, self.KEYRING + '.sig')).content
|             except BrowserHTTPError as e:
|                 raise RepositoryUnavailable(unicode(e))
|             if keyring.exists():
|                 if not keyring.is_valid(keyring_data, sig_data):
|                     raise InvalidSignature('the keyring itself')
|                 print('The keyring was updated (and validated by the previous one).')
|             else:
|                 print('First time saving the keyring, blindly accepted.')
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
                  !!!
|             keyring.save(keyring_data, self.key_update)
|             print(keyring)
I would expect the Debian packages to contain some kind of trust chain
to bootstrap the keyring handling, and weboob to abort instead of
“blindly accepting” in other cases.
Mraw,
KiBi.
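The fix the report asks for, as an added example that is not weboob's own code: a first-time keyring install is accepted only when it matches a trust anchor shipped inside the distribution package (here a pinned SHA-256 fingerprint, `pinned_sha256`), and the code aborts when no anchor is available instead of accepting blindly. Later updates are still validated by the previously installed keyring, as in the quoted code. The `Keyring` class, `install_keyring`, the HMAC-based `toy_verify`/`toy_sign` stand-ins for the GPG signature check, and the in-memory `remote` dict replacing `browser.open` are all assumptions of this example, not weboob's API.

```python
"""Added example (not weboob's code): bootstrap a downloaded keyring from a
packaged trust anchor instead of blindly accepting it on first use."""
import hashlib
import hmac
from typing import Callable, Dict, Optional


class TrustError(Exception):
    """Raised when a keyring cannot be authenticated; the caller must abort."""


class Keyring:
    """Minimal stand-in for weboob's Keyring: bytes plus a version number."""

    def __init__(self, data: Optional[bytes] = None, version: int = 0):
        self.data = data
        self.version = version

    def exists(self) -> bool:
        return self.data is not None

    def save(self, data: bytes, version: int) -> None:
        self.data, self.version = data, version


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Stand-ins for the GPG signature check (hypothetical): the previously
# installed keyring's bytes act as the key that authenticates the next one.
def toy_sign(old_keyring: bytes, new_data: bytes) -> bytes:
    return hmac.new(old_keyring, new_data, hashlib.sha256).digest()


def toy_verify(old_keyring: bytes, new_data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(toy_sign(old_keyring, new_data), sig)


def install_keyring(keyring: Keyring, remote: Dict[str, bytes], key_update: int,
                    pinned_sha256: Optional[str],
                    verify: Callable[[bytes, bytes, bytes], bool] = toy_verify) -> str:
    """Fetch keyring + signature from the constructed `remote` mapping and install it.

    First-time install: accepted only if its SHA-256 equals `pinned_sha256`,
    a fingerprint assumed to ship in the Debian package. No anchor -> abort.
    Update: accepted only if the signature validates under the old keyring.
    """
    if keyring.exists() and key_update <= keyring.version:
        return "up to date"
    try:
        keyring_data = remote["keyring.gpg"]        # constructed path names
        sig_data = remote["keyring.gpg.sig"]
    except KeyError as e:
        raise TrustError(f"repository unavailable: missing {e}")
    if keyring.exists():
        if not verify(keyring.data, keyring_data, sig_data):
            raise TrustError("the keyring itself")
        outcome = "updated (validated by the previous keyring)"
    else:
        if pinned_sha256 is None:
            raise TrustError("no packaged trust anchor; refusing first-use accept")
        if not hmac.compare_digest(sha256_hex(keyring_data), pinned_sha256):
            raise TrustError("downloaded keyring does not match packaged fingerprint")
        outcome = "installed (matched packaged fingerprint)"
    keyring.save(keyring_data, key_update)
    return outcome


def attempt(keyring: Keyring, remote: Dict[str, bytes], key_update: int,
            pinned_sha256: Optional[str]) -> str:
    """Convenience wrapper that turns an abort into a 'rejected: ...' string."""
    try:
        return install_keyring(keyring, remote, key_update, pinned_sha256)
    except TrustError as e:
        return f"rejected: {e}"


# Constructed sample data standing in for two successive remote keyrings.
KEYRING_V1 = b"-----BEGIN PGP PUBLIC KEY BLOCK----- v1 (constructed)"
KEYRING_V2 = b"-----BEGIN PGP PUBLIC KEY BLOCK----- v2 (constructed)"
REMOTE_V1 = {"keyring.gpg": KEYRING_V1, "keyring.gpg.sig": b"unused on first install"}
REMOTE_V2 = {"keyring.gpg": KEYRING_V2, "keyring.gpg.sig": toy_sign(KEYRING_V1, KEYRING_V2)}
REMOTE_V2_BAD = {"keyring.gpg": KEYRING_V2, "keyring.gpg.sig": b"\x00" * 32}
PINNED_V1 = sha256_hex(KEYRING_V1)

if __name__ == "__main__":
    kr = Keyring()
    print(attempt(kr, REMOTE_V1, 1, None))          # rejected: no anchor
    print(attempt(kr, REMOTE_V1, 1, PINNED_V1))     # installed
    print(attempt(kr, REMOTE_V2_BAD, 2, PINNED_V1)) # rejected: the keyring itself
    print(attempt(kr, REMOTE_V2, 2, PINNED_V1))     # updated
```

The pinned fingerprint is the package's responsibility: because it arrives through the distribution's own signed archive, the first remote download is checked against something the user already trusts, which is the missing trust chain the report describes.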