Apt vulnerability sparks Debian security discussion

By Jake Edge
June 18, 2014

Downloading packages from a distribution's repositories is generally considered to be a safe operation—packages are (or at least should be) signed and those signatures are verified before installation. Debian's Apt package manager has used cryptographic signatures to verify the authenticity of packages for more than ten years. So it was a rather large surprise to see a late May report that Apt doesn't require valid signatures for source packages.

Jakub Wilk found the bug when testing repositories with packages that didn't have any signatures. By using a proxy that returned 404 "not found" errors for any requests targeting Release.gpg or InRelease files (which hold the signatures), he found that installing or downloading binary packages failed (as expected). But he also found that downloading or unpacking a source package worked, as did building a binary package from the downloaded source package. That is clearly a flaw that a man in the middle (MITM) could exploit to put compromised source files onto Debian systems.

It is a difficult vulnerability to exploit, perhaps, and would require user assistance (i.e. building the package) to activate a malicious payload, but it certainly runs afoul of reasonable expectations. One can also imagine targeted attacks using the vulnerability that could be far more destructive. Worse yet, though, is that the normal methods for rebuilding the Debian archive (e.g. for a new architecture) would not detect this kind of tampering, as Thorsten Glaser pointed out. Those methods assume that apt-get source pkg always verifies the signature.

The problem in Apt was fixed quickly. The function that handles source packages simply needed to call the IsTrusted() method to verify the signature. In addition, a test case was added to catch this if the bug ever reappears. The bug was then closed by Michael Vogt on June 10, only to be reopened by Christoph Anton Mitterer two days later.

Although there was mention of contacting the security team in the bug, that evidently never happened. So one of the reasons that Mitterer reopened the issue was to ensure that a CVE got assigned and that a Debian Security Advisory (DSA) was issued. As he put it: "So IMHO this bug definitely deserves a CVE and a DSA,... so that people are informed that [their] systems might have been compromised (i.e. if an attacker tricked them into using forged sources)". A CVE was duly assigned (CVE-2014-0478) and DSA-2958-1 was issued.

But there are a number of larger issues here. Mitterer outlines some of them in his lengthy bug-reopening message. He is concerned that various pieces of Debian infrastructure are insufficiently secure against (mostly) MITM attacks. For example, Apt will work with unsigned repositories, which is seen as a feature by some. As David Kalnischkies said: "The 'problem; is that apt supports unsigned repositories as too many people would bitch too much if it would require a signature – it used to work before apt 0.6, it has to work forever, man – FOR EVER!" Glaser's description of the potential MITM problems with sbuild and cowbuilder also factor in. Beyond those, Mitterer wondered about the security verification in packages that download code from elsewhere (e.g. Tor browser or Flash plugin) and other Debian tools that grab code to be built or to create new systems (e.g. debootstrap).

But there is more to improving the security of Debian (or any project, for that matter) than just compiling lists of problem areas. As security team member Thijs Kinkhorst pointed out in a post to the debian-devel mailing list—where parts of the discussion moved—finding some piece of the problem to work on may be a better approach:

You raise a lot of broad concerns under the header "holes in secure apt" which I'm afraid does not [do] much to get us closer to a more secure Debian. Not many people will object that making Debian even more secure is a bad idea; it just needs concrete action, not a large list of potential areas to work on.

I suggest that you focus on one of those aspects of your email and take some concrete action to get it addressed.

Kalnischkies had a similar comment:

What is really sad is that many people keep talking about how much more secure everything should be but don't do the smallest bit of work to make it happen or even do a basic level of research themselves.

So instead of answering all your questions, I will instead leave them unanswered and say: Go on and check for yourself! You shouldn't trust a random guy like me anyway and if that leads to even one person contributing to apt (or the security team or anything else really) in this area, we have a phenomenal massive increase in manpower … (for apt in the 50% ballpark!)

But there certainly is value in collecting up problem areas and trying to figure what the "proper" solution should be, Mitterer argued. Because many of the solutions would require fairly major changes to how things are done and what types of behavior are allowed—policy decisions, essentially—they are not things that Mitterer (or any single developer) can directly address without involving others.

It's clear that there are some holes in Debian's packaging infrastructure. Beyond the bug that Wilk just found, he also encountered a bug that was reported over a year ago regarding the hash checking done for source packages. It turns out that Apt only checks the MD5 hash, even if there are SHA1 or SHA256 hashes available for the package. That seems rather sloppy, even though it may be hard or impossible to exploit—as Kalnischkies put it: "If you happen to have a same-size preimage attack on MD5 I would be interested to hear about it."

Mitterer is trying to raise the profile of these problems—with many lengthy replies throughout the bug and mailing list threads—but there is little evidence that much progress has been made. Some of the problems may be less dangerous or harder to exploit than Mitterer makes them out to be, but they add up to something that should be a bit worrisome. The inertia of a long-running project may be working against some kind of concerted effort to address the problems, as "we've always done it that way" can sometimes be a powerful, if potentially problematic, argument. It will be interesting to see what, if any, attention these problems get over time—it may require someone to drive the process with more than just ideas and words.

Index entries for this article
Security	Distribution security

Apt vulnerability sparks Debian security discussion

Posted Jun 20, 2014 22:03 UTC (Fri) by jeroen (guest, #12372) [Link]

The inertia of a long-running project may be working against some kind of concerted effort to address the problems, as "we've always done it that way" can sometimes be a powerful, if potentially problematic, argument. It will be interesting to see what, if any, attention these problems get over time—it may require someone to drive the process with more than just ideas and words.

That is indeed what is required as far as I can see. I wouldn't classify the responses on debian-devel as "we've always done it that way", but more like "we know there are better ways, but we don't have the manpower to implement it, you are welcome to contribute".

Apt vulnerability sparks Debian security discussion

Posted Jun 21, 2014 18:18 UTC (Sat) by kleptog (subscriber, #1183) [Link]

I wonder is you could test this using some kind of fuzzing proxy. One that intercepts downloads and randomly alters some bytes to see if the build process detects it.

To making this testing at all feasible (as in finish in a reasonable timespan) you'd need to be able to suspend and clone groups of processes. Docker doesn't seem to have a clone/fork option yet.

Basically you'd start building a package and before each download you suspend the build, clone it, run it with a fuzzed download and see if the build aborts. If it does, restore and do it with the real file until the next download. Technically possible, but I'm not sure if all the necessary infrastructure is available now. You might be able to do it VMs, but I'm not sure if you have the necessary control.

Apt vulnerability sparks Debian security discussion

Posted Jul 3, 2014 5:27 UTC (Thu) by jgg (subscriber, #55211) [Link] (3 responses)

Somewhere along the line something got lost..

The source package download includes the .dsc file, which contains a GPG signatures of the uploading developer and more hashes. The dpkg-source is supposed to check all this, and certainly in an autobuilder context or something like that the default 'succeed if the key is not found' behaviour should be turned off.

Apt vulnerability sparks Debian security discussion

Posted Jul 9, 2014 19:29 UTC (Wed) by jwilk (subscriber, #63328) [Link] (2 responses)

Using .dsc signatures for automatic authentication of source packages wouldn't work well.

Not every .dsc in the Debian archive has a valid PGP signature. The package might have been signed years ago by a person who is no longer a DD, or who has migrated to a different key.

Conversely, valid PGP signature on .dsc does not imply that the package comes from the Debian archive. Perhaps the signature was made years ago by a person who wasn't even a DD back then, and the package was only uploaded to mentors.debian.net, but never to Debian proper. Perhaps this then-unexperienced person made a fatal packaging mistake, that'll cause your $HOME to be wiped upon build...

Apt vulnerability sparks Debian security discussion

Posted Jul 10, 2014 13:19 UTC (Thu) by mathstuf (subscriber, #69389) [Link] (1 responses)

I guess this is just a difference in structure, but why doesn't Debian have an official build system which signs packages (like Fedora)? Are equivalents of mock's build.log (log of the build/install with all commands run) and root.log (log of what is installed for the build) available for Debian packages? It makes sense to me to require source modifications to use DD keys, but to me, binaries should be vetted by Debian (otherwise a DD should use a different key for any personal packages they may like to sign).

Apt vulnerability sparks Debian security discussion

Posted Jul 11, 2014 17:06 UTC (Fri) by cortana (subscriber, #24596) [Link]

(AFAIK) It works like this:

1. Developer builds a package (dpkg-buildpackage). This results in an ${arch}.changes file, signed by the developer's key. This file is an index, with metadata about the package, including a list of files that comprise the source package and the binary packages (.debs), and their corresponding hashes.

2. Developer runs dput on the .changes file, which uploads the file, along with the files referenced with in it, to the Debian archive. Archive processing software checks the hashes of the uploaded files against the .changes file, and the signature of the .changes file against the Debian keyring.

3. Assuming the hash/signature checks passed, the source/binary package files are installed into the archive. The hashes of the source and binary package files are recorded in the Sources and Packages files, which are themselves signed by the Debian archive key.

What has now been uploaded is a source package + the binaries for a build of that package on a particular architecture.

4. The build daemons now build the source package for the architectures that the developer didn't originally build the package for. (e.g., if the developer uploads source+amd64 binaries, i386/arm/ppc etc binaries are now built).

5. These binary-only builds are signed by the build daemon's keys and installed into the archive. The hashes of the binary files are recorded in the Packages file, which is signed by the Debian archive key.

This does mean that for any source package, one of the builds for the n architectures supported by debian will have been done on a local developer's machine. There are various tools that can be used to mitigate the likelihood that this local build will have been done in a non-clean environment (e.g., pbuilder), but nothing forces a developer to use them.

At present Debian does not at this time accept source-only uploads. There have been proposals to allow this, but this lets lazy developers waste project resources by uploading packages that they are not sure are able to be built. It has been suggested that instead, the binaries uploaded in stage 2 should be thrown away, and that the buildds should build the package for all architectures. This sounds like a good idea to me, I think it's just that no one has gotten around to it yet.

Apt vulnerability sparks Debian security discussion

Posted Jul 6, 2014 1:12 UTC (Sun) by toyotabedzrock (guest, #88005) [Link]

If you want people to change to more secure systems spend some time and make it stupid simple. Make it easy for people creating packages to sign them in an automated way. It has to be stupidly simple and well documented. Pretend a windows user is going to be using it.

Apt vulnerability sparks Debian security discussion

Posted Jul 9, 2014 12:18 UTC (Wed) by tomgj (guest, #50537) [Link]

The article states that Debian has signed packages, but that is not quite the case. Debian has signed repositories. The signature applies to a whole repository via the release and index files. This leads to a user-visible signature trail with rather different characteristics from the case where each package is signed.

An example of a system with per-package signing is Fedora.

As a side note it is a shame that a signature is contained in a file called Release.gpg. The protocol used for the signing is OpenPGP. gpg refers to a particular implementation. While that may be the implementation currently used by Debian to create the signature, this implementation detail shouldn't have leaked into the public filename, which is a public interface.