[xen-tools-discuss] Bug#776487: Security concerns with calling "apt-get --force-yes"
Axel Beckert
abe at deuxchevaux.org
Wed Jan 28 16:56:42 CET 2015
Package: xen-tools
Version: 0.4-1
Severity: important
Tags: security
Control: retitle -1 xen-tools: Security concerns with calling "apt-get --force-yes"
Control: submitter -1 Sebastian Pipping <sebastian at pipping.org>
Hi,
On Wed, Jan 28, 2015 at 02:31:51PM +0100, Axel Beckert wrote:
> On Wed, Jan 28, 2015 at 11:57:43AM +0100, Sebastian Pipping wrote:
> > If I am not mistaken, --force-yes makes apt-get ignore GPG verification
> > errors which may lead to installation of malicious Debian packages in a
> > man-in-the-middle scenario.
>
> It's currently not clear to me if it would indeed do this.
Given any of these two command calls in xen-tools' code:
bin/xen-update-image: "DEBIAN_FRONTEND=noninteractive chroot $tmp /usr/bin/apt-get upgrade --yes --force-yes"
hooks/common.sh: DEBIAN_FRONTEND=noninteractive chroot ${prefix} /usr/bin/apt-get --yes --force-yes install "$@"
The question is: Would they install unauthenticated packages, as may
happen with e.g. a man-in-the-middle attack?
Looking at apt-private/private-download.cc of apt 1.0.96, lines 34 ff.:
34 bool AuthPrompt(std::string UntrustedList, bool const PromptUser)
35 {
36    ShowList(c2out,_("WARNING: The following packages cannot be authenticated!"),UntrustedList,"");
37
38    if (_config->FindB("APT::Get::AllowUnauthenticated",false) == true)
39    {
40       c2out << _("Authentication warning overridden.\n");
41       return true;
42    }
43
44    if (PromptUser == false)
45       return _error->Error(_("Some packages could not be authenticated"));
46
47    if (_config->FindI("quiet",0) < 2
48        && _config->FindB("APT::Get::Assume-Yes",false) == false)
49    {
50       c2out << _("Install these packages without verification?") << std::flush;
51       if (!YnPrompt(false))
52          return _error->Error(_("Some packages could not be authenticated"));
53
54       return true;
55    }
56    else if (_config->FindB("APT::Get::Force-Yes",false) == true)
57       return true;
58
59    return _error->Error(_("There are problems and -y was used without --force-yes"));
60 }
Let's say APT::Get::AllowUnauthenticated is not set. There are two paths to get there:
cmdline/apt-get.cc:860: if (UntrustedList != "" && !AuthPrompt(UntrustedList, false))
With PromptUser set to false (as in apt-get.cc), we're safe as far as I can see.
apt-private/private-download.cc:21:bool CheckAuth(pkgAcquire& Fetcher, bool const PromptUser)
apt-private/private-download.cc:22:{
apt-private/private-install.cc:[...]:
apt-private/private-install.cc:263: if (!CheckAuth(Fetcher, true))
apt-private/private-install.cc:264: return false;
With PromptUser set to true, we need to dig further. From
apt-private/private-install.cc:
205    // Fail safe check
206    if (_config->FindI("quiet",0) >= 2 ||
207        _config->FindB("APT::Get::Assume-Yes",false) == true)
208    {
209       if (Fail == true && _config->FindB("APT::Get::Force-Yes",false) == false)
210          return _error->Error(_("There are problems and -y was used without --force-yes"));
211    }
[...]
263 if (!CheckAuth(Fetcher, true))
264 return false;
The first Force-Yes check continues with --force-yes. CheckAuth will
call AuthPrompt. Since we don't use "quiet", it will go into the
"else" clause in line 56 in the code listing on top of this mail. And
then it will indeed pass if Force-Yes is set.
So there is indeed an issue there. I do, though, have to figure out if
installing old releases from archive.debian.org still works (reasoning
see [0]) before I can propose a patch. According to the original
author, Steve Kemp, this kind of issue will reoccur [1] if --force-yes
is removed from the aforementioned calls.
[0] http://xen-tools.org/pipermail/xen-tools-discuss/2015-January/001086.html
[1] http://xen-tools.org/pipermail/xen-tools-discuss/2015-January/001090.html
See [2] for why this issue is reported as present in 0.4-1.
[2] http://xen-tools.org/pipermail/xen-tools-discuss/2015-January/001088.html
Kind regards, Axel
--
/~\ Plain Text Ribbon Campaign | Axel Beckert
\ / Say No to HTML in E-Mail and News | abe at deuxchevaux.org (Mail)
X See http://www.nonhtmlmail.org/campaign.html | abe at noone.org (Mail+Jabber)
/ \ I love long mails: http://email.is-not-s.ms/ | http://abe.noone.org/ (Web)
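The decision logic of AuthPrompt() from the apt 1.0.96 listing above, rewritten as a small model so the two call paths (apt-get.cc with PromptUser=false, private-install.cc with PromptUser=true) and the effect of --yes --force-yes can be checked side by side. This is an added illustration, not apt's or xen-tools' code; the interactive YnPrompt() is replaced by a user_answers_yes parameter, and the fail-safe check at private-install.cc:205 is not modelled.

```python
# Model of AuthPrompt() (apt-private/private-download.cc 1.0.96, lines 34-60).
# Added for illustration only; it reproduces the decision logic, not apt itself.
from dataclasses import dataclass


@dataclass
class AptConfig:
    allow_unauthenticated: bool = False  # APT::Get::AllowUnauthenticated
    assume_yes: bool = False             # APT::Get::Assume-Yes  (--yes / -y)
    force_yes: bool = False              # APT::Get::Force-Yes   (--force-yes)
    quiet: int = 0                       # -q level ("quiet")


def auth_prompt(cfg, prompt_user, user_answers_yes=False):
    """True if apt would go on and install the unauthenticated packages."""
    if cfg.allow_unauthenticated:          # line 38: warning overridden
        return True
    if not prompt_user:                    # line 44: apt-get.cc:860 path, always refuses
        return False
    if cfg.quiet < 2 and not cfg.assume_yes:
        return user_answers_yes            # lines 47-55: interactive YnPrompt()
    if cfg.force_yes:                      # line 56: the --force-yes bypass
        return True
    return False                           # line 59: "-y was used without --force-yes"


def bypassing_flag_sets(prompt_user=True):
    """Enumerate non-interactive (-q>=2 or -y) flag combinations that make
    AuthPrompt() accept unauthenticated packages without anyone answering."""
    found = []
    for quiet in (0, 2):
        for assume_yes in (False, True):
            for force_yes in (False, True):
                cfg = AptConfig(assume_yes=assume_yes, force_yes=force_yes, quiet=quiet)
                if auth_prompt(cfg, prompt_user):   # user_answers_yes stays False
                    found.append((quiet, assume_yes, force_yes))
    return found


if __name__ == "__main__":
    # The xen-tools invocations: --yes --force-yes through the PromptUser=true path.
    xen_tools = AptConfig(assume_yes=True, force_yes=True)
    print("hooks/common.sh path installs unauthenticated:", auth_prompt(xen_tools, True))
    print("apt-get.cc:860 path installs unauthenticated:", auth_prompt(xen_tools, False))
    print("bypassing flag sets (quiet, -y, --force-yes):", bypassing_flag_sets())
```

Every combination the enumeration reports has force_yes set, which is the point of the analysis: without --force-yes the non-interactive paths fail closed.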