
Bug#863317: apt: susceptible to replay attacks



On Thu, May 25, 2017 at 01:30:13PM +0200, Jakub Wilk wrote:
> Package: apt
> Version: 1.0.9.8.4
> Tags: security
> 
> Nearly a decade ago, Valid-Until fields were added to Release files (bug
> #499897). The primary motivation for this was to prevent a
> man-in-the-middle adversary from serving an outdated copy of the security
> mirror.
> 
> Unfortunately, this protection is ineffective. All the attacker needs to do
> to hide security updates is to replace all the files from
> http://security.debian.org/dists/$DIST/updates/ with the ones from
> http://deb.debian.org/debian/dists/$DIST/ .

That's easily fixable by enabling key pinning for the security repository, see
https://wiki.debian.org/DebianRepository/Format?action=show&redirect=RepositoryFormat#Signed-By
(and sources.list(5)).

Note that you have to pin both the master and the subkeys (actually
only the latter), as APT only checks the concrete key fingerprints
(at some point it might check the master key too).

If you want a more generic thing, you could add some kind of UUID to
Release files that must not change for a given repository. But that's
really just less safe than using key pinning.

Key pinning is supported since APT 1.3, so I'd say the bug is solved
from our side (apart from the subkey/master key issue perhaps).

-- 
Debian Developer - deb.li/jak | jak-linux.org - free software dev
                  |  Ubuntu Core Developer |
When replying, only quote what is necessary, and write each reply
directly below the part(s) it pertains to ('inline').  Thank you.
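
An added example, not part of the original message or of APT: a small audit that reads one-line-style sources.list(5) entries and reports which ones carry the signed-by pin the reply recommends. The sample entries, the keyring path and the all-zero fingerprint are constructed placeholders.

```python
import re

# Constructed sample in sources.list(5) one-line style. The keyring path and the
# all-zero fingerprint are placeholders, not values from the original message.
SAMPLE = """\
# main archive, unpinned: any key APT trusts may sign it
deb http://deb.debian.org/debian stretch main
# security archive, unpinned: the case the bug report describes
deb http://security.debian.org/ stretch/updates main
# security archive pinned to a keyring file
deb [signed-by=/usr/share/keyrings/example-security.gpg] http://security.debian.org/ stretch/updates main
# security archive pinned to a fingerprint, next to another option
deb [arch=amd64 signed-by=0000000000000000000000000000000000000000] http://security.debian.org/ stretch/updates main
"""

ENTRY = re.compile(r"^(deb|deb-src)\s+(?:\[([^\]]*)\]\s+)?(\S+)\s+(\S+)")
FINGERPRINT = re.compile(r"^[0-9A-Fa-f]{40}$")


def parse_entries(text):
    """Yield (uri, suite, signed_by_values) for each active one-line entry."""
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # comment, blank line, or not one-line style
        options = dict(
            opt.split("=", 1) for opt in (m.group(2) or "").split() if "=" in opt
        )
        pins = [v for v in options.get("signed-by", "").split(",") if v]
        yield m.group(3), m.group(4), pins


def audit(text):
    """Return (uri, suite, status); status is unpinned, keyring, fingerprint or invalid."""
    findings = []
    for uri, suite, pins in parse_entries(text):
        if not pins:
            status = "unpinned"
        elif all(p.startswith("/") for p in pins):
            status = "keyring"
        elif all(FINGERPRINT.match(p) or p.startswith("/") for p in pins):
            status = "fingerprint"
        else:
            status = "invalid"
        findings.append((uri, suite, status))
    return findings


if __name__ == "__main__":
    for uri, suite, status in audit(SAMPLE):
        print(f"{status:12} {uri} {suite}")
```

The script only checks that a pin is present and well-formed; whether the pinned key is the right one for the repository still has to be verified out of band.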

