From f87338d2da95ba7d55a1a67b4506717e94d49bca Mon Sep 17 00:00:00 2001 From: David Kalnischkies Date: Sat, 30 Nov 2013 23:07:20 +0100 Subject: [PATCH] cherry-pick ubuntus (disabled) net-update fixes MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit With the net-update command a special keyring can be downloaded and imported into apt, which must be signed by a master key. Its is currently disabled because of security problems with it – and the only known user before that was Ubuntu. --- cmdline/apt-key | 44 +++++--- .../exploid-keyring-with-dupe-keys.pub | Bin 0 -> 3986 bytes .../exploid-keyring-with-dupe-subkeys.pub | Bin 0 -> 2016 bytes test/integration/test-apt-key-net-update | 95 ++++++++++++++++++ 4 files changed, 126 insertions(+), 13 deletions(-) create mode 100644 test/integration/exploid-keyring-with-dupe-keys.pub create mode 100644 test/integration/exploid-keyring-with-dupe-subkeys.pub create mode 100755 test/integration/test-apt-key-net-update diff --git a/cmdline/apt-key b/cmdline/apt-key index 713a41c07..64cf5a6f4 100755 --- a/cmdline/apt-key +++ b/cmdline/apt-key @@ -25,17 +25,15 @@ GPG_CMD="$GPG_CMD --no-auto-check-trustdb --trust-model always" GPG="$GPG_CMD" -MASTER_KEYRING="" -#MASTER_KEYRING=/usr/share/keyrings/debian-master-keyring.gpg +MASTER_KEYRING='' eval $(apt-config shell MASTER_KEYRING APT::Key::MasterKeyring) -ARCHIVE_KEYRING_URI="" -#ARCHIVE_KEYRING_URI=http://ftp.debian.org/debian/debian-archive-keyring.gpg -eval $(apt-config shell ARCHIVE_KEYRING_URI APT::Key::ArchiveKeyringURI) - -ARCHIVE_KEYRING=/usr/share/keyrings/debian-archive-keyring.gpg +ARCHIVE_KEYRING='/usr/share/keyrings/debian-archive-keyring.gpg' eval $(apt-config shell ARCHIVE_KEYRING APT::Key::ArchiveKeyring) -REMOVED_KEYS=/usr/share/keyrings/debian-archive-removed-keys.gpg +REMOVED_KEYS='/usr/share/keyrings/debian-archive-removed-keys.gpg' eval $(apt-config shell REMOVED_KEYS APT::Key::RemovedKeys) +ARCHIVE_KEYRING_URI='' +eval $(apt-config shell ARCHIVE_KEYRING_URI APT::Key::ArchiveKeyringURI) +TMP_KEYRING=/var/lib/apt/keyrings/maybe-import-keyring.gpg requires_root() { if [ "$(id -u)" -ne 0 ]; then @@ -57,7 +55,7 @@ init_keyring() { add_keys_with_verify_against_master_keyring() { ADD_KEYRING=$1 MASTER=$2 - + if [ ! -f "$ADD_KEYRING" ]; then echo "ERROR: '$ADD_KEYRING' not found" return @@ -72,12 +70,28 @@ add_keys_with_verify_against_master_keyring() { # all keys that are exported must have a valid signature # from a key in the $distro-master-keyring add_keys=`$GPG_CMD --keyring $ADD_KEYRING --with-colons --list-keys | grep ^pub | cut -d: -f5` + all_add_keys=`$GPG_CMD --keyring $ADD_KEYRING --with-colons --list-keys | grep ^[ps]ub | cut -d: -f5` master_keys=`$GPG_CMD --keyring $MASTER --with-colons --list-keys | grep ^pub | cut -d: -f5` + + # ensure there are no colisions LP: #857472 + for all_add_key in $all_add_keys; do + for master_key in $master_keys; do + if [ "$all_add_key" = "$master_key" ]; then + echo >&2 "Keyid collision for '$all_add_key' detected, operation aborted" + return 1 + fi + done + done + for add_key in $add_keys; do - ADDED=0 + # export the add keyring one-by-one + rm -f $TMP_KEYRING + $GPG_CMD --keyring $ADD_KEYRING --output $TMP_KEYRING --export $add_key + # check if signed with the master key and only add in this case + ADDED=0 for master_key in $master_keys; do - if $GPG_CMD --keyring $ADD_KEYRING --list-sigs --with-colons $add_key | grep ^sig | cut -d: -f5 | grep -q $master_key; then - $GPG_CMD --quiet --batch --keyring $ADD_KEYRING --export $add_key | $GPG --import + if $GPG_CMD --keyring $MASTER --keyring $TMP_KEYRING --check-sigs --with-colons $add_key | grep '^sig:!:' | cut -d: -f5 | grep -q $master_key; then + $GPG --import $TMP_KEYRING ADDED=1 fi done @@ -85,12 +99,16 @@ add_keys_with_verify_against_master_keyring() { echo >&2 "Key '$add_key' not added. It is not signed with a master key" fi done + rm -f $TMP_KEYRING } # update the current archive signing keyring from a network URI # the archive-keyring keys needs to be signed with the master key # (otherwise it does not make sense from a security POV) net_update() { + # Disabled for now as code is insecure (LP: #1013639 (and 857472, 1013128)) + exit 1 + if [ -z "$ARCHIVE_KEYRING_URI" ]; then echo >&2 "ERROR: Your distribution is not supported in net-update as no uri for the archive-keyring is set" exit 1 @@ -110,7 +128,7 @@ net_update() { if [ -e $keyring ]; then old_mtime=$(stat -c %Y $keyring) fi - (cd /var/lib/apt/keyrings; wget -q -N $ARCHIVE_KEYRING_URI) + (cd /var/lib/apt/keyrings; wget --timeout=90 -q -N $ARCHIVE_KEYRING_URI) if [ ! -e $keyring ]; then return fi diff --git a/test/integration/exploid-keyring-with-dupe-keys.pub b/test/integration/exploid-keyring-with-dupe-keys.pub new file mode 100644 index 0000000000000000000000000000000000000000..642952a403cb33ab2e1a07aa7e98dd1c944f5927 GIT binary patch literal 3986 zcmai$WmHt{7J#Q{hK>OQgdqeGr9rwo1O!2l7#gIzrAq~bAtZ(oP-&!*k`x3<>6A_> z38@Qsy`SH&d;Yv@owe6__j>lT&)z9OG(^p-2Sp44pakg1CpP@gqJCM9rl5$+CJDat z@Q6;fJ&y6UsOnI8WXGl33k~&=3lvHOaBX1$8ZtVn{34G(^hPG8p>|TT$|-nJ7T&EX zaF!u>pvqvfV>XYHx^BVV3Hu0I<~;W3k^Z;*Bij|W+0k*sHSRkrC~J0eKUJ4ey>ar; zn+C?D0Ms0uklKZ@pnS;fwXDoJ3MTq#*bM?mc}RPBVzh%zyJ}d_o0coWmXyTBl*I(Cx#+yJa#%gMf3NFneFlYh267{a`XYIB7&f27tM!4V+#*F*E{t3H+}uRqsm4k2g}RJ-Avu=xo(PF9}*_NAF&8i2q`fLz=#35 zsvw94jERSXjRgi_l4FB#aPc4%ATSU_2Lw?D0&sDNqIEWtCm=S1+mirPjiDK_UFWM0 zb}0V|@l>>HN#fz<+vo!6Po5SU3G8vzc}CD$(Gujl%n}d)Tmyt&J3<5jEOf;*bSDhO z(u_@#cQ%ccLy2ZqdX&YpcNoh_kU!YCofYCdir^Ib%DHDr*703oOl@_JwN-)MunW>HUQ_7Vp{~}EiASpDKiw7Nil8_ElDYaCc zu1IM-WINHGufb8ajn-EOfHArwFi@LJ#Ft5C6x;TDF?!rV5W6%Yowxgq9H^^zDI7{!x zMw?oFu}I>x;Vb~RPNB1hB2^o%nQ3n`hc4iTU2JMe&DnSE2t^3&k~_{H z?)ZP>#Rma0jo6bxu(x!{QhmC+zm(E8+G?y^0BLye$HEkyN@S4moP5>n!R{{llgcZ+ z$WE?PC(fzf+8dfh=3%i5ImD;y z>pEKgtdYIiKdPO|?)UD^Znh-)M-%GQQ&FmVTglyv266$2fdF7R#g%2;zh&e8Bb$j> zL^XsI_}jM2Z2zBa2rV6_x{B97;C2u|V6%O{JK={P!TNAl1>^^5pK&55GUxi+KB*e1 z`O07PXMXL|aW7Aoqb88ziz&ad&f6x9zvhuY;qZoMEFiQJ?8BFoO1z`fpVw5rv@*`8 zWq7>MsbWB8hQH>mx8oFEknW+AW?nI+F<`v}X z|3Myj&Kc?$KxZM)NrERWOtKDZ4V$xI(7D!65t^azrKsb_w%Jp=+4e3jJX=;{!g$A8~=7 z0HFPR?7>wJ%kv59$u_0w10buwUX9SOi{g{puy!)~ipg+UU;H3K)o=pjs&Ml9by{B7srv2W}TBFuIVY`JhoMQ;o3%0#W zpNLE{F_MpU$q%WBOzbK?jsebJi}@0)=G}b@0Ju~$4a9`px#K=xWq$E-t*~MH0YfY& z(HlH6PZPmI1~#qcS?&yAFAp63Vys$4=nPvXRuENs{7x{stYM??KB* zKy4yFT^sioy*gB>ZQ(g9O$-H(&;EB>4zcEZjb8Ah(82+S(^1(Fy?0BNbYHEh9@K>< zd%*2Oz??%GP7BXS?L}i0`^MMP-SCEZ{Ip9=FN{*TCqyGD1fr(b@RY&z^IZ)RX2__{ z!?9RQO?%A^-O`vvrOl%!Cd99{b{{iD;p-|I>{wG!cwN)Gh6VdKtVkX38FBl336@^5 z%BWzZL-Y*~&wSF6vOW1#*Kcf$Kl|^yRjpVZrVSXpRxTZ46^x9J+KY<{mDi$bH=HQo z@DtWX(>0YkuDwVR*5-YW#dVz3f36hl5n6Me5Ik*B^o9qu5C8|zJ6Rre3j}>9Jpw;? zzvrRMxh7lXw{fA^&1r#HHMv$z;8L}5l}put5*dKvRO23}f+O9}6A~Ux4H2k{2J;r^ zXaB&#Tmm|+qkvo%7V|)CpTCq4`mKb}wGyJ&N{p-gi30**5+Q04W)+v*rLkdgnPScP1ps0wjyDnEGZbhCOygv3)}cA#zcX*Xo| z_?GJdNwri3Gu}x^fH>>j$G=hFTeu-?xi0_Q7JqSAh5QKu0`b2B#a(ip7c)QSstt4O zop_M%D{e5nP>G_W6g^y8*Eh_{VpN^RlaCmm^SkDtep!|4R6u}MSbC}|LXXB1rD=br zD81Vj)*fmsDLIRZvRpt)?pJTS0-3QY(Y&E&e*E7l{b;dE{D`myKNOqiR2g}fo7Vq} z&)-QYoB+i*)AwS%Qf}5eI3UIB-Q`-hNr*!z)M5)e(<25p51$?wYi43)o>G!tC6#iu zjd-sS0=7(7LErRF@9EflAs8$KDGUO&T)quVR8>TLARSb}H$n z&7T53bUgL#>o}<|us@Kn7RLk9EN&c2GpP8I_)-;)Ga@6GHcroFaJ>-ga0w>c$PJ zHozy$o;q!pkF9P-@>|xm78Vn_xbxF*;Ia(JO5sUHPcAAo*0Ad??HxZlwEw!43`a)Q zt#G{jZwHv#nOI#ehu6nd<$;3#OzJhl|2L^0R*Xz$-rqEhB*X?}0p2(^C{%$E?<*g& zr|$Qa2gkEd=r{-2V(0R2SB;f=BFx|MnVEMEV$vf)Q;Ewn3# zXiwS+aA;k=t8dimG}cdyDYukHoQuT4dCr|ktN%{YR#teF5%LM1PS~(m+V}uvJN0Ry zNbS!op@_YU%%7i%!4$6Pr2S{ql@J5`q}gU}>bny?aJfE(4GK$Xkt$L79%EQ?SdN<5 zHpuZ_r^fEHvX3?^xX>j1gU{cm){~;-O>K|Tu^suIlG5%6yBfSxBHu74tnOi*Gk2~{6}~!3F~eA_x%$%e z-u&Ctwn!@k#_=`VJ^e3xihMekF-QcwwcK{^L7+*O1qsNRhV zX_8JW^uc`F$QDxvs|GBvhK~vfKg{kviV%BUPEUsxix%fiiWBB!D>W7>6wOjJ2==(; zpVzIMbB9EqK1XQCHo6hPV)`wmL$Xn-?`4SM)YjXSeKIqON5|XK+oKu~?5+7Dgf{Cx=ik7*=zLH_vz$f2{Mw@g3 z=@S%ZTn5+<1OV?z21NJ~^mLRp0?^9l0agJP>Fp3{APBG<3i_E7qyQEY6A^}iK|%;& zkcg-l1PKBIK}tZ7Y$8BZL=xYxb|{i&4L7WY04icMFo9~+hjoFxNfS;U&%#-&S!+pQ z<;PQoMelf-&V{?GnJ1Jqv1AHV{!YPk;wM9X_V@U0U9t1pRP-vf zuZHw3V|5+sx+#Em##nwn1iMuUgYSrGaF4&5sw%EjXRzmxs!D_l&u6kPy3YRLoGKdj zg$&#Wk^B)|=x6lC#h>xSzNI8s?m2MMLspmsJYaOt2K;iH?$eaGyUnZEy!5@8vFi0m z8ETS*l=s2RUJu-Zp>X*8K2hNUA4F8Fm3YV}kvAbs&g@^)`&fCRVra*;(z*|BL?j`D zskE_hU+MXLZyM>+v(ZZZR~1ZiTCfDE$~#KY&SUlk&gSFVOs-%%A&O&?I%g;_7h11t z9WS;2@Sw`StK`uY%HGK0gAG+<4Mqmp{%8A5gCmHwGD!!I>Q^MjtrwD!TQxorY(bT3)^aa z8xq|iC$>4Ao1C&s;l??}Otd;8C8T7~k9!XX92iy6BT$!-3j?pJ|F5q$_V0aZB?zYo z+h#_?QAY-2-3CV`({_!E4o~=5TxIhEXF=eG{i!?Xdg4$k=5t%|#iG#d?_SE;lh-2L zIz-Nx75KbS3J>tqa@Hw`imzo@#%-y}FPU(iHmwmYOFR4ZrR1M-uTxqIJaWJK0dz`h z-%IlcU?Q*%<%z;eHXc$n97X)2lL=1N>TNQLtwB#tt6Xl@C2|nGG)I~i6_rMRV^kcS z5}fPXYjZ^wk%46!7%|}1Ivk@vEH^xWLUZ!nf;q3?EEt-(r|nENam+IQW^w`M?KR`` z4Tuo#<71oCVs?f$<$epORY*N}P0{Iw6=zO@5y6&LNYDJ{dY}I0gq2G%nslkBD7n%6 zZOmN~+Q2ppeudcnKXeDVi{p+bm=^4A%VZ?ZxuH47FzMr$uz9wugS2iB`MHfA_b6+cM<7x{)y{%9K?192l33mP#v+~m36|M69lpT5T<>l9Jh*}ubKPDW| z&fn^EruiEgAEvs!AUMzmc29usKqzAxM;c8o7Tvk6^zOoSU6p^)O)r7$`0;j;U!aQr z&ZFHR1aO1uD9Y->&Ufrgt7I!#ob_eh)C?KRVl@sWuJN=Us6RS&c%%jX-G3KqnrYNk z>JFTG9a$K=QTHU4QWg|j%j@ciDwE4|E{$Uzzezg%MRT05hvH5=GPRTF)IY%rRep^( z8Lmx%L7!!e^i%-+^-9C;P1D`V6T|+dsa2%m#5;h>V5iZtNB{u%<4yKHmvUR6Z!rHHYqn9JmlHbQp{mu(Y?TM1PG*UiiG2-U+-MRgKIxHa zkN{8I{whr2ThHW{t-MR_WvOV>O4ma3p3F?OZ~1-xI8|(yp9W3c5X98!b!Ajo8Q`k= zFvpus<`CB!`3rJIv8Mr_1)}5%WODYsHKbKgj;)x(W=lm*1i?JNzNSI`D}B(HqP>6J zyWZkTmbzTlbxPVvNZS4BNiL4&zqNStgP3EAMUGTewe<|tT4aq?E zeC5GH7d7jWv0A-Zn%+NO#%5Xp88;7Iw@n>pEGLw7< zP3km1d3_qpihz~OT#Oqx4T_PEylWv3X~$&6|1}^JR4ju{1#3L_c?{xz{FnwLJG0PX z0zEb5jfkqgQmvwCY~18sdIa6^cS5anx`e`{ z8}BWJYYU*K%-*WMo|B0maC(mfbaU|J+zeM>T%1>f18E? literal 0 HcmV?d00001 diff --git a/test/integration/test-apt-key-net-update b/test/integration/test-apt-key-net-update new file mode 100755 index 000000000..d5205836f --- /dev/null +++ b/test/integration/test-apt-key-net-update @@ -0,0 +1,95 @@ +#!/bin/sh +set -e + +TESTDIR=$(readlink -f $(dirname $0)) +. $TESTDIR/framework + +setupenvironment +configarchitecture "i386" + +# mock +requires_root() { + return 0 +} + +# extract net_update() and import it +func=$( sed -n -e '/^add_keys_with_verify_against_master_keyring/,/^}/p' ${BUILDDIRECTORY}/apt-key ) +eval "$func" + +mkdir -p ./etc/apt +TRUSTEDFILE=./etc/apt/trusted.gpg +mkdir -p ./var/lib/apt/keyrings +TMP_KEYRING=./var/lib/apt/keyrings/maybe-import-keyring.gpg +GPG_CMD="gpg --ignore-time-conflict --no-options --no-default-keyring" +GPG="$GPG_CMD --keyring $TRUSTEDFILE" +MASTER_KEYRING=/usr/share/keyrings/ubuntu-master-keyring.gpg + + +msgtest "add_keys_with_verify_against_master_keyring" +if [ ! -e $MASTER_KEYRING ]; then + echo -n "No $MASTER_KEYRING found" + msgskip + exit 0 +fi + +# test bad keyring and ensure its not added (LP: #857472) +ADD_KEYRING=./keys/exploid-keyring-with-dupe-keys.pub +if add_keys_with_verify_against_master_keyring $ADD_KEYRING $MASTER_KEYRING; then + msgfail +else + msgpass +fi + +# ensure the keyring is still empty +gpg_out=$($GPG --list-keys) +msgtest "Test if keyring is empty" +if [ -n "" ]; then + msgfail +else + msgpass +fi + + +# test another possible attack vector using subkeys (LP: #1013128) +msgtest "add_keys_with_verify_against_master_keyring with subkey attack" +ADD_KEYRING=./keys/exploid-keyring-with-dupe-subkeys.pub +if add_keys_with_verify_against_master_keyring $ADD_KEYRING $MASTER_KEYRING; then + msgfail +else + msgpass +fi + +# ensure the keyring is still empty +gpg_out=$($GPG --list-keys) +msgtest "Test if keyring is empty" +if [ -n "" ]; then + msgfail +else + msgpass +fi + + +# test good keyring and ensure we get no errors +ADD_KEYRING=/usr/share/keyrings/ubuntu-archive-keyring.gpg +if add_keys_with_verify_against_master_keyring $ADD_KEYRING $MASTER_KEYRING; then + msgpass +else + msgfail +fi + +testequal './etc/apt/trusted.gpg +--------------------- +pub 1024D/437D05B5 2004-09-12 +uid Ubuntu Archive Automatic Signing Key +sub 2048g/79164387 2004-09-12 + +pub 1024D/FBB75451 2004-12-30 +uid Ubuntu CD Image Automatic Signing Key + +pub 4096R/C0B21F32 2012-05-11 +uid Ubuntu Archive Automatic Signing Key (2012) + +pub 4096R/EFE21092 2012-05-11 +uid Ubuntu CD Image Automatic Signing Key (2012) +' $GPG --list-keys + -- 2.50.0