On Fri, Jan 23, 2015 at 6:42 AM, Stephen Dowdy wrote:

> SUMMARY:
> Q: Can a registered 3rd party repo spoof critical packages (e.g.
> libc6) and have them installed on apt 'upgrade' operations?

Yes.

> Q: What are the best ways (configuration) to help manage 3rd party
> repos to constrain their capabilities?

Set up a dpkg excludes configuration to prevent installation of cron jobs, systemd units, init scripts and so on.

Set up some apt pinning to only allow certain packages from the 3rd-party repo. This may not work in the case of a malicious repository; one would have to do some testing first. If that doesn't work then you'll need new apt configuration options for this.

Implement an option in apt/dpkg to disable maintainer scripts for repos that don't need them or shouldn't be trusted to have them.

> Is it possible for a 3rd party repository/source added in
> /etc/apt/sources.list.d/ to compromise a system by spoofing a new
> (higher) version of a critical package, such as 'libc6'?

Yes, of course. The package name does not matter, by the way: any untrusted Debian package can compromise your system. Don't install untrusted software on your systems.

Personally, right now I would do this:

Create a new reprepro-based repository with the 3rd-party repository as an upstream that only pulls in whitelisted packages.

Verify each update to the reprepro-based repository doesn't contain any issues you care about, and modify the .deb files if so. You will need to check the install/upgrade/remove scripts in the .deb as well as any installed files for things like cron jobs, systemd units, init scripts and so on.

Update your systems from the reprepro-based repository as per normal.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
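As an added example (not part of Paul's message or of Debian's documentation), here is an apt preferences file implementing the pinning he describes, assuming a third-party repository reachable at the hostname `third-party.example` and a single whitelisted package `foo-agent`. It pins on the hostname rather than on the Release file's Origin/Label fields, because the repository operator controls the latter and could relabel the repo to match a pin intended for Debian.

```text
# /etc/apt/preferences.d/third-party
# Added example; "third-party.example" and "foo-agent" are assumed names.
#
# "Pin: origin <hostname>" (without the "release" keyword) matches on the
# site in our own sources.list entry, not on any field of the Release file
# the third party signs, so the repository cannot rename itself to Debian
# and slip past these records.

# 1. General-form record: everything from that host gets a negative
#    priority, which means "never install". A spoofed, higher-versioned
#    libc6 published there is therefore ignored by 'apt upgrade'.
Package: *
Pin: origin "third-party.example"
Pin-Priority: -1

# 2. Specific-form record for the whitelisted package. A record naming a
#    package overrides the general "*" record above. 500 equals the normal
#    priority of a configured repository, so between Debian's copy and the
#    third party's copy the highest version still wins, as it would without
#    any pinning; use 100 instead if the third-party build should only be
#    installed when no version from elsewhere is present.
Package: foo-agent
Pin: origin "third-party.example"
Pin-Priority: 500
```

Verify the effect with `apt-cache policy libc6` and `apt-cache policy foo-agent` (the candidate shown for libc6 must not come from the third-party host). This controls only which packages apt will take from the repository; what a whitelisted package's maintainer scripts do once installed is the gap that the reprepro-plus-review approach in the message is meant to close.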