source.changes in PPA could lead to main archive uploads

Bug #177113 reported by Luca Falavigna
Affects: Launchpad itself | Status: New | Importance: Undecided | Assigned to: Unassigned | Milestone: none

Bug Description

source.changes files in PPAs are signed using a valid GPG key. While this is not an issue for non-developers, it could lead to unwanted uploads to the main Ubuntu archive when a member of ubuntu-dev or ubuntu-core-dev publishes a package in his PPA.

In the past, source.changes files were visible to everyone on the PPA main page by clicking on the "(changes)" link. Recently, that link has been removed, but source.changes files are still available and can be downloaded easily.

A practical example:
ubuntu-toolchain PPA: https://launchpad.net/~ubuntu-toolchain/+archive
Take, for instance, gcc-defaults. Its .dsc file is available by clicking on the little triangle icon; its URL is http://launchpadlibrarian.net/10707180/gcc-defaults_1.65ubuntu2.dsc.
If we want to get its associated source_changes, replace .dsc with _source.changes and subtract 2 from 10707180.
We get http://launchpadlibrarian.net/10707178/gcc-defaults_1.65ubuntu2_source.changes, which is a valid source.changes file signed by a core-dev.

This mechanism is valid for every package published in a PPA, so there is a potential risk of harming the main Ubuntu archive with broken packages.
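The risk described above is a replay: a .changes file signed for a PPA carries nothing that binds it to that archive, so an archive accepting it elsewhere cannot tell from the signed fields alone. The following added example (not Launchpad's code; a hypothetical archive-side check) parses a constructed clearsigned _source.changes and refuses a signed body that was already accepted into a different archive.

```python
import hashlib

# Constructed sample, modelled on a clearsigned _source.changes (not a real upload).
SAMPLE_CHANGES = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Source: gcc-defaults
Version: 1.65ubuntu2
Distribution: hardy
Files:
 d41d8cd98f00b204e9800998ecf8427e 0 devel optional gcc-defaults_1.65ubuntu2.dsc
-----BEGIN PGP SIGNATURE-----
(signature bytes omitted in this constructed sample)
-----END PGP SIGNATURE-----
"""

def signed_body(changes_text):
    """Return the clearsigned body: the text between the armor headers and the signature."""
    lines = changes_text.splitlines()
    start = lines.index("") + 1                       # first blank line ends the armor headers
    end = lines.index("-----BEGIN PGP SIGNATURE-----")
    return "\n".join(lines[start:end])

def parse_fields(body):
    """Parse the deb822 control fields of a .changes body (folded lines are joined)."""
    fields, key = {}, None
    for line in body.splitlines():
        if line[:1] in (" ", "\t") and key:
            fields[key] += "\n" + line.strip()
        elif ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields

class UploadGate:
    """Hypothetical archive-side replay check: one signed .changes is accepted for one archive only."""
    def __init__(self):
        self.seen = {}   # sha256 of the signed body -> archive that first accepted it

    def accept(self, changes_text, archive):
        body = signed_body(changes_text)
        fields = parse_fields(body)
        digest = hashlib.sha256(body.encode()).hexdigest()
        # Distribution alone cannot tell a PPA upload from a main-archive one: both say "hardy".
        first = self.seen.setdefault(digest, archive)
        if first != archive:
            return False, "replayed .changes for %s already accepted into %s" % (fields["Source"], first)
        return True, "accepted %s %s into %s" % (fields["Source"], fields["Version"], archive)
```

Accepting the sample into "ppa:ubuntu-toolchain" and then presenting the same file to "ubuntu" yields a rejection naming the PPA as the first acceptor.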

Tags: lp-soyuz
William Grant (wgrant)
visibility: private → public
This report contains Public Security information.
