Please don't expose signed changesfiles/dscs on the main archive
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Launchpad itself | Fix Released | High | Steve Kowalik | |
Bug Description
Greetings,
Previously (according to bigjools), a security bug was fixed whereby signed changesfiles from PPAs were exposed, meaning that a malicious user could upload to Ubuntu a package that was previously published in a PPA. However, the hole was not fixed the other way around. Uploads to the main Ubuntu archive still have signed changesfiles and dscs exposed. This is all that is needed for soyuz to accept the upload, meaning that I was just able to download a package (from the REJECTED queue, if that matters) and push it to the uploader's PPA.
This is obviously not as serious as the issue that has been fixed previously. I can imagine a scenario where a user forces a specific (earlier) release in their upload target in order to upload a package from release n+x to release n, causing the users of the PPA to get a package which may break things on their system. Or maybe if there happened to be a serious security flaw in a later release I could cause all users of a PPA to download a vulnerable version.
Regards,
Iain
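The replay the report describes works only because the archive serves the changesfile and dsc with their OpenPGP cleartext signature still attached, so the file can be fed back into the upload processor as-is. A defender-side check is to detect the clearsign wrapper on anything about to be served from a queue and strip it before publishing. The following Python is an added example written for this page; it is not Launchpad's own fix (that lives in the branch listed under Related branches) and the sample changesfile, file names, checksum and signature bytes are constructed placeholders.

```python
"""Detect and strip an OpenPGP cleartext signature from a .changes/.dsc body.

Added example, not Launchpad/soyuz code. Serving the stripped form means the
published copy can no longer be re-submitted as a signed upload.
"""

# Armor markers from RFC 4880 section 7 (cleartext signature framework).
BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"


def is_clearsigned(text: str) -> bool:
    """True if the document still carries a usable cleartext signature."""
    lines = text.splitlines()
    return BEGIN_SIGNED in lines and BEGIN_SIG in lines and END_SIG in lines


def strip_clearsign(text: str) -> str:
    """Return the signed payload with the signature wrapper removed.

    Handles the armor headers after the BEGIN line (e.g. 'Hash: SHA256'),
    the blank separator, dash-escaped lines ('- ' prefix, RFC 4880 7.1)
    and the trailing signature block. Unsigned input is returned unchanged.
    """
    if not is_clearsigned(text):
        return text
    lines = text.splitlines()
    start = lines.index(BEGIN_SIGNED)
    sig_start = lines.index(BEGIN_SIG, start)
    # Skip armor headers up to (and including) the first blank line.
    i = start + 1
    while i < sig_start and lines[i].strip() != "":
        i += 1
    body = []
    for line in lines[i + 1:sig_start]:
        if line.startswith("- "):
            line = line[2:]  # undo dash-escaping of lines that began with '-'
        body.append(line)
    return "\n".join(body) + "\n"


# Constructed sample: a minimal signed .changes as an upload would carry it.
# Checksum and signature bytes are placeholders, not real values.
SAMPLE_CHANGES = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Source: hello
Distribution: lucid
Changes:
 hello (2.4-1) lucid; urgency=low
 .
 * Placeholder changelog entry
Files:
 00000000000000000000000000000000 1234 misc optional hello_2.4-1.dsc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

PLACEHOLDERSIGNATUREBYTESNOTAREALSIGNATURE
=AAAA
-----END PGP SIGNATURE-----
"""


if __name__ == "__main__":
    # Before serving a queue item, refuse or sanitise anything still signed.
    if is_clearsigned(SAMPLE_CHANGES):
        print(strip_clearsign(SAMPLE_CHANGES))
```

`is_clearsigned` is the gate to put in front of any code path that serves queue files (including rejected items), and `strip_clearsign` is what the +source page already does in effect; the dash-escape handling matters because a naive "drop the first three and last N lines" approach would corrupt any field whose line begins with a hyphen.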
Related branches
- Abel Deuring (community): Approve (code)
- William Grant: Pending requested

Diff: 212 lines (+75/-40), 5 files modified:
- lib/lp/archiveuploader/tests/test_ppauploadprocessor.py (+3/-20)
- lib/lp/archiveuploader/tests/test_uploadprocessor.py (+50/-1)
- lib/lp/registry/model/distroseries.py (+9/-10)
- lib/lp/soyuz/model/publishing.py (+2/-2)
- lib/lp/soyuz/model/queue.py (+11/-7)
tags: added: ppa soyuz-upload

Changed in soyuz:
- status: New → Triaged
- importance: Undecided → High
- milestone: none → pending
- assignee: nobody → Steve Kowalik (stevenk)

Changed in soyuz:
- status: Fix Committed → Fix Released
- visibility: private → public
It looks like it might only be the queues where this is exposed - changesfiles from the normal (+source) page have signatures stripped.