Please don't exposed signed changesfiles/dscs on the main archive

Bug #451396 reported by Iain Lane on 2009-10-14
260
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Launchpad itself
High
Steve Kowalik

Bug Description

Greetings,

Previously (according to bigjools), a security bug was fixed whereby signed changesfiles from PPAs were exposed, meaning that a malicious user could upload to Ubuntu a package that was previously published in a PPA. However, the hole was not fixed the other way around. Uploads to the main Ubuntu archive still have signed changesfiles and dscs exposed. This is all that is needed for soyuz to accept the upload, meaning that I was just able to download a package (from the REJECTED queue, if that matters) and push it to the uploader's PPA.

This is obviously not as serious as the issue that has been fixed previously. I can imagine a scenario where a user forces a specific (earlier) release in their upload target in order to upload a package from release n+x to release n, causing the users of the PPA to get a package which may break things on their system. Or maybe if there happened to be a serious security flaw in a later release I could cause all users of a PPA to download a vulnerable version.

Regards,
Iain

Related branches

Iain Lane (laney) wrote :

It looks like it might only be the queues where this is exposed - changesfiles from normal (+source) page have signatures stripped.

summary: - Please don't exposed signed changesfiles/dscs
+ Please don't exposed signed changesfiles/dscs on the main archive
tags: added: ppa soyuz-upload
Changed in soyuz:
status: New → Triaged
importance: Undecided → High
milestone: none → pending
assignee: nobody → Steve Kowalik (stevenk)
Changed in soyuz:
milestone: pending → 10.04
status: Triaged → Fix Committed
tags: added: qa-needstesting
Steve Kowalik (stevenk) wrote :

I have QA'd this change on dogfood by processing multiple uploads to PPAs, as well two distro uploads, one with ancestry and one without -- along with moving the latter upload to rejected and back out. There was no errors found during the upload processing.

tags: added: qa-ok
removed: qa-needstesting
Steve Kowalik (stevenk) on 2010-05-17
Changed in soyuz:
status: Fix Committed → Fix Released
William Grant (wgrant) on 2012-08-09
visibility: private → public
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers