From 1fa997b0fe25949207ac397dcbea660a7caaacad Mon Sep 17 00:00:00 2001
From: Tyler Hicks <tyhicks@canonical.com>
Date: Tue, 16 Jul 2019 06:26:44 +0000
Subject: [PATCH][BIONIC] Use authenticated repositories and packages

BugLink: https://launchpad.net/bugs/1836041

Ensure that all of the additionally configured repositories and
installed packages needed to construct a kernel snap are authenticated
by apt.

The Makefile improperly used the --allow-insecure-repositories and
--allow-unauthenticated apt options when setting up the build chroot. An
attacker with control over the network between the build machine and the
Ubuntu archive or the snappy-dev/image PPA could use this to perform a
man-in-the-middle attack to install malicious packages in the build
chroot.

Such an attack is unlikely for the official Ubuntu kernel snap builds
since the Launchpad buildd infrastructure and the network communication
with the Ubuntu archive and Launchpad PPAs is tightly controlled.
However, end-users may use this Makefile to build their own kernel snaps
and have no guarantees about the communication with the archive or PPAs.

Store a copy of the snappy-dev/image PPA's public signing key alongside
the Makefile so that the public signing key can be added to apt as part
of the build process. Finally, remove all uses of
--allow-insecure-repositories and --allow-unauthenticated when invoking
apt commands.

CVE-2019-11480

Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
---
 Makefile             | 27 ++++++++++++++++++++-------
 snappy-dev-image.asc | 28 ++++++++++++++++++++++++++++
 2 files changed, 48 insertions(+), 7 deletions(-)
 create mode 100644 snappy-dev-image.asc

diff --git a/Makefile b/Makefile
index 57689dd92190..db3b2afb1cdd 100644
--- a/Makefile
+++ b/Makefile
@@ -68,9 +68,24 @@ all:
 	debootstrap --variant=minbase $(RELEASE) chroot
 	cp /etc/apt/sources.list chroot/etc/apt/sources.list
 	# install all updates
-	$(ENV) chroot chroot apt-get -y --allow-insecure-repositories update
-	$(ENV) chroot chroot apt-get -y --allow-unauthenticated upgrade
+	$(ENV) chroot chroot apt-get -y update
+	$(ENV) chroot chroot apt-get -y upgrade
+
+	mount --bind /proc chroot/proc
+	mount --bind /sys chroot/sys
+
+	# Enable ppa:snappy-dev/image inside of the chroot and add the PPA's
+	# public signing key to apt:
+	# - gnugpg is required by apt-key
+	# - gnugpg 2.x requires gpg-agent to be running
+	# - procfs must be bind-mounted for gpg-agent
+	# - running apt-key as a child process of gpg-agent --daemon stops the
+	#   agent shortly after apt-key executes
+	$(ENV) chroot chroot apt-get -y install gnupg
+	mkdir --mode=0600 chroot/tmp/gnupg-home
+	cat snappy-dev-image.asc | $(ENV) chroot chroot gpg-agent --homedir /tmp/gnupg-home --daemon apt-key add -
 	echo "deb http://ppa.launchpad.net/snappy-dev/image/ubuntu $(RELEASE) main" >> chroot/etc/apt/sources.list
+
 	if [ "$(PROPOSED)" = "true" ]; then \
 	  echo "deb http://$(MIRROR) $(RELEASE)-proposed main restricted" >> chroot/etc/apt/sources.list; \
 	  echo "deb http://$(MIRROR) $(RELEASE)-proposed universe" >> chroot/etc/apt/sources.list; \
@@ -85,11 +100,9 @@ all:
 	  echo "usbhid" >> chroot/etc/initramfs-tools/modules; \
 	  echo "hid-generic" >> chroot/etc/initramfs-tools/modules; \
 	fi
-	$(ENV) chroot chroot apt-get -y --allow-insecure-repositories update;\
-	$(ENV) chroot chroot apt-get -y --allow-unauthenticated install initramfs-tools-ubuntu-core linux-firmware xz-utils
-	mount --bind /proc chroot/proc
-	mount --bind /sys chroot/sys
-	$(ENV) chroot chroot apt-get -y --allow-unauthenticated install $(KERNELDEB) $(PKGS)
+	$(ENV) chroot chroot apt-get -y update;\
+	$(ENV) chroot chroot apt-get -y install initramfs-tools-ubuntu-core linux-firmware xz-utils
+	$(ENV) chroot chroot apt-get -y install $(KERNELDEB) $(PKGS)
 	umount chroot/sys
 	umount chroot/proc
 
diff --git a/snappy-dev-image.asc b/snappy-dev-image.asc
new file mode 100644
index 000000000000..e246cf933e99
--- /dev/null
+++ b/snappy-dev-image.asc
@@ -0,0 +1,28 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: SKS 1.1.6
+Comment: Hostname: keyserver.ubuntu.com
+
+mQINBFRt70cBEADH/8JgKzFnwQQqtllZ3nqxYQ1cZguLCbyu9s1AwRDNu0P2oWORUN9YoUS1
+5kuWtTuneVlLbdbda3N/S/HApvOWu7Q1oIrRRkpO4Jv4xN+1KaSpaTy1vG+HepH1D0tCSV0d
+mbX0S07yd0Ml7o4gMx2svBXeX41RHzjwCNkMUQJGuMF/w0hC/Wqz6Sbki6QcqQx+YAjwVyUU
+1KdDRlm9efelQOskDwdr1j9Vk6ky8q+p29dEX5q2FApKnwJb7YPwgRDMT/kCMJzHpLxW9Zj0
+OLkY4epADRi+eNiMblJsWRULs5l7T5ojyEaXFrGHzOi2HaxidUTUUro2Mb0qZUXRYoEnZV0n
+tmFxUPIS75sFapJdRbLF0mqyaMFe9PtmKyFOJXC/MfMaqhMxChWRZm0f8d12zDcVe5LTnVgZ
+aeYr+vPnhqRaDI7wWZBtCdeMGd4BLa1b3fwY0id2Ti6egFbJzVu2v4GGojBTRkZmlw+Srdzm
+3w9FA/ojmAQV/R7snK6bc2o9gtIvPGlZceUTSOtySwlOBCd50YpL2K4GdT1GlEm/DAPSPAWP
+Zn9gtZOe8XLxyWd2Qca/NTU0sYeG5xdQGes7pdHz9Mqb0vN14ojE8VdqS8qZx74vqhnN3+xJ
+7BDNOjAjjhOAcn1mulX4N9u/WlUw7O67Ht5V/8ODwVTh2L3lLQARAQABtCNMYXVuY2hwYWQg
+UFBBIGZvciBTbmFwcHkgRGV2ZWxvcGVyc4kCOAQTAQIAIgUCVG3vRwIbAwYLCQgHAwIGFQgC
+CQoLBBYCAwECHgECF4AACgkQ8YMd2vxC6Z2y1RAAw7jFWZomYHUkUmm0FNEeRko6kv5iDNGq
+QXpp0JaZz06kC3dW7vjE3kNgwmgMdcA+/a+Jgf3ii8AHyplUQXuopHAXvZyz6YS6r17B2TuK
+t47MtMkWSk56UZ6av0VnE1Msyf6FeBEtQwojLW7ZHNZPq0BlwcvK3/H+qNHitDaIdCmCDDu9
+mwuerd0ZoNwbW0A1RPPl+Jw3uJ+tZWBAkJV+5dGzT/FJlCL28NjywktGjduhGE2nM5Q/Kd0S
++kovwf9qwmPMF8BLwUwshZoHKjLmalu08DzoyO6Bfcl6SThlO1iHoSayFnP6hJZeWkTaF/L+
+Uzbbfnjz+fWAutUoZSxHsK50VfykqgUiG9t7Kv4q5B/3s7X42O4270yEc4OSZM+YIj3EOKWC
+gHkR3YH9/wk3w1jPiVKjO+jfZnX7FV77vVxbsR/+ibzEPEo51nWcp64qbBf+bSSGotGv5ef6
+ETWw4k0cOF9Dws/zmLs9g9CYpuv5DG5d/pvSUKVmqcb2iEc2bymJDuKD3kE9MNCqdtnCbwVU
+pyRauzKhjzY8vmYlFzhlJB5WU0tR6VMMQZNcmXst1T/RVTcIlXZUYfgbUwvPX6SOLERX1do9
+vtbD+XvWAYQ/J7G4knHRtf5RpiW1xQkpFSbrQ9ACQFlqN49Ogbl47J6TZ7BrjDpROote55ix
+mrU=
+=Oltp
+-----END PGP PUBLIC KEY BLOCK-----
-- 
2.7.4