Ansgar Burchardt
2010-Apr-24 15:01 UTC
[Secure-testing-team] Bug#579028: pbuilder: installs untrusted packages without asking
Package: pbuilder
Version: 0.196
Severity: grave
Tags: security
Justification: user security hole

Hi,

pbuilder will by default install packages from untrusted sources. This means the system can be compromised by a man in the middle providing malicious packages. There also seems to be no way to get pbuilder to stop doing so.

pbuilder should (in the default configuration) not install packages that are not trusted, only when the user explicitly requests this. Also when creating the chroot with debootstrap, the --keyring option should be used so that debootstrap will check for a valid signature.

Regards,
Ansgar

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (900, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=ja_JP.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
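As an added example, not part of this report or of pbuilder itself, the script below audits a pbuilderrc for the two settings the report asks for: that debootstrap is invoked with --keyring so the base chroot is signature-checked, and that installation of unsigned packages inside the chroot is not enabled. It assumes two pbuilderrc variables: DEBOOTSTRAPOPTS, the array of options pbuilder passes to debootstrap, and ALLOWUNTRUSTED, the switch later pbuilder versions use to permit unsigned packages (the report above notes that 0.196 offers no such switch, so on that version the second check only confirms nothing has opted in). The keyring path is the one shipped by the debian-archive-keyring package. The two configuration files are constructed here for the demonstration; the check works on text only and never sources the config.

```shell
#!/bin/sh
# Hypothetical pbuilderrc audit written for this bug report (not pbuilder code).
# Checks:
#   1. DEBOOTSTRAPOPTS passes --keyring=... to debootstrap  (signed base chroot)
#   2. ALLOWUNTRUSTED is not enabled                        (apt refuses unsigned packages)
# Limitation: a DEBOOTSTRAPOPTS array split across several lines is not recognised.

# Print the effective lines of a config file: comments and blank lines removed.
active_lines() {
    sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1"
}

# Return 0 if debootstrap is given a keyring, 1 otherwise.
has_keyring() {
    active_lines "$1" | grep -q 'DEBOOTSTRAPOPTS.*--keyring='
}

# Return 0 unless ALLOWUNTRUSTED has been set to yes (assumed pbuilderrc variable).
refuses_untrusted() {
    ! active_lines "$1" | grep -q 'ALLOWUNTRUSTED=.*yes'
}

# Print a finding per check; return 0 only if both pass.
check_pbuilderrc() {
    rc=0
    if has_keyring "$1"; then
        echo "ok:   debootstrap is called with --keyring"
    else
        echo "FAIL: no --keyring in DEBOOTSTRAPOPTS; base chroot is not signature-checked"
        rc=1
    fi
    if refuses_untrusted "$1"; then
        echo "ok:   untrusted packages are not allowed"
    else
        echo "FAIL: ALLOWUNTRUSTED=yes; unsigned packages will be installed"
        rc=1
    fi
    return $rc
}

# Constructed sample configs for the demonstration.
WEAK_RC=$(mktemp)
cat >"$WEAK_RC" <<'EOF'
# Constructed: default-style pbuilderrc with untrusted installs switched on.
DEBOOTSTRAPOPTS=("--variant=buildd")
MIRRORSITE=http://deb.debian.org/debian
# ALLOWUNTRUSTED=no    (commented out, so not in effect)
ALLOWUNTRUSTED=yes
EOF

HARD_RC=$(mktemp)
cat >"$HARD_RC" <<'EOF'
# Constructed: hardened pbuilderrc as the report recommends.
DEBOOTSTRAPOPTS=("--variant=buildd" "--keyring=/usr/share/keyrings/debian-archive-keyring.gpg")
MIRRORSITE=http://deb.debian.org/debian
ALLOWUNTRUSTED=no
EOF

echo "== weak config =="
check_pbuilderrc "$WEAK_RC" || echo "weak config rejected (exit $?)"
echo "== hardened config =="
check_pbuilderrc "$HARD_RC" && echo "hardened config accepted"
```

Run it against your own ~/.pbuilderrc or /etc/pbuilderrc by passing the path to check_pbuilderrc; a non-zero exit means at least one of the two protections the report asks for is missing.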