Launchpad itself

Please don't exposed signed changesfiles/dscs on the main archive

Bug #451396 reported by Iain Lane
260
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Launchpad itself
Fix Released
High
Steve Kowalik
Launchpad itself 10.04

Bug Description

Greetings,

Previously (according to bigjools), a security bug was fixed whereby signed changesfiles from PPAs were exposed, meaning that a malicious user could upload to Ubuntu a package that was previously published in a PPA. However, the hole was not fixed the other way around. Uploads to the main Ubuntu archive still have signed changesfiles and dscs exposed. This is all that is needed for soyuz to accept the upload, meaning that I was just able to download a package (from the REJECTED queue, if that matters) and push it to the uploader's PPA.

This is obviously not as serious as the issue that has been fixed previously. I can imagine a scenario where a user forces a specific (earlier) release in their upload target in order to upload a package from release n+x to release n, causing the users of the PPA to get a package which may break things on their system. Or maybe if there happened to be a serious security flaw in a later release I could cause all users of a PPA to download a vulnerable version.

Regards,
Iain

Related branches

lp:~stevenk/launchpad/fixes-bug-451396
Abel Deuring (community): Approve (code)
William Grant: Pending requested
Diff: 212 lines (+75/-40)
5 files modified
lib/lp/archiveuploader/tests/test_ppauploadprocessor.py (+3/-20)
lib/lp/archiveuploader/tests/test_uploadprocessor.py (+50/-1)
lib/lp/registry/model/distroseries.py (+9/-10)
lib/lp/soyuz/model/publishing.py (+2/-2)
lib/lp/soyuz/model/queue.py (+11/-7)
Revision history for this message
Iain Lane (laney) wrote :

It looks like it might only be the queues where this is exposed - changesfiles from normal (+source) page have signatures stripped.

summary: - Please don't exposed signed changesfiles/dscs
+ Please don't exposed signed changesfiles/dscs on the main archive
Julian Edwards (julian-edwards)
tags: added: ppa soyuz-upload
Julian Edwards (julian-edwards)
Changed in soyuz:
status: New → Triaged
importance: Undecided → High
milestone: none → pending
assignee: nobody → Steve Kowalik (stevenk)
Revision history for this message
Ursula Junque (ursinha) wrote : Bug fixed by a commit

Fixed in stable r10766 <http://bazaar.launchpad.net/~launchpad-pqm/launchpad/stable/revision/10766>

Changed in soyuz:
milestone: pending → 10.04
status: Triaged → Fix Committed
tags: added: qa-needstesting
Revision history for this message
Steve Kowalik (stevenk) wrote :

I have QA'd this change on dogfood by processing multiple uploads to PPAs, as well two distro uploads, one with ancestry and one without -- along with moving the latter upload to rejected and back out. There was no errors found during the upload processing.

tags: added: qa-ok
removed: qa-needstesting
Steve Kowalik (stevenk)
Changed in soyuz:
status: Fix Committed → Fix Released
William Grant (wgrant)
visibility: private → public
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.