Do Debian APT and PHP Pear Patches Highlight Vulnerability In Package Management Infrastructure?

"Time and again, security experts and vendors alike will recommend to organizations and end users to keep software and systems updated with the latest patches," reports eWeek. "But what happens when the application infrastructure that is supposed to deliver those patches itself is at risk?" That's what open-source and Linux users were faced with this past week with a pair of projects reporting vulnerabilities. On January 22, the Debian Linux distribution reported a vulnerability in its APT package manager that is used by end users and organizations to get application updates. That disclosure was followed a day later, on January 23, with the PHP PEAR (PHP Extension and Application Repository) shutting down its primary website, warning that it was the victim of a data breach. PHP PEAR is a package manager that is included with many Linux distributions as part of the open-source PHP programming language binaries....

In the Debian APT case, a security researcher found a flaw, reported it, and the open-source project community responded rapidly, fixing the issue. With PHP PEAR issue, researchers with the Paranoids FIRE (Forensics, Incident Response and Engineering) Team reported that they discovered a tainted file on the primary PEAR website... Both PHP PEAR and Debian have issued updates fixing their respective issues. While both projects are undoubtably redoubling their efforts now with different security technologies and techniques, the simple fact is that the two issues highlight a risk with users trusting updating tools and package management systems.

Re: Don't be a PHP monkey.

That's all you gained from reading this? Did you not even see that the Debian repo was tainted as well? Which has notning to do with PHP.

You all or nothings are serious idiots that are ruining the world for the rest of us.

Re: Don't be a PHP monkey.

the debian tools are written in python so suck on that

Re: Don't be a PHP monkey.

Vulnerabilities in software highlight the possibility of vulnerabilities in software. When that software is part of infrastructure, they highlight vulnerabilities in ... Infrastructure.

This article could have been summed up in two sentences with links to the incident reports.

Microsoft also had vulnerabilities in it's update infrastructure before, and those highlighted the same thing.

Re:Don't be a PHP monkey.

[Tablizer]

Prove Python is more secure. Anyhow PEAR is a library, not a language.

Re: Don't be a PHP monkey.

More insecure code? Developers caught napping? Just wait til your dad gets home you worthless bitches

Re:Don't be a PHP monkey.

The point is larger than PEAR by itself obviously but I accept your pedantic correction. I wasn't talking about PEAR, I said PHP. I don't have to prove Python more secure, the numbers alone do that.

Prove me wrong if you can find some that contradict me.

Do Debian APT and PHP Pear Patches Highlight Vulne

No.

They highlight that engineers have come up with a decent solution for rapidly distributing the inevitable security updates that will occur.

So, that's why...

My aptget malware command suddenly stopped working.

Re: Don't be a PHP monkey.

Exactly. What a vapid article. Not to mention PEAR is ancient PHP tech at this point.

Re: Don't be a PHP monkey.

You are thinking of Fedora and DNF.

Apt vulnerability

[ISayWeOnlyToBePolite]

Max Justicz original blog post with example exploit https://justi.cz/security/2019...

Same problem as certificate authorities.

Your HTTPS connections are only as trustworthy as your CA, divided by your browser vendor, divided by your OS vendor divided by your OS source divided by your hardware maker and your hardware source, and finally by the security of your own home.

In the end, who watches the watchmen, must always be YOU. No way around it.
And you need to be competent enough to tell if you are competent too. And do all the above too!

Everything else is just trust, justified or blind. But not certainty.

Re:Don't be a PHP monkey.

Python has package managers as well - PIP, Anaconda, etc. Same with Node JS and its package manager NPM.

Both Python and Node JS had vulnerabilities with their package managers in the past.

This is not a language issue. This is the ol' easy vs. secure issue. The easier you make something, the more prone to security issues it is.

Re:Don't be a PHP monkey.

Python by sheer number of users without significant issue is proof alone.
PHP with its sheer number of users and WITH significant issue is just gravy on top.
PHP is a horrific language. Most people that use it don't know how to secure it. Fuck, the developers themselves didn't know how to and they build the fucking thing! The core developers are somehow worse than the users! Some of them, for years, didn't even know how their own === comparison worked vs the == comparison. One of them didn't even see the point! LOL I sure hope they aren't still contributing.

Nobody should use it. No, not even current versions. It's still broken. It has a long way to go to become even slightly secure enough for regular use.
Every single time I hear about network tech exploits, I am not even remotely surprised PHP was at fault somewhere. I'm almost expecting it. I get surprised when it is other languages.
I can't even count the Wordpress hacks that have happened in recent years. Holy Hanna Barbara Batman!
Running PHP is like running WinXP on the internet. It could be done, just requires considerable thought put in to it so you don't get 20 worms on your shit. That is way more than most developers can give. (see Wordpress, again.)

Software pipeline security

[MSG]

> Do Debian APT and PHP Pear Patches Highlight Vulnerability In Package Management Infrastructure?

Yes.

The security of the software delivery pipeline is something that Red Hat stresses, and is one of my top reasons for using their platforms. Universally signed packages is a significant security improvement over other systems.

You should definitely be concerned about the security of unsigned code, regardless of whether you get it through docker, pip, pear, gem, or other means where signatures are not present and verified by default.

Re:Software pipeline security

[Junta]

Note that apt for both debian and ubuntu are all signed packages by default as well.

Here the vulnerability is that the HTTP reply can just claim a hash and cause apt to assume the given hash is correct without calculating it itself. A huge mistake that defeats the package signiing but a mistake that may be patched.

You are right with pip, pear, gem, npm, and cpan, most of the language specific repositories are security nightmares (not just general lack of signing, but the 'anyone can publish' model means that even if signed, you generally don't have much of a chance to manage your trust relationships anyway).

Basically the major linux distros take package signing seriously but the scripting languages don't and can not.

Re:Software pipeline security

No, at least in the case of APT. To quote the summary:

In the Debian APT case, a security researcher found a flaw, reported it, and the open-source project community responded rapidly, fixing the issue.

This is how things are supposed to work. If you do not add foreign repositories, then there is no malware issue. GDEBI on the other hand...

Re:Software pipeline security

[Junta]

I will say my one-line summary was incorrect, it's a bit trickier, but the end result is executing the normal install process of an untrusted, unsigned .deb file. The protections are there, but defeated by the mistake.

Scripting language package management is however accurate, not much in the way of signing and further not particularly reviewed packages.

Re:Software pipeline security

[MSG]

> Note that apt for both debian and ubuntu are all signed packages by default as well.

If you have a reference for that, I'd be really interested. Most of what I've read indicates that Debian and Ubuntu packages themselves are not signed, only checksummed (which is why this vulnerability exists to begin with). Only the package metadata is signed.

https://wiki.debian.org/Secure...

Re:Software pipeline security

[MSG]

> If you do not add foreign repositories, then there is no malware issue

I don't see anything in the research that indicates that this only affected "foreign" repositories. This appears to affect all repositories, because debian packages aren't signed, directly. They're checksummed, and the checksum list is signed. All well and good, but when the redirect was able to inject a header indicating a checksum of the attacker's choosing, that measure was defeated.

Re:Software pipeline security

[Junta]

When working properly, as far as I understand it, the checksums of all the packages are signed in the repo. Correct that rpm can carry a signature directly, though in practice you won't use dpkg directly just like using rpm directly is unusual.

Yes rpm direct can verify signatures and dpkg direct cannot, but apt can verify signature of the file that has all the cryptographic checksums.

This vulnerability is a way to trick apt into operating on a payload as a deb that shouldn't have been a deb. Sure, if debs had signatures it would have been an additional layer of protection to require both apt and deb protections to break, so too would https as a default pretty much made this not exploitable, but at least when things work as designed, you do have key based validation of the package integrity so long as you don't manually download and dpkg things.

Note that if you download and manually install an rpm file without a signature, redhat (at least by default) lets you do that without warning or error, yum is the only method that will tend to be strict on the signatures, so when both are working as designed they have very similar behaviors.

Re:Software pipeline security

[MSG]

> though in practice you won't use dpkg directly just like using rpm directly is unusual.

That's true, but I'm not sure what point you're making. yum (or its replacement dpkg) validates the packages it downloads using a cryptographic signature, which makes it a more secure system than apt.

I'm not comparing rpm with apt or dpkg. I'm comparing yum with other package management systems.

> Yes rpm direct can verify signatures and dpkg direct cannot, but apt can verify signature of the file that has all the cryptographic checksums.

As far as I know, dpkg can verify signatures. The problem is that Debian and Ubuntu don't bother to sign their packages.

Checksums aren't secure. All an attacker has to accomplish is to generate a file with some garbage data in order to match the checksum. In other words, they only need to find a hash collision.

> This vulnerability is a way to trick apt into operating on a payload as a deb that shouldn't have been a deb.

No, it was a way to provide a package that didn't match the checksum, with the addition of a header that said that it did.

> so too would https as a default pretty much made this not exploitable

https would prevent against a man-in-the-middle, but it's still vulnerable to an attacker who gains control of the mirror you're using. A malicious mirror could have used this vulnerability or a hash-collision to push malicious packages.

yum is secure against those attacks.

Re:Software pipeline security

As far as I know, dpkg can verify signatures. The problem is that Debian and Ubuntu don't bother to sign their packages.

That's absurd. Of course Debian and Ubuntu sign their packages. That's basic package management security. That's why whenever you add a PPA in Ubuntu, you have to explicitly trust the signing keys for it. apt really doesn't like installing unsigned packages.

Re:Software pipeline security

[MSG]

> Of course Debian and Ubuntu sign their packages

https://blog.packagecloud.io/e...

I downloaded several packages at random and extracted them with "ar". There was no "_gpgorigin" file in any of them, indicating (as far as I can tell) that the *packages* aren't signed.

The package metadata is signed, but in that case the Release file contains an md5sum for the Packages file, which contains several checksums for the packages. That chain is only as secure as its weakest link. If you create a Packages file with modified hashes for your malicious package, then you appear to only need to find an MD5 hash collision to create a chain of Release -> Packages -> package file that will appear to be valid.

That's less secure than signing packages individually.

> That's basic package management security

Yes, I agree, which is what concerns me about Debian packages.

> whenever you add a PPA in Ubuntu, you have to explicitly trust the signing keys for it

The keys will be used to check the signature of the Release file, and packages if they're signed. Generally, however, they don't appear to be. The ones I sampled weren't, and I've read several times that they aren't. And, most importantly, the vulnerability described in this post wouldn't be possible if the pacakges were signed.

Re:Software pipeline security

[Junta]

Checksums aren't secure. All an attacker has to accomplish is to generate a file with some garbage data in order to match the checksum. In other words, they only need to find a hash collision.

Signatures are just checksums that have been signed. If you could find a sha256 collision (good luck) then signing packages would also be useless. Releases contain the cryptogrophically solid checksums of packages and then it in turn is signed, establishing a chain to valiate.

No, it was a way to provide a package that didn't match the checksum, with the addition of a header that said that it did.

I thought that at first as well, but upon deeper exploration, his trick in practice was to sneak a .dpkg file into the contents of a pem file and induce apt to process that pem file as a dpkg...

yum is secure against those attacks.

And with a fix, apt is also secure against those attacks. Granted having multiple layers is better, but the design does provide a full path from gpg key to the individual packages.

As per usual, No.

It highlights that there is a highly effective system for distributing patches and security updates.

Also one might amuse oneself by raising the question that the submitter seems to want to imply, that package managers should be considered some kind of vulnerability. As if NOT having a package management system would somehow improve the situation, because we all know how secure and up to date the average Windows system and its various installed applications usually are... LOL.

Are only morons and retards submitting stuff these days?

Re:As per usual, No.

[bankman]

Are only morons and retards submitting stuff these days?

As per usual, the answer is "yes". Slashdot has been useless for quite some time now.

Coding standards exist

[tepples]

PHP is a horrific language. Most people that use it

...haven't read JavaScript: The Good Parts. PHP and JavaScript have a surprising number of pitfalls in common, such as difficult-to-memorize rules for == comparison. True, there are problems with PHP that are very annoying to work around, as Eevee pointed out in her famous essay. But as with JavaScript, there are also a few common-sense coding standards that make the worst problems less likely.

Nobody should use it. No, not even current versions. It's still broken.

Do you block Wikimedia sites and other sites using MediaWiki software?

Re: Coding standards exist

Ah that stupid fucking essay that's 9 years old and not relevant to today's PHP 7.

I think people just like to stick their fingers in their ears and sing like a child whenever someone brings up the fact that even point releases on PHP are considered major enhancements (ie. PHP 7.0, 7.1, 7.2, and soon 7.3).

Every point release makes drastic changes as we phase out the old garbage of PHP5. And introduce more modern libraries (like libsodium) and depreciate and remove others (looking at you mcrypt).

Re:Coding standards exist

[Hognoxious]

...haven't read JavaScript: The Good Parts.

I have. Both pages, in fact.

Re:Coding standards exist

[tepples]

Then you must have a different edition, as my copy is ISBN 9780596517748 with 160-some pages. Did yours have a quick reference card?

Re:Don't be a PHP monkey.

[Junta]

Note in the context of this particular thread, the question would be whether pypi is secure, and the answer is not really.

In fact, one could describe the apt vulnerability as degrading apt security to pypi/pear/gem/npm security on their *best* day.

The APT v. Pear vulnerabilities are interesting...

[Junta]

After 'fixing' the PEAR problem to no longer have a vulnerability, PEAR's security becomes as strong as APT while afflicted by this cited vulnerability.

APT's vulnerability was to bypass the signature checking, while PEAR doesn't even have it in the first place.

Balance the benefits vs risks

[Parker+Lewis]

Do Debian APT and PHP Pear Patches Highlight Vulnerability In Package Management Infrastructure?

It's a matter of benefits vs risks: keep standalone installer relying on the user to update all softwares individually or use open source package managers, that while can contain security issues (being inspected by experts and fixed few hours later), can keep all the softwares updated including security updates. Well, at least this is valid for APT, no sure for Pear as PHP has experimented with several different package managers during the years.

Anyway, NIH is the modus operandi in PHP: never contribute or improve any existing library, always create a different one from the ground.

at some point, you have trust someone else

[Nikademus]

As said, at some point, you have trust someone else. The other way is: code your OS and all its features yourself.

Re:Don't be a PHP monkey.

I'm sorry that PHP was too hard for you to learn in order to discuss it intelligently.

You can write insecure, shitty code in any language. Python, PHP, Java, perl, etc. they can all be used to write dreadfully bad code.

25 years of trust

[bigtreeman]

So in 25 years has the Debian repository ever been compromised using this vulnerability in the apt system, that has been promptly patched ?
Motto of the story, I trust Debian

Re:25 years of trust

There is not evidence that this has been widely exploited and you won't find any information about it being used for targeted attacks. You should continue to trust Debian.

Re:25 years of trust

This isn't about compromising the repository.

This is about Mr. MIMT doing:

"Hi! The .deb file you are downloading from xyz malicious redirect has a calculated hash of ce2dc5ea4f76... and is signed by that GPG key you already trust"

and the forked process that apt spawns to do the transfer going:
"Ah, everything is kosher. The hash is ce2dc5ea4f76... and is signed by that GPG key I already trust"

It's shitty string processing.

Re:Don't be a PHP monkey.

[Tablizer]

the numbers alone do that.

Bring 'em on.

Re:The APT v. Pear vulnerabilities are interesting

No, the vulnerability in APT was a remote code execution vulnerability as whatever user executed apt-get upgrade, usually root.

Re:The APT v. Pear vulnerabilities are interesting

[Junta]

Yes, but the mechanism was through getting apt to install a deb that bypassed all the signing. The package contained malicious scripting that was executed in the configuration phase of the install.

The vulnerability was basically sneak a deb into the 'don't care' portion of a gpg file, trick apt into treating that gpg file as a deb to install, which then discards the 'don't care' part that is the gpg signature and does a normal install of the file that should have not made it through the signature validation. Normally that portion of the install didn't expect to have to worry about signature verification (it was supposed to be handled before then), so arbitrary deb gets to be installed with malicious payload put to disk and/or configuration payload that executes at apt execution time.

Deb/Ub packages and signing

Note that apt for both debian and ubuntu are all signed packages by default as well.

Well, there is signing, but in a roundabout way. You have .DEB files, which are listed (with checksums) in the "Release" file. It is the "Release" that is signed:

* https://wiki.debian.org/SecureApt#Signed_Release_files

There are no signatures contained with-in .DEB packages, and there are no signatures for individual .DEB files either.

Re: Don't be a PHP monkey.

How is Debian bad for society?