InRelease file splitter treats getline() errors as EOF

Note that we already have an unapproved APT release for xenial-proposed in the queue. It would be sort of nice if we could avoid a 1.2.15<something> security upload while 1.2.17 is in -proposed.

The fix might take a few weeks, and the bug is subject to a 90 days disclosure, starting today.

The bug was that the return value of getline() was checked for EOF - but getline() also returns on out-of-memory conditions which are thus treated as a end of file.

The attached patch should fix that, but further testing is warranted. If this fix is correct, I'd like to push for a co-ordinated update soon, possibly tomorrow.

AFAICT, this affects all release series except for precise, which does not have splitting, and has InRelease disabled completely.

Let's reduce the importance. The bug is likely not exploitable in zesty, yakkety and xenial, since all those releases have a size limit of 10 MB for release files.

I'll think a bit more about procedure during sleep. I plan to have the new upstream 1.4~beta2 ready to go tomorrow to fix this issue - zesty currently has 1.3.1 still, 1.4~beta2 is in -proposed already, not sure how that's supposed to be handled (I guess we want to do a 1.3.1 security fix upload for zesty and yakkety. Preferably I'd do a 1.3.2 release "upstream" with just that fix).

I did not have the chance to verify the bug at all yet because I don't really have old apt's lying around and increasing the limit also does not seem to expose it yet. Still, this seems to be a real
problem, so we should indeed fix it everywhere.

I'll let my laptop idle during the night, and will be back at around 9:00 CET for discussing things. Contact me in IRC /query if you can and want to discuss this.

Feel free to take your time on zesty if you want to get it in via e.g. 1.4~beta3 or 1.4.1 or whatever. It's nice to get fixes into devel quickly for those who run it but we don't promise security support for it the same way we do the released releases.

Also note that vivid and wily are EOL. Even though vivid's zombie lives on in Ubuntu touch and snappy core I think the headline feature of those platforms is image-based updates, not apt-based updates, so I suspect we can ignore even vivid.

Thanks

Updated patch attached. This one works differently by putting getline into its own helper function that reports the error, and then aborting after the loop if an error occured inside of it.

This makes it a bit safer.

And a fix for writing buffered files: Flush them before checking for errors.

Note that the Debian security team will give us a CVE for that. I'll also drop vivid and wily as per seth's comment.

I hope to have debdiffs for all affected releases within the next 7 hours.

Hi! When exactly is the CRD for this issue?

I'm confused by your "The fix might take a few weeks, and the bug is subject to a 90 days disclosure, starting today." statement.

Sorry about that Marc. There is no real coordination yet, apparently I'm moving a bit too fast for security teams to keep up :)

We received the bug report yesterday from Google with their usual 90 day disclosure deadline:
"This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public."

The fix was simpler than I thought as I misunderstood the initial suggestions (it was a list, I thought we needed to do all in it, but just one thing is enough...). My intention is to provide the fixes today for all affected Debian and Ubuntu releases, in the form of debdiffs in this bug for the Ubuntu ones, to enable some work.

That said, I have no idea how much coordination is needed from security folks, so I'm not sure when we will be able to publicly release it - You guys need to figure that out. I sort of feel offended by security bugs, so I'd really love to move fast on these :)

I'm not a fan of responsible disclosure. I consider it an irresponsible practice, but that's my personal opinion, and if people want to play the game of withholding fixes until everyone catches up, I'm willing to play along for a few days, but not very long.

We're going to need a couple of days for testing it before releasing.

Assuming we have the final patches, would a CRD of 2016-12-13 17:00:00 UTC work for everyone?

Especially because the fix is so tiny and can easily be applied to any affected apt version, and I only know three distributions shipping a self-built apt (Debian, Ubuntu, Tanglu), I'd like to get this rolled out in the next 34 hours basically (until Wed 23:59 CET). I'd be happy extending that to Thu 23:59 CET if that gets a few more distros on board that for whatever reasons ship a self-built apt. But I would not want to hold a fix for Debian and Ubuntu back for longer than that to give 1% or so the time to fix up things, as that would be irresponsible.

Release procedure:

For yakkety, the fix will be a new 1.3.2 "upstream" micro release containing just that fix, so I'll just provide a debdiff for that.

For xenial, there will be a new 1.2.18 upstream micro release, but as 1.2.17 is stuck in the queue for proposed, I can also provide a 1.2.15ubuntu0.1 (did I get that right?) debdiff for security. Once the security upload has been done, I'll replace 1.2.17 with 1.2.18 in the proposed queue.

For trusty, I will provide a debdiff for 1.0.1ubuntu2.16.

Really - 7 days is like crazy long. The fix is basically a simple matter of checking if errno is 0 and returning false in case it is. What do you want to do 7 days testing it?

The yakkety one is basically an upstream release (1.3.2), hence a bit more automated churn in there to update the version number by the build system.

I won't attach the one for 1.2.18 for xenial-proposed, as that's basically the same as 1.3.2, just against 1.2.17 - and we need to get 1.2.15 done first.

Might need some more work with pushing the error stack, so we really only return on errors that occured inside the function and not outside - which _might_ prevent other repositories from updating (or at least, it's a weird API).

Could you please clarify your last comment? Does that mean the proposed fix is incorrect?

It might introduce a regression on 1.1 and newer releases (everything but trusty), such that if one repository is attacked, all repositories would be blocked. Sorry, I thought you were CCed on that email, but it seems this was in another sub-thread without an Ubuntu CC.

David wrote we need something like this:

diff --git a/apt-pkg/contrib/gpgv.cc b/apt-pkg/contrib/gpgv.cc
index b49569ae6..f9fe6b546 100644
--- a/apt-pkg/contrib/gpgv.cc
+++ b/apt-pkg/contrib/gpgv.cc
@@ -315,6 +315,7 @@ bool SplitClearSignedFile(std::string const &InFile, FileFd * const ContentFile,

    char *buf = NULL;
    size_t buf_size = 0;
+ _error->PushToStack();
    while (GetLineErrno(&buf, &buf_size, in, InFile) != -1)
    {
       _strrstrip(buf);
@@ -386,9 +387,10 @@ bool SplitClearSignedFile(std::string const &InFile, FileFd * const ContentFile,
       ContentFile->Flush();

    // An error occured during reading - propagate it up
- if (_error->PendingError()) {
+ bool const hasErrored = _error->PendingError();
+ _error->MergeWithStack();
+ if (hasErrored)
       return false;
- }

    if (found_signature == true)
       return _error->Error("Signature in file %s wasn't closed", InFile.c_str());

I'll add that tomorrow morning, and then we can eye for a release next week, so you can get your proposed date if nobody disagrees :)

Hi Julian - I plan to publish the yakkety, xenial, and trusty apt security updates at 2016-12-13 17:00:00 UTC. Test results look good. Thanks for the debdiffs.

This bug was fixed in the package apt - 1.3.2ubuntu0.1

---------------
apt (1.3.2ubuntu0.1) yakkety-security; urgency=high

  * Hack around Ubuntu rejecting symlink copyright
  * SECURITY UPDATE: gpgv: Check for errors when splitting files (CVE-2016-1252)
    Thanks to Jann Horn, Google Project Zero for reporting the issue
    (LP: #1647467)
  * gpgv: Flush the files before checking for errors

 -- Julian Andres Klode <email address hidden> Thu, 08 Dec 2016 15:22:30 +0100

This bug was fixed in the package apt - 1.2.15ubuntu0.2

---------------
apt (1.2.15ubuntu0.2) xenial-security; urgency=high

  * SECURITY UPDATE: gpgv: Check for errors when splitting files (CVE-2016-1252)
    Thanks to Jann Horn, Google Project Zero for reporting the issue
    (LP: #1647467)
  * gpgv: Flush the files before checking for errors

 -- Julian Andres Klode <email address hidden> Thu, 08 Dec 2016 15:28:08 +0100

This bug was fixed in the package apt - 1.0.1ubuntu2.17

---------------
apt (1.0.1ubuntu2.17) trusty-security; urgency=high

  * SECURITY UPDATE: gpgv: Check for errors when splitting files (CVE-2016-1252)
    Thanks to Jann Horn, Google Project Zero for reporting the issue
    (LP: #1647467)

 -- Julian Andres Klode <email address hidden> Thu, 08 Dec 2016 15:31:29 +0100

This bug was fixed in the package apt - 1.4~beta2

---------------
apt (1.4~beta2) unstable; urgency=high

  [ John R. Lenton ]
  * bash-completion: Only complete understood file paths for install
    (LP: #1645815)

  [ Julian Andres Klode ]
  * SECURITY UPDATE: gpgv: Check for errors when splitting files (CVE-2016-1252)
    Thanks to Jann Horn, Google Project Zero for reporting the issue
    (LP: #1647467)
  * gpgv: Flush the files before checking for errors

 -- Julian Andres Klode <email address hidden> Thu, 08 Dec 2016 15:21:16 +0100

The verification of the Stable Release Update for apt has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

> It allows for attacking a repository via MITM attacks, circumventing the signature of the InRelease file.

> ("deb http://192.168.0.2:1337/debian/ jessie-updates main" or so). [..] This simulates a MITM attack or compromised mirror.

That sounds like it matters, where that InRelease file comes from, right? When I look into my /etc/apt/sources.list, I only see deb/dev-src http://<tld>.archive.ubuntu.com/... entries.

I think it would be much better, if Canonical servers would require TLS 1.x encryption (STS preferred) and thusly identify themselves with a proper cert, so machines/users can make sure (nation-state actors not taken into account) who they're talking to.

I think that would definitely make MITM and MOTS attacks more difficult. I'm aware of the signatures, i.e. present package security, though. Nonetheless, they do not seem to address the problem of transport security.