Signed changes upload replay attack vulnerability
Bug #159304 reported by StefanPotyra
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Launchpad itself | Fix Released | High | Julian Edwards |
Bug Description
Hi,
we just discovered that the packages page for PPAs (for example: <https:/
has a link to changes files, which displays them unmodified (i.e. still signed), see
<http://
Since the distribution in the packages on PPA matches an Ubuntu release and all files the source package consists of can be downloaded as well, anyone can basically upload that package to the real archive if there is a newer version in the PPA than in the archive.
Hence, I'm marking this as a security vulnerability.
Cheers,
Stefan.
Changed in launchpad:
  assignee: nobody → cprov
  status: New → In Progress

Changed in soyuz:
  importance: Undecided → Critical
  milestone: none → 1.1.11

Changed in soyuz:
  milestone: 1.2.1 → 1.2.2

Changed in soyuz:
  milestone: 1.2.2 → 1.2.5

Changed in soyuz:
  assignee: cprov → nobody
  status: In Progress → Triaged

Changed in soyuz:
  milestone: 1.2.5 → none

Changed in soyuz:
  milestone: none → 2.1.8

Changed in soyuz:
  status: Triaged → In Progress
  assignee: nobody → julian-edwards
  visibility: private → public
If Soyuz accepts the same signed build request twice, that sounds like a bug in and of itself (a replay attack vulnerability).
While that is the case, we definitely shouldn't be publishing links to the files.
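The two mitigations raised in this report and its comments are to stop republishing the intact signed `.changes` file and to refuse a signed `.changes` that the upload processor has already accepted once. The following is an added example written for this page; it is not Soyuz or Launchpad code and not from the reporter. It works on a constructed `.changes` file whose OpenPGP signature block is a placeholder. The field names (`Source`, `Version`, `Distribution`, `Files`) are the standard `.changes` fields; the `UploadGate` class and its method names are hypothetical.

```python
"""Display-safe stripping and replay detection for signed .changes uploads."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field

# Constructed sample: a PGP clear-signed .changes file. The signature block
# below is a placeholder, not a real OpenPGP signature.
SIGNED_CHANGES = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 01 Oct 2007 12:00:00 +0000
Source: hello
Binary: hello
Architecture: source
Version: 2.2-1~ppa1
Distribution: gutsy
Urgency: low
Maintainer: Example Maintainer <maintainer@example.invalid>
Changed-By: Example Maintainer <maintainer@example.invalid>
Description:
 hello      - constructed example package
Changes:
 hello (2.2-1~ppa1) gutsy; urgency=low
 .
   * Constructed changelog entry.
Files:
 0123456789abcdef0123456789abcdef 1234 devel optional hello_2.2-1~ppa1.dsc
 fedcba9876543210fedcba9876543210 5678 devel optional hello_2.2.orig.tar.gz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHEXAMPLEPLACEHOLDERSIGNATUREBLOCKAAAAAAAAAAAAAAAAAAAAAAAAAAAA
=abcd
-----END PGP SIGNATURE-----
"""

SIGNED_HEADER = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"


def strip_clearsign(text: str) -> str:
    """Return the signed body without the OpenPGP armour, for display only.

    This performs no verification; its purpose is that a web page showing the
    .changes file no longer hands out a complete, re-submittable signed blob.
    """
    lines = text.splitlines()
    if not lines or lines[0] != SIGNED_HEADER:
        return text  # unsigned input: nothing to strip
    # Skip the armour headers ("Hash: SHA1", ...) up to the blank separator.
    i = 1
    while i < len(lines) and lines[i].strip():
        i += 1
    i += 1
    body = []
    for line in lines[i:]:
        if line == SIG_BEGIN:
            break
        # Undo the dash-escaping that clear-signing applies (RFC 4880 section 7.1).
        body.append(line[2:] if line.startswith("- ") else line)
    return "\n".join(body).rstrip("\n") + "\n"


def parse_changes(body: str) -> dict[str, str]:
    """Parse the control-style fields of a .changes body.

    Continuation lines (leading whitespace) are appended to the previous field.
    """
    fields: dict[str, str] = {}
    key = None
    for line in body.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and key is not None:
            fields[key] += "\n" + line[1:]
        else:
            key, _, value = line.partition(":")
            fields[key] = value.strip()
    return fields


@dataclass
class UploadGate:
    """Accept each signed .changes at most once (hypothetical helper).

    The first key is a digest of the entire signed blob, so a verbatim replay
    is refused no matter which archive it is aimed at. The second key,
    (source, version), refuses the same build even if it were re-wrapped.
    For the cross-archive replay described in this bug, the store must be
    shared by every archive the same upload processor serves.
    """
    seen_blobs: set[str] = field(default_factory=set)
    seen_source_versions: set[tuple[str, str]] = field(default_factory=set)

    def check(self, signed_text: str) -> tuple[bool, str]:
        digest = hashlib.sha256(signed_text.encode()).hexdigest()
        if digest in self.seen_blobs:
            return False, "replayed .changes: identical signed blob already accepted"
        fields = parse_changes(strip_clearsign(signed_text))
        for required in ("Source", "Version", "Distribution", "Files"):
            if required not in fields:
                return False, f"missing field {required}"
        source_version = (fields["Source"], fields["Version"])
        if source_version in self.seen_source_versions:
            return False, f"{fields['Source']} {fields['Version']} already accepted"
        self.seen_blobs.add(digest)
        self.seen_source_versions.add(source_version)
        return True, "accepted"


if __name__ == "__main__":
    gate = UploadGate()
    print(gate.check(SIGNED_CHANGES))  # first submission is accepted
    print(gate.check(SIGNED_CHANGES))  # verbatim replay is refused
    print(strip_clearsign(SIGNED_CHANGES))  # what a packages page may safely show
```

Keying the replay store on the digest of the whole signed blob is what makes the check archive-independent: the signature still verifies, the version may well be newer than what the primary archive holds, and only the fact that this exact signed request was processed before tells the two apart.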