Message-ID: <email address hidden>
Date: Fri, 23 Sep 2005 16:23:58 +0200
From: Pierre THIERRY <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: apt-cache doesn't differentiate sources that share protocol, host, release and archive name
Package: apt
Version: 0.5.28.6
Severity: serious
Tags: security
Justification: User can think he's installing Debian software when he's not
When multiple sources are used with APT that are hosted on the same host
with the same protocol, and also share combinations of release and
archive (e.g. etch/main), apt-cache policy shows their packages in an
identical form. That has led me to think that mplayer and transcode had
been accepted in Debian and to install a non-official package of ffmpeg,
because I had Christian Marillat's source in my sources.list.

Thus, any source on a server of an official Debian source that contains
packages without security fixes or with additional security holes, whose
version is higher than Debian official packages, will lead the user to an
unprotected situation, even if he is cautious of what packages he
installs, in terms of security.
pierre@bateleur:~$ apt-cache policy mplayer-k6
mplayer-k6:
  Installed: (none)
  Candidate: 1:1.0-pre7-0.0
  Version table:
     1:1.0-pre7cvs20050716-0.1 0
        500 ftp://ftp.nerim.net sid/main Packages
     1:1.0-pre7-0.0 0
        500 ftp://ftp.nerim.net sarge/main Packages
        990 ftp://ftp.nerim.net etch/main Packages
        100 /var/lib/dpkg/status
pierre@bateleur:~$ apt-cache policy ffmpeg
ffmpeg:
  Installed: 0.cvs20050918-4
  Candidate: 3:20050806-0.2
  Version table:
     3:20050806-0.2 0
        500 ftp://ftp.nerim.net sid/main Packages
     3:20050427-0sarge0.1 0
        500 ftp://ftp.nerim.net sarge/main Packages
 *** 0.cvs20050918-4 0
        500 ftp://ftp.nerim.net sid/main Packages
        100 /var/lib/dpkg/status
     0.cvs20050313-2 0
        500 ftp://ftp.nerim.net sarge/main Packages
        990 ftp://ftp.nerim.net etch/main Packages
-- Package-specific info:
-- apt-config dump --
APT "";
APT::Architecture "i386";
APT::Build-Essential "";
APT::Build-Essential:: "build-essential";
APT::Default-Release "testing";
Dir "/";
Dir::State "var/lib/apt/";
Dir::State::lists "lists/";
Dir::State::cdroms "cdroms.list";
Dir::State::userstatus "status.user";
Dir::State::status "/var/lib/dpkg/status";
Dir::Cache "var/cache/apt/";
Dir::Cache::archives "archives/";
Dir::Cache::srcpkgcache "srcpkgcache.bin";
Dir::Cache::pkgcache "pkgcache.bin";
Dir::Etc "etc/apt/";
Dir::Etc::sourcelist "sources.list";
Dir::Etc::vendorlist "vendors.list";
Dir::Etc::vendorparts "vendors.list.d";
Dir::Etc::main "apt.conf";
Dir::Etc::parts "apt.conf.d";
Dir::Etc::preferences "preferences";
Dir::Bin "";
Dir::Bin::methods "/usr/lib/apt/methods";
Dir::Bin::dpkg "/usr/bin/dpkg";
DPkg "";
DPkg::Pre-Install-Pkgs "";
DPkg::Pre-Install-Pkgs:: "if dpkg -s apt-listbugs | grep -q '^Status: .* ok installed'; then /usr/sbin/apt-listbugs apt || ( test $? -ne 10 || exit 10 ; echo 'Warning: apt-listbugs exited abnormally, hit enter key to continue.' 1>&2 ; read a < /dev/tty ); fi";
DPkg::Pre-Install-Pkgs:: "/usr/sbin/dpkg-preconfigure --apt || true";
DPkg::Pre-Invoke "";
DPkg::Pre-Invoke:: "mount -o remount,rw /usr";
DPkg::Post-Invoke "";
DPkg::Post-Invoke:: "mount -o remount,ro /usr";
DPkg::Post-Invoke:: "if [ -x /usr/bin/debsums ]; then /usr/bin/debsums --generate=nocheck -sp /var/cache/apt/archives; fi";
DPkg::Post-Invoke:: "/usr/sbin/update-dpsyco || true";
DPkg::Post-Invoke:: "test -f /var/run/zope.restart && invoke-rc.d zope restart ; rm -f /var/run/zope.restart";
-- (no /etc/apt/preferences present) --
-- /etc/apt/sources.list --
deb file:/var/cache/apt-build/repository apt-build main
deb ftp://ftp.nerim.net/debian/ sarge main contrib
deb-src ftp://ftp.nerim.net/debian/ sarge main contrib
deb ftp://ftp.nerim.net/debian/ etch main contrib
deb-src ftp://ftp.nerim.net/debian/ etch main contrib
deb ftp://ftp.nerim.net/debian/ sid main contrib
deb-src ftp://ftp.nerim.net/debian/ sid main contrib
#deb ftp://ftp.nerim.net/debian/../project/experimental main
#deb-src ftp://ftp.nerim.net/debian/../project/experimental main
deb http://security.debian.org/ stable/updates main
deb http://security.debian.org/ testing/updates main
deb ftp://ftp.nerim.net/debian-marillat/ sarge main
deb ftp://ftp.nerim.net/debian-marillat/ etch main
deb ftp://ftp.nerim.net/debian-marillat/ sid main
-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.8-2-k7
Locale: LANG=fr_FR@euro, LC_CTYPE=fr_FR@euro (charmap=ISO-8859-15)
Versions of packages apt depends on:
ii  libc6        2.3.5-6    GNU C Library: Shared libraries an
ii  libgcc1      1:4.0.1-2  GCC support library
ii  libstdc++5   1:3.3.6-7  The GNU Standard C++ Library v3
apt recommends no packages.
-- no debconf information
-- 
<email address hidden>
OpenPGP 0xD9D50D8A