Comment 1 for bug 22354

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Fri, 23 Sep 2005 16:23:58 +0200
From: Pierre THIERRY <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: apt-cache doesn't differentiate sources that share protocol, host, release and archive name


Package: apt
Version: 0.5.28.6
Severity: serious
Tags: security
Justification: User can think he's installing Debian software when he's not

When multiple sources are used with APT that are hosted on the same host
with the same protocol, and also share combinations of release and
archive (e.g. etch/main), apt-cache policy shows their packages in an
identical form. That has led me to think that mplayer and transcode had
been accepted in Debian and install a non-official package of ffmpeg,
because I had Christian Marillat's source in my sources.list.

Thus, any source on a server of an official Debian source that contains
packages without security fixes or with additional security holes, whose
version is higher than Debian official packages, will lead the user to an
unprotected situation, even if he is cautious of what packages he
installs, in terms of security.

pierre@bateleur:~$ apt-cache policy mplayer-k6
mplayer-k6:
  Installé : (aucun)
  Candidat : 1:1.0-pre7-0.0
 Table de version :
     1:1.0-pre7cvs20050716-0.1 0
        500 ftp://ftp.nerim.net sid/main Packages
     1:1.0-pre7-0.0 0
        500 ftp://ftp.nerim.net sarge/main Packages
        990 ftp://ftp.nerim.net etch/main Packages
        100 /var/lib/dpkg/status

pierre@bateleur:~$ apt-cache policy ffmpeg
ffmpeg:
  Installé : 0.cvs20050918-4
  Candidat : 3:20050806-0.2
 Table de version :
     3:20050806-0.2 0
        500 ftp://ftp.nerim.net sid/main Packages
     3:20050427-0sarge0.1 0
        500 ftp://ftp.nerim.net sarge/main Packages
 *** 0.cvs20050918-4 0
        500 ftp://ftp.nerim.net sid/main Packages
        100 /var/lib/dpkg/status
     0.cvs20050313-2 0
        500 ftp://ftp.nerim.net sarge/main Packages
        990 ftp://ftp.nerim.net etch/main Packages

-- Package-specific info:

-- apt-config dump --

APT "";
APT::Architecture "i386";
APT::Build-Essential "";
APT::Build-Essential:: "build-essential";
APT::Default-Release "testing";
Dir "/";
Dir::State "var/lib/apt/";
Dir::State::lists "lists/";
Dir::State::cdroms "cdroms.list";
Dir::State::userstatus "status.user";
Dir::State::status "/var/lib/dpkg/status";
Dir::Cache "var/cache/apt/";
Dir::Cache::archives "archives/";
Dir::Cache::srcpkgcache "srcpkgcache.bin";
Dir::Cache::pkgcache "pkgcache.bin";
Dir::Etc "etc/apt/";
Dir::Etc::sourcelist "sources.list";
Dir::Etc::vendorlist "vendors.list";
Dir::Etc::vendorparts "vendors.list.d";
Dir::Etc::main "apt.conf";
Dir::Etc::parts "apt.conf.d";
Dir::Etc::preferences "preferences";
Dir::Bin "";
Dir::Bin::methods "/usr/lib/apt/methods";
Dir::Bin::dpkg "/usr/bin/dpkg";
DPkg "";
DPkg::Pre-Install-Pkgs "";
DPkg::Pre-Install-Pkgs:: "if dpkg -s apt-listbugs | grep -q '^Status: .* ok installed'; then /usr/sbin/apt-listbugs apt || ( test $? -ne 10 || exit 10; echo 'Warning: apt-listbugs exited abnormally, hit enter key to continue.' 1>&2 ; read a < /dev/tty ); fi";
DPkg::Pre-Install-Pkgs:: "/usr/sbin/dpkg-preconfigure --apt || true";
DPkg::Pre-Invoke "";
DPkg::Pre-Invoke:: "mount -o remount,rw /usr";
DPkg::Post-Invoke "";
DPkg::Post-Invoke:: "mount -o remount,ro /usr";
DPkg::Post-Invoke:: "if [ -x /usr/bin/debsums ]; then /usr/bin/debsums --generate=nocheck -sp /var/cache/apt/archives; fi";
DPkg::Post-Invoke:: "/usr/sbin/update-dpsyco || true";
DPkg::Post-Invoke:: "test -f /var/run/zope.restart && invoke-rc.d zope restart ; rm -f /var/run/zope.restart";

-- (no /etc/apt/preferences present) --

-- /etc/apt/sources.list --

deb file:/var/cache/apt-build/repository apt-build main

deb ftp://ftp.nerim.net/debian/ sarge main contrib
deb-src ftp://ftp.nerim.net/debian/ sarge main contrib

deb ftp://ftp.nerim.net/debian/ etch main contrib
deb-src ftp://ftp.nerim.net/debian/ etch main contrib

deb ftp://ftp.nerim.net/debian/ sid main contrib
deb-src ftp://ftp.nerim.net/debian/ sid main contrib

#deb ftp://ftp.nerim.net/debian/ ../project/experimental main
#deb-src ftp://ftp.nerim.net/debian/ ../project/experimental main

deb http://security.debian.org/ stable/updates main
deb http://security.debian.org/ testing/updates main

deb ftp://ftp.nerim.net/debian-marillat/ sarge main
deb ftp://ftp.nerim.net/debian-marillat/ etch main
deb ftp://ftp.nerim.net/debian-marillat/ sid main

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.8-2-k7
Locale: LANG=fr_FR@euro, LC_CTYPE=fr_FR@euro (charmap=ISO-8859-15)

Versions of packages apt depends on:
ii libc6 2.3.5-6 GNU C Library: Shared libraries an
ii libgcc1 1:4.0.1-2 GCC support library
ii libstdc++5 1:3.3.6-7 The GNU Standard C++ Library v3

apt recommends no packages.

-- no debconf information

-- 
<email address hidden>
OpenPGP 0xD9D50D8A

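Added example, not part of the bug report or of apt itself: a small Python checker that reads a sources.list and flags entries that the `apt-cache policy` version table would display identically, i.e. archives that share scheme, host, suite and component but live under different paths on the server (here `/debian/` and `/debian-marillat/`). It uses the report's own sources.list as constructed sample input; the function names and the `policy_display_key` approximation of apt's "scheme://host suite/component" origin column (derived from the output quoted in the report) are my own assumptions.

```python
"""Flag sources.list entries that `apt-cache policy` would display identically.

Added example, not part of the bug report or of apt. The version table
printed by apt-cache policy identifies an archive as
"scheme://host suite/component" and drops the path part of the URI, so two
archives on the same host that share suite and component become
indistinguishable. This script finds such collisions ahead of time.
"""
import sys
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample input: the sources.list attached to the bug report.
SAMPLE_SOURCES_LIST = """\
deb file:/var/cache/apt-build/repository apt-build main

deb ftp://ftp.nerim.net/debian/ sarge main contrib
deb-src ftp://ftp.nerim.net/debian/ sarge main contrib

deb ftp://ftp.nerim.net/debian/ etch main contrib
deb-src ftp://ftp.nerim.net/debian/ etch main contrib

deb ftp://ftp.nerim.net/debian/ sid main contrib
deb-src ftp://ftp.nerim.net/debian/ sid main contrib

#deb ftp://ftp.nerim.net/debian/ ../project/experimental main
#deb-src ftp://ftp.nerim.net/debian/ ../project/experimental main

deb http://security.debian.org/ stable/updates main
deb http://security.debian.org/ testing/updates main

deb ftp://ftp.nerim.net/debian-marillat/ sarge main
deb ftp://ftp.nerim.net/debian-marillat/ etch main
deb ftp://ftp.nerim.net/debian-marillat/ sid main
"""


def parse_sources_list(text):
    """Return (type, uri, suite, component) tuples for each active deb/deb-src
    line, one tuple per component. Comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("deb", "deb-src"):
            continue
        typ, uri, suite = fields[0], fields[1], fields[2]
        # A suite written as a path ending in "/" (e.g. "./") carries no components.
        for comp in fields[3:] or [""]:
            entries.append((typ, uri, suite, comp))
    return entries


def policy_display_key(uri, suite, comp):
    """Approximation (my assumption, modelled on the output quoted in the report)
    of the origin column apt-cache policy prints: scheme://host suite/component.
    The URI path is not part of it, which is exactly the problem reported."""
    parts = urlsplit(uri)
    site = f"{parts.scheme}://{parts.netloc}" if parts.netloc else uri.rstrip("/")
    return f"{site} {suite}/{comp}" if comp else f"{site} {suite}"


def find_ambiguous_sources(text, typ="deb"):
    """Map every display key shared by more than one archive to the sorted list
    of distinct URI paths hiding behind it."""
    paths_by_key = defaultdict(set)
    for t, uri, suite, comp in parse_sources_list(text):
        if t == typ:
            paths_by_key[policy_display_key(uri, suite, comp)].add(urlsplit(uri).path)
    return {key: sorted(paths) for key, paths in paths_by_key.items() if len(paths) > 1}


def report(text):
    """One human-readable warning line per ambiguous display key."""
    return [f"WARNING: '{key}' covers {len(paths)} archives: {', '.join(paths)}"
            for key, paths in sorted(find_ambiguous_sources(text).items())]


if __name__ == "__main__":
    # Check a real file when one is given, otherwise the constructed sample.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SOURCES_LIST
    for line in report(source) or ["no ambiguous sources found"]:
        print(line)
```

Run as `python3 check_sources.py /etc/apt/sources.list`; on the report's configuration it prints three warnings, one each for `ftp://ftp.nerim.net etch/main`, `sarge/main` and `sid/main`, showing that packages from `/debian-marillat/` would appear under the same origin line as official packages from `/debian/` in the `apt-cache policy` output quoted above.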