~xnox/ubuntu/+source/linux-snap/+git/bionic:master

Last commit made on 2019-08-06
Get this branch:
git clone -b master https://git.launchpad.net/~xnox/ubuntu/+source/linux-snap/+git/bionic

Recent commits

d26734a... by Dimitri John Ledkov

Pin any PPAs to the same priority as -updates.

PPAs only have "release" pocket, and do not have -updates, thus at the
moment they get pinned down lower than -updates. Normally, the
snappy-dev/image ppa should be treated on the same priority as
-updates.

Signed-off-by: Dimitri John Ledkov <email address hidden>

c701aea... by Dimitri John Ledkov

sigh

06de5e9... by Dimitri John Ledkov

copy all keys

edd1f89... by Paolo Pisati

Initrd modules: fbdev/hdmi out support for psplash

BugLink: https://launchpad.net/bugs/1837209

Signed-off-by: Paolo Pisati <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Acked-by: Brad Figg <email address hidden>

b73543e... by Stefan Bader

Run one update after debootstrap

To add the key we need to install gnupg but we cannot do that
after copying in the external sources.list (which contains the
other archive already). So do one unmodified update run.

Signed-off-by: Stefan Bader <email address hidden>

7f24249... by Stefan Bader

Fix build with snap source already there

Inject the snap key as soon as possible.

Signed-off-by: Stefan Bader <email address hidden>

ea01634... by Tyler Hicks

Use authenticated repositories and packages

BugLink: https://launchpad.net/bugs/1836041

Ensure that all of the additionally configured repositories and
installed packages needed to construct a kernel snap are authenticated
by apt.

The Makefile improperly used the --allow-insecure-repositories and
--allow-unauthenticated apt options when setting up the build chroot. An
attacker with control over the network between the build machine and the
Ubuntu archive or the snappy-dev/image PPA could use this to perform a
man-in-the-middle attack to install malicious packages in the build
chroot.

Such an attack is unlikely for the official Ubuntu kernel snap builds
since the Launchpad buildd infrastructure and the network communication
with the Ubuntu archive and Launchpad PPAs are tightly controlled.
However, end-users may use this Makefile to build their own kernel snaps
and have no guarantees about the communication with the archive or PPAs.

Store a copy of the snappy-dev/image PPA's public signing key alongside
the Makefile so that the public signing key can be added to apt as part
of the build process. Finally, remove all uses of
--allow-insecure-repositories and --allow-unauthenticated when invoking
apt commands.

CVE-2019-11480

Signed-off-by: Tyler Hicks <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Acked-by: Andy Whitcroft <email address hidden>
Signed-off-by: Stefan Bader <email address hidden>
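
A check for the class of problem this commit describes, as an added example that is not part of the commit or of the project's Makefile: it scans a build file for apt settings that turn off repository or package authentication. The two option names from the commit message are real apt options, as are the extra settings listed with them; the function names, sample fragments and the ppa.example.invalid host are constructed for illustration.

```shell
#!/bin/sh
# Added example: find apt settings that switch off repository or package
# authentication. The first two options are the ones named in the commit
# message; the rest are other apt settings with the same effect.
INSECURE_APT_RE='--allow-insecure-repositories|--allow-unauthenticated'
INSECURE_APT_RE="$INSECURE_APT_RE|--allow-downgrade-to-insecure-repositories"
INSECURE_APT_RE="$INSECURE_APT_RE|AllowInsecureRepositories|AllowUnauthenticated|trusted=yes"

# Print "file:line:text" for each non-comment line using such a setting.
# Returns 1 if anything was found, 0 if the file is clean.
scan_apt_auth() {
    findings=$(grep -nE -e "$INSECURE_APT_RE" "$1" \
        | grep -vE '^[0-9]+:[[:space:]]*#' || true)
    [ -n "$findings" ] || return 0
    printf '%s\n' "$findings" | sed "s|^|$1:|"
    return 1
}

# Number of findings in a file (0 when clean).
count_apt_auth_findings() {
    scan_apt_auth "$1" | grep -c . || true
}

# Constructed build fragment (hypothetical, not the project's Makefile).
write_weak_sample() {
    cat > "$1" <<'EOF'
prepare-chroot:
	apt-get --allow-insecure-repositories update
	apt-get -y --allow-unauthenticated install gnupg
	# apt-get --allow-unauthenticated install leftover
	echo "deb [trusted=yes] http://ppa.example.invalid/ubuntu bionic main" >> sources.list
EOF
}

# Same fragment with authentication left on (constructed).
write_fixed_sample() {
    cat > "$1" <<'EOF'
prepare-chroot:
	apt-get update
	apt-get -y install gnupg
	echo "deb http://ppa.example.invalid/ubuntu bionic main" >> sources.list
EOF
}

tmp=$(mktemp -d)
write_weak_sample "$tmp/weak.mk"; write_fixed_sample "$tmp/fixed.mk"
scan_apt_auth "$tmp/weak.mk" || echo "weak.mk: authentication disabled"
scan_apt_auth "$tmp/fixed.mk" && echo "fixed.mk: clean"
rm -rf "$tmp"
```

Because scan_apt_auth returns non-zero on any finding, it can gate a CI job or pre-commit hook for build scripts that set up chroots.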

bf65d87... by Paolo Pisati

deb to snap: enable arm64 for linux-pc-image

Signed-off-by: Paolo Pisati <email address hidden>

a19c827... by Paolo Pisati

deb to snap: enable armhf for linux-pc-image

Signed-off-by: Paolo Pisati <email address hidden>

ce46037... by Stefan Bader

Undo changes to avoid second apt update

We were missing the one line which adds another source
in all cases.

Signed-off-by: Stefan Bader <email address hidden>