LinuxQuestions.org
Slackware This Forum is for the discussion of Slackware Linux.
Old 12-27-2015, 01:27 AM   #346
zerouno
The changelog.txt is always downloaded. It will never be cached. All other files in tds.net will be cached.
 
Old 12-27-2015, 10:56 AM   #347
zerouno
I found a security bug in slackpkg/slackpkg+, but I'm not sure if I want/can/should/must fix it.

slackpkg+ is also used for ConnochaetOS.

It is not a problem in itself, but the repository also contains a MODIFIED mirror of slackware-14.1 where the author has added some metadata (a deps file).
Then he has added his own GPG-KEY to sign the CHECKSUMS.md5:
Code:
pub   4096R/132DCE57 2015-04-13 [expires: 2025-04-10]
uid                  Henry Jensen <hjensen@connochaetos.org>
Code:
$ gpg --import GPG-KEY
gpg: keyring `/home/casa/.gnupg/secring.gpg' created
gpg: key 132DCE57: public key "Henry Jensen <hjensen@connochaetos.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
$ gpg --verify CHECKSUMS.md5.asc.1 CHECKSUMS.md5.5    
gpg: Signature made Sun Dec 27 04:40:40 2015 CET using RSA key ID 132DCE57
gpg: Good signature from "Henry Jensen <hjensen@connochaetos.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 5C85 5D80 250F DFE7 DC00  0DCB 5086 928C 132D CE57
But the packages are slackware original packages signed with the original signature:
Code:
$ wget https://connochaetos.org/slack-n-free/salix/i486/slackware-14.1/slackware/a/aaa_base-14.1-i486-1.txz
$ wget https://connochaetos.org/slack-n-free/salix/i486/slackware-14.1/slackware/a/aaa_base-14.1-i486-1.txz.asc
$ gpg --verify aaa_base-14.1-i486-1.txz.asc aaa_base-14.1-i486-1.txz
gpg: Signature made Tue Oct 15 00:17:37 2013 CEST using DSA key ID 40102233
gpg: Good signature from "Slackware Linux Project <security@slackware.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: EC56 49DA 401E 22AB FA67  36EF 6A44 63C0 4010 2233
So in the repository there are .asc files not signed with the main GPG-KEY.
This is the first security bug: gpg --verify checks the signature file against all trusted keys.
I expect to see only ConnochaetOS packages in the slack-n-free repository; instead I also see slackware packages (but I might also find alienbob/slacky/other packages, copied from the original repositories).
Or slackpkg install should tell the user something about authenticity (the subject of the key that signed the file) instead of only about integrity.


Also, in the example config file the author suggests adding this repository to /etc/slackpkg/mirrors.
Now when I run slackpkg update gpg, it does not import the slackware gpg-key, so the installation/upgrade of slackware packages from that fake slackware repository will fail.

This is a functional bug AND the second (and I think the major) security bug, i.e. I can put in /etc/slackpkg/mirrors a mirror of slackware not signed with the original slackware signature.
When you start slackpkg, it verifies that the official slackware key is imported into the gnupg db:
Code:
  SLACKKEY=${SLACKKEY:-"Slackware Linux Project <security@slackware.com>"}
[...]
        GPGFIRSTTIME="$(gpg --list-keys \"$SLACKKEY\" 2>/dev/null \
                        | grep -c "$SLACKKEY")"
but it does not verify that files are signed with that key:
Code:
function checkgpg() {
        gpg --verify ${1}.asc ${1} 2>/dev/null && echo "1" || echo "0"
}
nor does slackpkg+.

It is not a big security bug because even if a package is signed with a different key, that key was still trusted in the user's gnupg store.
In effect the question is not "how to fix?" but "do we need to fix?".

A fix could break some repository.

Note that ConnochaetOS is a SalixOS-based distribution.
Salix is based on the slapt-get package tool to manage dependencies, so it NEEDS a slackware repository with deps metadata.
The Salix official repository signs just the CHECKSUMS.md5 with the GPG-KEY; the packages themselves are not signed (so you need to install them with slackpkg -checkgpg=off).

Any suggestions?
 
Old 12-27-2015, 03:26 PM   #348
Alien Bob
Slackware Contributor
Slackpkg was not created with multiple 3rd party support in mind, so the checkgpg function is pretty basic and seems to assume that slackpkg will only install Slackware packages and therefore a check against a specific GPG key is not needed.
However, slackpkg was also written to be extensible. Which is why you were able to write your slackpkg+ extension.

I think that the checkgpg() function needs to be re-implemented (extended) as part of slackpkg+; the function should do a "gpg --verify" against the GPG key of the repository from which you are installing the package, and installation of the package should be aborted if the GPG check fails for the package.

This implies that all packages in a single repository need to be signed with a single GPG key.

ConnochaetOS apparently contains a mix of packages from Slackware, Salix and ConnochaetOS? That is not a good idea. The solution would be to offer multiple sub-repositories, each containing packages that have been signed with just a single GPG key.

Also, it would be good if any URL that gets added to the official "/etc/slackpkg/mirrors" file, contains ONLY packages signed with the Slackware GPG key. There must be no room for 3rd party repositories in the official "mirrors" file. This is to protect people against carelessness. If it would ever happen that a bogus Slackware repository with infected packages finds its way into the "mirrors" file and those packages get installed, we are screwed.

I think this extension to the checkgpg() function should be submitted back as a fix to slackpkg as well, because at this moment it gives a false sense of security.
 
Old 12-27-2015, 07:01 PM   #349
zerouno
Quote:
I think this extension to the checkgpg() function should be submitted back as a fix to slackpkg as well, because at this moment it gives a false sense of security.
For slackpkg this should be sufficient:
Code:
--- /usr/libexec/slackpkg/core-functions.sh     2015-12-16 08:01:12.000000000 +0100
+++ core-functions.sh   2015-12-28 01:31:18.760625970 +0100
@@ -508,7 +508,7 @@
 # Verify the GPG signature of files/packages
 #
 function checkgpg() {
-       gpg --verify ${1}.asc ${1} 2>/dev/null && echo "1" || echo "0"
+       gpg --verify ${1}.asc ${1} 2>&1|grep -q "Good signature from \"$SLACKKEY\"" && echo "1" || echo "0"
 }
 
 # Found packages in repository.
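Review bot: matching gpg's human-readable output against the key's user ID in the `+` line is not a pin: a key with the user ID "Slackware Linux Project <security@slackware.com>" can be generated by anyone (as the post itself says right after this hunk), the "Good signature from" text is localized so the grep fails under a non-English LANG, and `2>&1|grep -q` discards gpg's own exit status, so an .asc carrying one good Slackware signature and one bad signature still yields "1". Suggest `gpg --status-fd 1 --verify ${1}.asc ${1} 2>/dev/null` and a fixed-string match (`grep -qF`) on the full fingerprint in the `[GNUPG:] VALIDSIG` status line, which is also the stable form of the fingerprint check proposed below; `-F` matters because the `.` in $SLACKKEY is a regex metacharacter in the current grep.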
That checks the subject of the key.
But it may be safer to check the fingerprint:
Code:
gpg --verify ${1}.asc ${1} 2>&1|grep -q "EC56 49DA 401E 22AB FA67  36EF 6A44 63C0 4010 2233" && echo "1" || echo "0"
because I can generate a gpg key with the same subject as the slackware key.
Note that this fingerprint is valid up to the year 2038.

Quote:
The ConnochaetOS apparently contains a mix of packages, from Slackware, Salix and from ConnochaetOS? That is not a good idea. The solution would be to offer multiple sub-repositories, each containing packages that have been signed with just a single GPG key.
No, ConnochaetOS contains 3 repositories:
https://connochaetos.org/slack-n-free/slack-n-free-14.1 -> contains ConnochaetOS-specific packages, all signed with the ConnochaetOS key
https://connochaetos.org/slack-n-free/salix/i486/14.1 -> contains a modified copy of the salix repository; salix does not sign every single package, so here the only signed files are signed with the ConnochaetOS key
https://connochaetos.org/slack-n-fre...slackware-14.1 -> contains a modified copy of the slackware repository; here all packages are signed with the official slackware key, but the CHECKSUMS.md5 is signed with the ConnochaetOS key.

Last edited by zerouno; 12-27-2015 at 07:06 PM.
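As an added example (not code from slackpkg, slackpkg+ or anyone in this thread), here is the pinned check in the shape of slackpkg's checkgpg(), using gpg's machine-readable --status-fd channel instead of grepping the localized "Good signature from" text. The VALIDSIG status line carries the full fingerprint of the signing key and, in its last field, of its primary key, so a key that merely copies the Slackware user ID cannot match; the expected fingerprint is a parameter, so a SlackwareARM install would pin its own key. The fingerprint value is the one printed earlier in this thread; the status lines in the sample_status_* functions are constructed, not captured from a real gpg run, so the parser can be exercised without gpg or any keyring.

```bash
#!/bin/bash
# Primary-key fingerprint of the Slackware signing key as printed by gpg in
# this thread, spaces removed. SlackwareARM would pin its own key instead.
SLACKKEY_FPR="EC5649DA401E22ABFA6736EF6A4463C040102233"

# sig_made_by EXPECTED_FPR
# Reads GnuPG --status-fd lines on stdin. Succeeds only if a VALIDSIG line
# (emitted only for a cryptographically good signature) names EXPECTED_FPR
# as the signing key, or in its last field as that key's primary key.
# GOODSIG carries only a short key ID plus the forgeable user ID: ignored.
sig_made_by() {
  local expected="$1" tag keyword fpr rest primary
  while read -r tag keyword fpr rest; do
    [ "$tag" = "[GNUPG:]" ] || continue
    [ "$keyword" = "VALIDSIG" ] || continue
    primary="${rest##* }"
    if [ "$fpr" = "$expected" ] || [ "$primary" = "$expected" ]; then
      return 0
    fi
  done
  return 1
}

# checkgpg_pinned FILE [EXPECTED_FPR]
# Same contract as slackpkg's checkgpg(): prints 1 on success, 0 otherwise.
# Human-readable gpg output goes to stderr and is discarded; the status
# channel is sent to stdout and parsed. --batch --no-tty stop gpg prompting.
checkgpg_pinned() {
  local file="$1" expected="${2:-$SLACKKEY_FPR}"
  if gpg --batch --no-tty --status-fd 1 --verify "${file}.asc" "$file" 2>/dev/null \
       | sig_made_by "$expected"; then
    echo 1
  else
    echo 0
  fi
}

# Constructed status output (not from a real run) for a signature made with
# the Slackware DSA key; VALIDSIG's last field is the primary fingerprint.
sample_status_slackware() {
  printf '%s\n' \
    '[GNUPG:] NEWSIG' \
    '[GNUPG:] GOODSIG 6A4463C040102233 Slackware Linux Project <security@slackware.com>' \
    '[GNUPG:] VALIDSIG EC5649DA401E22ABFA6736EF6A4463C040102233 2013-10-14 1381789057 0 4 0 17 2 00 EC5649DA401E22ABFA6736EF6A4463C040102233' \
    '[GNUPG:] TRUST_UNDEFINED 0 pgp'
}

# Constructed status output for a look-alike key carrying the same user ID
# but a different fingerprint: GOODSIG differs only in the key ID.
sample_status_lookalike() {
  printf '%s\n' \
    '[GNUPG:] NEWSIG' \
    '[GNUPG:] GOODSIG 0123456789ABCDEF Slackware Linux Project <security@slackware.com>' \
    '[GNUPG:] VALIDSIG 00112233445566778899AABB0123456789ABCDEF 2015-12-27 1451191240 0 4 0 1 8 00 00112233445566778899AABB0123456789ABCDEF' \
    '[GNUPG:] TRUST_UNDEFINED 0 pgp'
}

# Constructed status output for a tampered file: no VALIDSIG line at all.
sample_status_badsig() {
  printf '%s\n' \
    '[GNUPG:] NEWSIG' \
    '[GNUPG:] BADSIG 6A4463C040102233 Slackware Linux Project <security@slackware.com>'
}

# Demo that runs without gpg: feed the constructed status lines to the parser.
if sample_status_slackware | sig_made_by "$SLACKKEY_FPR"; then
  echo "slackware sample: accepted"
fi
if ! sample_status_lookalike | sig_made_by "$SLACKKEY_FPR"; then
  echo "look-alike sample: rejected"
fi
```

Dropped into core-functions.sh in place of checkgpg(), only the gpg invocation and the `sig_made_by "$SLACKKEY_FPR"` pipe are needed; per-repository pinning is a matter of passing a different expected fingerprint for files that came from a different repository.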
 
Old 12-28-2015, 06:40 PM   #350
bamunds
Never mind, nothing to see here, just move along.

Last edited by bamunds; 12-28-2015 at 06:57 PM. Reason: Operator Error
 
Old 12-29-2015, 04:27 AM   #351
lems
Quote:
Originally Posted by zerouno View Post
But more sure may be to check the fingerprint:
Code:
gpg --verify ${1}.asc ${1} 2>&1|grep -q "EC56 49DA 401E 22AB FA67  36EF 6A44 63C0 4010 2233" && echo "1" || echo "0"
because I can generate a gpg key with the same subject as the slackware key.
Note that this fingerprint is valid up to the year 2038.
Keep in mind that SlackwareARM uses a different key.
 
Old 12-29-2015, 04:34 AM   #352
zerouno
Yes, it was a draft to give an idea.
 
Old 12-29-2015, 09:59 AM   #353
phenixia2003
Hello,

Quote:
Originally Posted by Alien Bob View Post
I think that the checkgpg() function needs to be re-implemented (extended) as part of slackpkg+; the function should do a "gpg --verify" against the GPG key of the repository from which you are installing the package, and installation of the package should be aborted if the GPG check fails for the package.

This implies that all packages in a single repository need to be signed with a single GPG key.
Here is a (beta) patch which implements that:

Code:
--- slackpkgplus.sh.orig	2015-12-29 16:49:57.066470655 +0100
+++ slackpkgplus.sh	2015-12-29 17:03:13.715506202 +0100
@@ -286,6 +286,7 @@
         fi
         if [ $? -eq 0 ];then
           gpg --import $2-tmp
+	  gpg --output "${WORKDIR}/${PREPO}-GPG-KEY.gpg" --dearmor $2-tmp
         else
           echo
           echo "                   !!! W A R N I N G !!!"
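Review bot: the new `--dearmor` line never overwrites an existing keyring: gpg prompts before replacing a `--output` target (and in `--batch` gives up), so from the second `slackpkg update gpg` on, `${PREPO}-GPG-KEY.gpg` keeps the first key ever fetched and a rotated repository key is silently ignored. Delete the file first (`rm -f "${WORKDIR}/${PREPO}-GPG-KEY.gpg"`) or pass `--yes`, and test the exit status, because a missing or stale keyring decides what the second hunk does for that repository.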
@@ -309,7 +310,17 @@
       return
     fi
     if [ -e "${1}.asc" ];then
-      gpg --verify ${1}.asc ${1} 2>/dev/null && echo "1" || echo "0"
+
+      PKGNAME=$(basename ${1})
+      REPO=$(grep -m 1 " ${PKGNAME%.*} " ${TMPDIR}/pkglist | cut -f1 -d" " | sed "s/SLACKPKGPLUS_//")
+
+      if [ ! -z "$REPO" ] && [ -e "${WORKDIR}/${REPO}-GPG-KEY.gpg" ] ; then
+        gpg 	--no-default-keyring \
+      		--keyring ${WORKDIR}/${REPO}-GPG-KEY.gpg \
+      		--verify ${1}.asc ${1} 2>/dev/null && echo "1" || echo "0"
+      else
+        gpg --verify ${1}.asc ${1} 2>/dev/null && echo "1" || echo "0"
+      fi
     else
       echo 1
     fi
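Review bot: the `else` branch in the second half of this hunk keeps the old behaviour (`gpg --verify` against every key in the default keyring) whenever $REPO is empty or no per-repository keyring exists, so the case this thread started from, a file whose repository cannot be mapped, is still accepted when signed by any imported key; `echo 0` there and point the user at `slackpkg update gpg`. The lookup feeding it is also weak: CHECKSUMS.md5 and CHECKSUMS.md5-* files are not in pkglist, so they always hit the fallback, and `grep -m 1 " ${PKGNAME%.*} "` returns the first repository listing that package name, which for a Slackware package mirrored by another repository (the ConnochaetOS case) need not be the repository the file was downloaded from; deriving $REPO from the download path under $TEMP avoids both.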
--
SeB
 
Old 12-29-2015, 04:49 PM   #354
zerouno
Thank you. I was writing a similar patch that writes keyids/repository to a file, then --verify does a grep on the output.
But your solution is better.
I'm testing it.

n.b.: I just committed in the devel branch.
No functionality touched, but I just re-sorted/re-indented the code and moved zdialogplus.sh into slackpkgplus.sh (so slackpkgplus is just one file).
Your patch works but with a 280-line offset.
 
Old 12-29-2015, 05:29 PM   #355
zerouno
Quote:
Originally Posted by zerouno View Post
n.b.: I just committed in the devel branch.
No functionality touched, but I just re-sorted/re-indented the code and moved zdialogplus.sh into slackpkgplus.sh (so slackpkgplus is just one file).
commit reverted!!
I'm sorry

[edit] ok, recommitted.

Last edited by zerouno; 12-29-2015 at 05:45 PM.
 
Old 12-30-2015, 01:32 PM   #356
zerouno
I added something to your patch. (needs more testing)


Code:
--- a/src/slackpkgplus.sh
+++ b/src/slackpkgplus.sh
@@ -551,6 +551,12 @@ if [ "$SLACKPKGPLUS" = "on" ];then
       done
     fi
     if [ $(basename $1) = "GPG-KEY" ];then
+      mkdir -p ${WORKDIR}/gpg
+      gpg $2
+      for PREPO in $(echo ${PRIORITY[*]}|sed 's/SLACKPKGPLUS_[^ ]*//g');do
+        rm -f "${WORKDIR}/gpg/GPG-KEY-${PREPO}.gpg"
+        gpg --output "${WORKDIR}/gpg/GPG-KEY-${PREPO}.gpg" --dearmor $2
+      done
       for PREPO in ${REPOPLUS[*]};do
         if [ "${PREPO:0:4}" = "dir:" ];then
           continue
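Review bot: the new loop copies whatever `$2` holds, the GPG-KEY fetched from the first entry in /etc/slackpkg/mirrors, into `GPG-KEY-${PREPO}.gpg` for every Slackware sub-repository without checking that it is the Slackware key, so a mirror that serves its own GPG-KEY becomes the trust anchor for `slackware`, `extra`, `patches` and the rest; that is the second bug raised in #347, and this is the place to compare the key's fingerprint (`gpg --with-fingerprint $2`) against the known Slackware fingerprint before dearmoring. Also `gpg $2` with no command only lists the key, and neither its exit status nor that of `--dearmor` is checked.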
@@ -562,10 +568,14 @@ if [ "$SLACKPKGPLUS" = "on" ];then
         elif echo $URLFILE |grep -q "^dir:/";then
           continue
         else
+          echo
           $DOWNLOADER $2-tmp ${MIRRORPLUS[${PREPO/SLACKPKGPLUS_}]}GPG-KEY
         fi
         if [ $? -eq 0 ];then
+          gpg $2-tmp
           gpg --import $2-tmp
+          rm -f "${WORKDIR}/gpg/GPG-KEY-${PREPO}.gpg"
+          gpg --output "${WORKDIR}/gpg/GPG-KEY-${PREPO}.gpg" --dearmor $2-tmp
         else
           echo
           echo "                   !!! W A R N I N G !!!"
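Review bot: `gpg --import $2-tmp` still imports every third-party repository key into the user's default keyring although the new checkgpg() no longer reads it; with per-repository keyrings in place the import can go, which also stops any other `gpg --verify` on the system from trusting those keys. The `rm -f` before `--dearmor` fixes the overwrite prompt, but a failed dearmor (empty or corrupt GPG-KEY) leaves no keyring and the later "No matching GPG-KEY" message will not explain why; check the exit status here and warn while the repository name is still at hand.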
@@ -577,6 +587,7 @@ if [ "$SLACKPKGPLUS" = "on" ];then
           sleep 5
         fi
         rm $2-tmp
+        echo
       done
     fi
   } # END function getfile()
@@ -584,12 +595,38 @@ if [ "$SLACKPKGPLUS" = "on" ];then
     # override slackpkg checkgpg()
     # new checkgpg() is used to check gpg and to merge the CHECKSUMS.md5 files
   function checkgpg() {
+    local FILENAME
+    local REPO
+
     if echo $1|egrep -q "/SLACKPKGPLUS_(file|dir|http|ftp|https)[0-9]";then
       echo 1
       return
     fi
     if [ -e "${1}.asc" ];then
-      gpg --verify ${1}.asc ${1} 2>/dev/null && echo "1" || echo "0"
+
+      FILENAME=$(basename ${1})
+      if [ "$FILENAME" == "CHECKSUMS.md5" ];then
+        REPO=slackware
+        [ -e "${WORKDIR}/gpg/GPG-KEY-slackware64.gpg" ]&&REPO=slackware64
+      elif [ ${FILENAME:0:13} == "CHECKSUMS.md5" ];then
+        REPO=$(echo $FILENAME|cut -f2 -d-|sed 's/\.gz$//')
+      else
+        #REPO=$(grep -m 1 " ${FILENAME.*} " ${TMPDIR}/pkglist | cut -f1 -d" " | sed "s/SLACKPKGPLUS_//")
+        REPO=$(echo $1|sed -r -e "s,^$TEMP,/," -e "s,/\./,/,g" -e "s,//,/,g" -e "s,^/,," -e "s,/.*$,," -e "s,SLACKPKGPLUS_,,")
+      fi
+
+      if [ ! -z "$REPO" ] && [ -e "${WORKDIR}/gpg/GPG-KEY-${REPO}.gpg" ] ; then
+        echo "Using GPG-KEY-${REPO}.gpg" >&2
+        gpg  --no-default-keyring \
+         --keyring ${WORKDIR}/gpg/GPG-KEY-${REPO}.gpg \
+         --verify ${1}.asc ${1} 2>/dev/null && echo "1" || echo "0"
+      else
+        echo "No matching GPG-KEY for repository '$REPO' checking $FILENAME" >&2
+        echo "Try to run 'slackpkg update gpg' or 'slackpkg -checkgpg=off $CMD ...'" >&2
+        echo "No matching GPG-KEY for repository '$REPO' checking $FILENAME" >>$TMPDIR/error.log
+        echo "Try to run 'slackpkg update gpg' or 'slackpkg -checkgpg=off $CMD ...'" >>$TMPDIR/error.log
+        echo 0
+      fi
     else
       echo 1
     fi
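Review bot: `REPO=$(echo $FILENAME|cut -f2 -d-|sed 's/\.gz$//')` truncates any repository name that itself contains a hyphen (CHECKSUMS.md5-slacky-extra.gz maps to `slacky`), after which the keyring lookup fails and the user is told there is no matching GPG-KEY for a repository that does have one; `REPO=${FILENAME#CHECKSUMS.md5-}; REPO=${REPO%.gz}` keeps the whole name. Failing closed in the `else` branch with `echo 0` is the right change from the previous patch. Two smaller points: `$TEMP` is substituted unescaped into `s,^$TEMP,/,`, so a path containing `,` or `&` breaks the sed, and the unchanged `else echo 1` at the end still passes a package that has no .asc at all, which deserves at least a warning now that `-checkgpg=off` is the documented route for unsigned repositories such as Salix.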
 
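The following is an added example, not the patch above or slackpkg+ code: a checkgpg() that selects a per-repository keyring as the patches in this thread do, with the file-to-repository mapping written as plain parameter expansion so that repository names containing a hyphen survive and a file that cannot be mapped fails closed instead of falling back to the default keyring. It assumes the layout the thread is converging on, one dearmored keyring per repository at $WORKDIR/gpg/GPG-KEY-<repo>.gpg, checksum files named CHECKSUMS.md5-<repo> with an optional .gz, and downloads under $TEMP/<repo>/... or $TEMP/SLACKPKGPLUS_<repo>/...; those names, the example repository names and the sample paths are assumptions, and nothing on the system is read except the keyring directory.

```bash
#!/bin/bash
# Paths assumed for this example: slackpkg's WORKDIR and TEMP, plus the gpg/
# subdirectory and keyring file names used by the patches in this thread.
WORKDIR="${WORKDIR:-/var/lib/slackpkg}"
TEMP="${TEMP:-/tmp/slackpkg}"

# repo_for_file PATH
# Prints the repository a downloaded file belongs to, or nothing if unknown:
#   CHECKSUMS.md5             -> slackware, or slackware64 if that keyring exists
#   CHECKSUMS.md5-<repo>[.gz] -> <repo>, hyphens inside <repo> preserved
#   $TEMP/[./]<repo>/...      -> <repo>
#   $TEMP/SLACKPKGPLUS_<repo>/... -> <repo>
repo_for_file() {
  local path="$1" name rel repo
  name="${path##*/}"
  case "$name" in
    CHECKSUMS.md5)
      repo=slackware
      [ -e "$WORKDIR/gpg/GPG-KEY-slackware64.gpg" ] && repo=slackware64
      ;;
    CHECKSUMS.md5-*)
      repo="${name#CHECKSUMS.md5-}"
      repo="${repo%.gz}"
      ;;
    *)
      rel="${path#"$TEMP"/}"   # unchanged if the file is not under $TEMP
      rel="${rel#./}"
      if [ "${rel#/}" != "$rel" ] || [ "${rel%%/*}" = "$rel" ]; then
        repo=""                # absolute path outside $TEMP, or no directory: unknown
      else
        repo="${rel%%/*}"
        repo="${repo#SLACKPKGPLUS_}"
      fi
      ;;
  esac
  printf '%s\n' "$repo"
}

# checkgpg_repo FILE
# Prints 1 if FILE.asc verifies against the keyring of the repository FILE
# came from, 0 otherwise. Every failure path prints 0: no .asc, unmapped
# repository, missing keyring, bad signature. The default keyring is never
# consulted, so keys imported for one repository cannot vouch for another.
checkgpg_repo() {
  local file="$1" repo keyring
  if [ ! -e "${file}.asc" ]; then
    echo "checkgpg: no signature file for ${file##*/}" >&2
    echo 0
    return
  fi
  repo="$(repo_for_file "$file")"
  keyring="$WORKDIR/gpg/GPG-KEY-${repo}.gpg"
  if [ -z "$repo" ] || [ ! -s "$keyring" ]; then
    echo "checkgpg: no keyring for repository '$repo' (checking ${file##*/})" >&2
    echo "checkgpg: run 'slackpkg update gpg', or use -checkgpg=off for unsigned repositories" >&2
    echo 0
    return
  fi
  if gpg --batch --no-tty --no-default-keyring --keyring "$keyring" \
         --verify "${file}.asc" "$file" >/dev/null 2>&1; then
    echo 1
  else
    echo 0
  fi
}

# Demo of the mapping alone; the sample paths are constructed, so this runs
# without gpg and without any keyring present.
for f in "$TEMP/./slackware/a/aaa_base-14.1-i486-1.txz" \
         "$TEMP/SLACKPKGPLUS_alienbob/pkg/foo-1.0-x86_64-1alien.txz" \
         "$TEMP/CHECKSUMS.md5-slacky-extra.gz"; do
  printf '%s -> %s\n' "${f##*/}" "$(repo_for_file "$f")"
done
```

Unlike the original checkgpg(), a file with no .asc prints 0 rather than 1; users of repositories that do not sign packages (Salix, as noted earlier) keep using -checkgpg=off, and everyone else gets a check that cannot be satisfied by an unsigned file.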
Old 12-30-2015, 03:24 PM   #357
zerouno
I made an additional tool (currently not dependent on slackpkg+) to generate a CHECKSUMS.md5.log every time you run slackpkg update

Code:
Wed Dec 30 22:11:28 CET 2015
----------------------------------
Removed: 3b3d33618da6f78fec64e9c7b177d443  ./SLACKPKGPLUS_slackpkgplus/pkg/slackpkg+-1.6.1-noarch-4mt.txz
Added: 29f994f3d4d259887763085b4312d35f  ./SLACKPKGPLUS_slackpkgplus/pkg/slackpkg+-1.6.1-noarch-5mt.txz
Removed: 6a60411afa4089456522dffa75ceed3d  ./slackware/a/aaa_elflibs-14.1-i486-2.txz
Added: 02e2ccc09e98a0b60d5a6cc2b5325ecd  ./slackware/a/aaa_elflibs-14.1-i486-3.txz
==================================
Wed Dec 30 22:09:45 CET 2015
----------------------------------
Added: 6a60411afa4089456522dffa75ceed3d  ./SLACKPKGPLUS_slackpkgplus/pkg/slackpkg+-1.6.1-noarch-4mt.txz
Added: 0756b78efce72f71762a22dc44662623  ./extra/aspell-word-lists/aspell-af-0.50_0-noarch-4.txz
Added: dcb73b357132fa41ca9713ce733cd46e  ./extra/aspell-word-lists/aspell-am-0.03_1-noarch-4.txz
Added: ac5a793ea0daa521d39b50bfc5898348  ./extra/aspell-word-lists/aspell-az-0.02_0-noarch-4.txz
Added: 8c2bdaaa211e967904b28031250e541c  ./extra/aspell-word-lists/aspell-be-0.01-noarch-4.txz
...
...
it is very, very embryonic


put it in /usr/libexec/slackpkg/functions.d/zchangelog.sh
Code:
# Keep a copy of slackpkg's cleanup() as cleanup_orig: $_ holds the last
# argument of the previous command, i.e. the text of the function definition.
test -n "$(declare -f cleanup)" || return
eval "${_/cleanup/cleanup_orig}"

function cleanup(){
  if [ "$CMD" == "update" ];then
    # First run: create the baseline so the comparison below has something to diff.
    if [ ! -e "$WORKDIR/CHECKSUMS.md5.copy" ];then
      touch $WORKDIR/CHECKSUMS.md5.copy
      touch $WORKDIR/CHECKSUMS.md5.log
      touch $WORKDIR/CHECKSUMS.md5
    fi
    # Only log when this update actually fetched a newer CHECKSUMS.md5.
    if [ $WORKDIR/CHECKSUMS.md5 -nt $WORKDIR/CHECKSUMS.md5.copy ];then
      mv $WORKDIR/CHECKSUMS.md5.log $WORKDIR/CHECKSUMS.md5.log.old
      # Keep only package lines, sorted by path so diff pairs old and new entries.
      grep "\.t.z$" $WORKDIR/CHECKSUMS.md5 |sort -k2 >$WORKDIR/CHECKSUMS.md5.tmp
      date > $WORKDIR/CHECKSUMS.md5.log
      echo "----------------------------------" >> $WORKDIR/CHECKSUMS.md5.log
      diff $WORKDIR/CHECKSUMS.md5.copy $WORKDIR/CHECKSUMS.md5.tmp |grep -e "^>" -e "^<"| sed -e 's/^>/Added:/' -e 's/^</Removed:/' >> $WORKDIR/CHECKSUMS.md5.log
      # No differences: drop the entry instead of logging a bare header.
      if ! tail -1 $WORKDIR/CHECKSUMS.md5.log|grep -q -- --------- ;then
        echo "==================================" >> $WORKDIR/CHECKSUMS.md5.log
      else
        >$WORKDIR/CHECKSUMS.md5.log
      fi
      # Newest entry first, then the previous log.
      cat $WORKDIR/CHECKSUMS.md5.log.old >> $WORKDIR/CHECKSUMS.md5.log
      rm $WORKDIR/CHECKSUMS.md5.log.old
      mv $WORKDIR/CHECKSUMS.md5.tmp $WORKDIR/CHECKSUMS.md5.copy
    fi
  fi
  cleanup_orig
}
 
Old 12-30-2015, 09:33 PM   #358
bamunds
I'm seeing some weird slackpkg+ response, with "grep:write error" and "grep: write error: Broken pipe" when attempting to install-new or upgrade-all if nothing is found. Then eventually when a package is found to install or upgrade the ncurses screen is appearing. Do I need to again revert to -3mt? Is anyone else seeing this behavior? I'm running Slackware 64 v14.1 with Multilib and KTOWN. Thanks
 
Old 12-31-2015, 08:09 AM   #359
mlangdn
I did not see this with install-new, but I do have 2 options for upgrade that I won't upgrade. One is a MPlayer that I custom built, the other is an older ffmpeg for the custom MPlayer.
 
Old 12-31-2015, 08:12 AM   #360
zerouno
@bamunds
Please run
bash -x slackpkg install-new
and attach the output
 
  

