[Bug 1363519] Re: start-stop-daemon fails debsums check

Thomas Mayer 1363519 at bugs.launchpad.net
Wed Dec 3 08:34:32 UTC 2014


I am very concerned about this issue. I installed from media
119cb63b48c9a18f31f417f09655efbd ubuntu-14.04.1-desktop-amd64.iso. I
double-checked that the hash comes from an SSL-trusted page and checked the
md5 sum of the file, which was correct.

However, I also get
 md5sum /boot/vmlinuz-3.13.0-32-generic
144bf4beed11fb77e5ad629452741310  /boot/vmlinuz-3.13.0-32-generic
md5sum /sbin/start-stop-daemon 
b1b8894ae2e3b547dca0e288634cce4a  /sbin/start-stop-daemon

Could you please re-check that this is trusted software?

Next, I'm thinking about the question of how the community can technically
make sure that we never install untrusted software via apt-get. What if
a man-in-the-middle attack happens? This can easily happen if your
router is fishy!

Besides that, I think about third-party repositories, and there are two scenarios I could imagine.
- What if I get untrusted keys via a man-in-the-middle attack?
- What about software which is downloaded by (third-party) repo software? First, this is out of focus for debsums. Second, I'm never sure if the downloaded software is rechecked against trustworthy (SSL-transmitted) hashes. Many of us have to use oracle-java for some reason, which is provided by the webupd8 repos, for example. Not that I'm saying I don't trust them. But if they EVER provide/download untrusted software (e.g. occasionally via a man-in-the-middle), a lot of servers and desktops would be affected via a regular update. For example, the oracle-java download (done by the apt package from webupd8) needs to be checked against a trusted hash. I hope that is already the case; I did not recheck this.
- Think about Wine software which is downloaded before you can use it
- Think about extensions in Mozilla's Firefox/Thunderbird or in OpenOffice/LibreOffice

In general:
- There's a bunch of software you need to download from sources which are not covered by apt-get (but possibly updated via apt-get). You can't get around that, for one reason or another (e.g. oracle-java).
- If a man-in-the-middle attack happens, the attacker could install any piece of software he wants via a regular update through third-party repos and other software like Wine.

The longer I think about it, the more I am concerned about Ubuntu's
security concerning software rollout. Still, I think that Ubuntu's
universe repo is the best way to provide lots of software which can be
trusted (if the maintainer can be trusted). I would like to have the
same assurance for all software I ever need to install.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to dpkg in Ubuntu.
https://bugs.launchpad.net/bugs/1363519

Title:
  start-stop-daemon fails debsums check

Status in dpkg package in Ubuntu:
  Confirmed

Bug description:
  After a fresh install from 14.04.1-amd64-dvd, debsums -c reports: /sbin/start-stop-daemon. I checked the dpkg package with dpkg -s dpkg and got: Status: install ok installed, Version: 1.17.5ubuntu5.3 (the latest version), but when I ran md5sum /sbin/start-stop-daemon, I got b1b8894ae2e3b547dca0e288634cce4a, which is the md5sum for start-stop-daemon from dpkg version 1.17.5ubuntu5!
  I confirmed the problem in Ubuntu/Xubuntu 14.04.1-i386 (VirtualBox): the same case, the latest version of the dpkg package contains an older version of start-stop-daemon. I guess this is the same problem I reported here: https://bugs.launchpad.net/ubuntu/+source/live-build/+bug/1150737. I fixed the problem with sudo apt-get install --reinstall dpkg - simple if you know about it, otherwise you have an outdated/buggy package/system...
  Rgds!

  ProblemType: Bug
  DistroRelease: Ubuntu 14.04
  Package: dpkg 1.17.5ubuntu5.3
  ProcVersionSignature: Ubuntu 3.13.0-35.62-generic 3.13.11.6
  Uname: Linux 3.13.0-35-generic x86_64
  ApportVersion: 2.14.1-0ubuntu3.3
  Architecture: amd64
  CurrentDesktop: Unity
  Date: Sat Aug 30 23:47:41 2014
  InstallationDate: Installed on 2014-08-07 (23 days ago)
  InstallationMedia: Ubuntu 14.04.1 LTS "Trusty Tahr" - Release amd64 (20140722.2)
  SourcePackage: dpkg
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dpkg/+bug/1363519/+subscriptions
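As an added example (not part of the thread above, and not code from debsums or dpkg), the following POSIX shell snippet re-implements the per-package check that `debsums -c` performs: it reads the manifest dpkg stores at /var/lib/dpkg/info/<package>.md5sums, one `<md5>  <path relative to />` entry per file, and compares every entry against the file on disk. A mismatch only says that the installed file differs from the manifest shipped in the .deb, not why; in this report the bug description attributes it to the install image carrying an older start-stop-daemon than the dpkg package it was recorded under, which `apt-get install --reinstall dpkg` corrected. The `demo` function builds a constructed temporary tree (one intact file, one modified file, one missing file) so the check can be run without root access or a dpkg database; all paths in it are made up for the demonstration.

```shell
#!/bin/sh
# Added example: a minimal re-implementation of the per-package check that
# `debsums -c` performs. Not code from debsums or dpkg; the tree built in
# demo() is constructed for this demonstration.

# check_md5sums MANIFEST ROOT
#   MANIFEST uses the dpkg .md5sums format: "<md5>  <path relative to ROOT>".
#   Prints one line per missing or modified file. Returns 1 if any entry
#   failed, 0 if every file matched its recorded hash.
check_md5sums() {
    manifest=$1
    root=${2:-/}
    status=0
    while read -r expected relpath; do
        [ -n "$relpath" ] || continue            # skip blank lines
        file="${root%/}/$relpath"
        if [ ! -f "$file" ]; then
            echo "MISSING  $relpath"
            status=1
            continue
        fi
        actual=$(md5sum "$file" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "MISMATCH $relpath (manifest $expected, on disk $actual)"
            status=1
        fi
    done < "$manifest"
    return "$status"
}

# check_package PKG
#   Runs the check against the manifest dpkg installed for PKG, so
#   `check_package dpkg` reproduces the debsums result quoted in the report.
check_package() {
    check_md5sums "/var/lib/dpkg/info/$1.md5sums" /
}

# md5_of_string STRING
#   Helper used only to build the constructed manifest in demo().
md5_of_string() {
    printf '%s' "$1" | md5sum | cut -d' ' -f1
}

# demo
#   Constructed tree: sbin/good-tool matches, sbin/start-stop-daemon has been
#   modified after the manifest was written, sbin/absent does not exist.
#   Returns 1 because two of the three entries fail (the expected outcome).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/sbin"
    printf 'intact' > "$tmp/sbin/good-tool"
    printf 'modified' > "$tmp/sbin/start-stop-daemon"
    {
        printf '%s  sbin/good-tool\n' "$(md5_of_string intact)"
        printf '%s  sbin/start-stop-daemon\n' "$(md5_of_string original)"
        printf '%s  sbin/absent\n' "$(md5_of_string '')"
    } > "$tmp/dpkg.md5sums"
    rc=0
    check_md5sums "$tmp/dpkg.md5sums" "$tmp" || rc=$?
    rm -rf "$tmp"
    return "$rc"
}
```

Two caveats a practitioner should keep in mind. First, the manifest lives on the same filesystem as the files it describes, so this check (and debsums itself) detects accidental divergence such as the stale binary in this bug, not tampering by an attacker who already has root and can rewrite /var/lib/dpkg/info alongside the binary; for that you need hashes from an out-of-band copy of the package. Second, on the man-in-the-middle question: apt refuses packages from a repository whose Release/InRelease file is not signed by a key in its trusted keyring, so an on-path attacker cannot substitute .deb files without that key; the weak point is how the key itself arrives, i.e. `apt-key add` of a key fetched over plain HTTP or from an untrusted page.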
