Bug 1150532 – AUDIT-1: apt-cacher-ng: review of cron job file(s): /etc/cron.daily/apt-cacher-ng

Bug 1150532 - AUDIT-1: apt-cacher-ng: review of cron job file(s): /etc/cron.daily/apt-cacher-ng


Summary:	AUDIT-1: apt-cacher-ng: review of cron job file(s): /etc/cron.daily/apt-cache...

Status:	RESOLVED WONTFIX

Classification:	openSUSE
Product:	openSUSE Tumbleweed
Classification:	openSUSE
Component:	Security
Version:	Current
Hardware:	Other Other

Priority:	P5 - None Severity: Normal (vote)
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	E-mail List

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:	1150175
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2019-09-12 11:26 UTC by Matthias Gerstner
Modified:	2020-01-30 09:55 UTC (History)
CC List:	3 users (show)

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Matthias Gerstner 2019-09-12 11:26:02 UTC

+++ This bug was initially created as a clone of Bug #1150175
As discussed in the proactive security team we want to restrict the
installation of cron job files in the future. To achieve this we first need to
cover the currently existing packages that do this.

apt-cacher-ng is installing a cron job in /etc/cron.daily/apt-cacher-ng that
should be reviewed and subsequently whitelisted if all is well.

Comment 1 Matthias Gerstner 2019-10-31 14:02:53 UTC

This cron job triggers a "maintenance task" at the apt-cacher-ng daemon. This
is basically done by talking to localhost:3142 via TCP and trigger a certain
GET operation. If any credentials are required then those are read from
configuration and passed to the HTTP socket.

The cron job script itself looks okay, the localhost communication should also
be fine. It's unencrypted so if anybody should have the possibility to listen
in e.g. via tcpdump then those credentials could leak. But that is not the
case for regular users by default.

Comment 2 Matthias Gerstner 2019-11-19 11:33:52 UTC

On second thought: localhost port 3142 is unprivileged and thus a local user
could fire up a fake server. The acngtool only wants to trigger something at
the server but to do so generic HTTP processing is involved. This HTTP
processing is done with seemingly custom HTTP handling code in
source/dlcon.cc. It also supports HTTP chunked encoding which has been a
source of security issues in other packages in the past. A first look into the
handling of this looks okay in the code.

Comment 3 Matthias Gerstner 2019-11-25 14:45:33 UTC

mchandras left the company. Adding mpluskal as the new maintainer of
apt-cacher-ng according to OBS.

Comment 4 Matthias Gerstner 2020-01-30 09:55:19 UTC

Since there's no maintainer left for apt-cacher-ng I've filed a delete request for the package in Factory. This delete request got accepted by now. I'm decoupling this bug from the CVE sub-bugs. For the CVE I've submitted maintenance update for Leap myself.

Therefore no whitelisting for apt-cacher-ng regarding the cron job is necessary. Closing this bug as WONTFIX.