Last month we moved the neon archive to a new server, so packages got built on our existing server and then uploaded to the new server. Checking the config, it seemed I’d made the nasty error of leaving it open to the world rather than requiring an SSH gateway to access the apt repository, so anyone scanning around could have uploaded packages. There’s no reason to think that happened, but the default in security is to be paranoid about any possibility. The security advisory is out, the archives have been wiped and all packages in User rebuilt, so upgrade now to get the new package builds, or for extra security do a reinstall. The new User Edition ISO is out and I’ll update the website once it gets mirrored enough. Developer Edition packages are being rebuilt now and go directly into the archives, so you should start seeing those appear shortly as they are built. Sorry for the hassle folks, you wouldn’t want us to just hide it I’m sure.
Thx for info!
Thanks for the transparency: that builds trust!
Good stuff, though it appears I’ve lost the ability to install neon-desktop & plasma-desktop, ultimately because libkf5baloo5 isn’t in the repo. Has this been missed in the bringup?
I seem to have 5.27.0+p16.04+git20161107.0457-0 installed, presumably from the previous repo.
You are running a developer edition which currently does not have any packages, they are being rebuilt and will become available over the next couple of days
apt policy libkf5* shows there is quite a lot of libkf5 missing that I had previously installed from neon:
libkf5kiowidgets5
libkf5gapi-data
libkf5kontactinterface5
libkf5krosscore5
libkf5kcmutils-dev
libkf5ksieve5
libkf5kiocore5
etc.
You are running a developer edition which currently does not have any packages, they are being rebuilt and will become available over the next couple of days
Thank you for the disclosure.
Are you able to give a date after which the archive and ISOs are to be considered compromised?
Furthermore, shouldn’t package signing have prevented malicious packages being installed? Did the attacker have access to signing keys? (It is not really clear if the new archive server or the build server, or both, were accessible.)
I set up the new server on October 17th and it will have been open since then.
It’s not set up to require packages being signed because the only access should have been through a secure SSH tunnel. That is now the case again. We’ll probably add gpg signing of packages as a second layer of security.
Sorry for not expressing myself clearly – I didn’t mean package signing for the build machine to archive machine transfer, but rather the usual distro package/archive signing as described on https://wiki.debian.org/SecureApt for example.
So, assuming
– you do sign the KDE Neon package archive
– potential attackers could not change this signature
– my understanding of apt is not totally broken,
apt(-get) on KDE Neon users’ machines should have refused by default to install malicious packages if any were uploaded to the archive since the integrity check would have failed for these packages. This would limit the issue’s impact.
I am just a user though, so please correct me if I’m wrong.
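The SecureApt chain the comment above relies on, as an added example that is not code from the blog or the neon project: once apt has verified the Release signature, it checks each Packages index against the SHA256 in Release, and each .deb against the SHA256 in Packages, so a swapped .deb or a re-indexed Packages file is rejected. All inputs (package name aside) are constructed; the check only helps if the signing key did not sit on the exposed server, which is the caveat the maintainer raises below.

```python
"""Added example (not the blog's or project's code): the SecureApt trust chain
below the signed Release file. apt checks that each Packages index matches the
SHA256 listed in Release, and that each .deb matches the SHA256 listed in
Packages. Every input below is constructed for illustration."""
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def parse_release_sha256(release: str) -> dict:
    """Return {path: (sha256, size)} from the 'SHA256:' section of a Release file."""
    entries, in_section = {}, False
    for line in release.splitlines():
        if not line.startswith(" "):          # a new field header ends the section
            in_section = line.strip() == "SHA256:"
            continue
        if in_section:
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries

def parse_packages(packages: str) -> dict:
    """Return {Package: SHA256} from a Packages index (one stanza per package)."""
    result, name = {}, None
    for line in packages.splitlines():
        if line.startswith("Package: "):
            name = line[len("Package: "):]
        elif line.startswith("SHA256: ") and name:
            result[name] = line[len("SHA256: "):]
    return result

def verify_chain(release, index_path, packages: bytes, pkg, deb: bytes) -> bool:
    """True only if Packages matches Release and the .deb matches Packages."""
    expected = parse_release_sha256(release).get(index_path)
    if expected != (sha256_hex(packages), len(packages)):
        return False                          # index not listed or tampered
    return parse_packages(packages.decode()).get(pkg) == sha256_hex(deb)

GOOD_DEB = b"constructed .deb contents for libkf5baloo5"
GOOD_PACKAGES = f"Package: libkf5baloo5\nVersion: 5.27.0-0\nSHA256: {sha256_hex(GOOD_DEB)}\n\n".encode()
INDEX = "main/binary-amd64/Packages"
# The part of Release that apt consults once the signature has verified
RELEASE = f"Suite: xenial\nSHA256:\n {sha256_hex(GOOD_PACKAGES)} {len(GOOD_PACKAGES)} {INDEX}\n"
def demo():
    ok = verify_chain(RELEASE, INDEX, GOOD_PACKAGES, "libkf5baloo5", GOOD_DEB)
    bad_deb = verify_chain(RELEASE, INDEX, GOOD_PACKAGES, "libkf5baloo5", b"tampered")
    # Re-indexing to match the tampered .deb still fails against the signed Release
    evil = GOOD_PACKAGES.replace(sha256_hex(GOOD_DEB).encode(), sha256_hex(b"tampered").encode())
    return ok, bad_deb, verify_chain(RELEASE, INDEX, evil, "libkf5baloo5", b"tampered")
```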
The archive would assume what was uploaded was secure and would sign it.
Only the archive server was accessible. The build server has never been insecure. We are not aware of there being any attacker and have not spotted any problems, but as ever with security that isn’t good enough to say there are no problems.
Just to be perfectly clear. The currently available neon-useredition-20161114-0947-amd64.iso with SHA256 sum 6ee1d0796a0f9f880463dca713ec66efac1db7f105a972eeaf089ee1a588a9a3 is OK and can be used to do a full system reinstall. Correct?
yes
Thank you for the disclosure.
Could you elaborate on how you came to the conclusion that there is no reason that someone unauthorized uploaded packages?
Logs, diffs of postinstall scripts…?
“there is no reason that someone unauthorized uploaded packages”: that’s not what we’ve said. There was a potential to create an exploit and as far as we know nobody has exploited it, but that’s never good enough with security, so we have rebuilt the archive and advise a reinstall.
Quick question: I’ve reinstalled Neon using the newest user ISO, but I’ve only formatted / and left /home untouched since I’ve got tons of documents there. Now I’m finding a lot of packages broken, most of the ones pointed to by neon-all. Is this something I did or a side effect of the issue?
Thanks in advance
Sorry, not enough information here to help; try posting all the details on the neon forum on forums.kde.org
Hi, I set up a new installation with the new user edition image.
Unfortunately, a lot of software is uninstallable, because the package python-pyqt5 seems to be broken (as in: has an unresolvable dependency). I assume it’s the original ubuntu package and no replacement is in the KDE neon archive (yet?). It shows an outdated version when I compare it to an older installation of kde neon. Are the packages still being rebuilt and added to the repository? Any ETA on when the distro is fully usable again? Would be nice to have this announced somewhere, because now I’m stuck without some critical software that I depend on.
Thanks for the announcement though!
should be fixed now
Hello! Today’s images, Nov17, are somehow corrupted or something: the installation process breaks at 30% progress while installing the Language package with no message provided, just a blank popup window saying nothing but to send a bug report to ubiquity. I tried to install dev-unstable but it ends up with the same result. Thanks to the debian mirror, they’ve got the Nov14 images, so I installed neon from that and everything is OK now. Could you please check the installation, or am I the only one with this problem?
Now in dev-stable too:
http://i.imgur.com/5aT5fIn.png
also
*** Problem in ubiquity
The problem cannot be reported:
This is not an official KDE package. Please remove any third party package and try again
what do?