Bug#788634: debian-installer: Accepting a preseed URL from DHCP allows attacker to hijack installation
On 18 June 2015 at 14:11, Christian PERRIER <email@example.com> wrote:
> (no need to CC me or debian-boot to answers as bug report answers
> already go to debian-boot)
Ah, sorry. Thanks for letting me know.
> Quoting Aliz 'Randomdude' (firstname.lastname@example.org):
>> +Template: preseed/accept_preseed_from_DHCP
>> +Type: boolean
>> +Default: false
>> +Description: Should we accept a preseed URL from a DHCP server?
>> + Your DHCP server has provided extra commands or customisations to
>> + debian-installer. It is possible that these commands were sent by
>> + your network administrator; however, it is impossible to verify
>> + this, or to ensure they have not been altered by an attacker who
>> + already has access to your local network.
> This patch shouldn't be committed as is to the git repository. It
> needs rewording in the debconf template, to avoid a few style
> inconsistencies with the writing style of other D-I templates:
> - drop the use of first person ("we")
> - drop the use of "your"
> The template is also not marked for translation ("_Description"
> instead of "Description") even though it's clearly worded to be
Okay - my apologies for not reading the relevant "best packaging
practices" document first. Here's a revised patch:
diff -ur old/DEBIAN/postinst new/DEBIAN/postinst
--- old/DEBIAN/postinst 2014-09-24 06:16:34.000000000 +0100
+++ new/DEBIAN/postinst 2015-06-15 01:31:43.884000000 +0100
@@ -11,7 +11,13 @@
if [ -n "$dhcp_url" ]; then
- preseed_location "$dhcp_url"
+ db_input critical preseed/accept_preseed_from_DHCP || true
+ db_get preseed/accept_preseed_from_DHCP
+ if [ "$use_dhcp_url" == "true" ]; then
+ preseed_location "$dhcp_url"
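Review bot: the added test `if [ "$use_dhcp_url" == "true" ]; then` reads a variable that nothing in the lines shown assigns. `db_get` returns the answer in `$RET`, so unless `use_dhcp_url` is set elsewhere the condition is never true and the DHCP-supplied URL is ignored whatever the user answers. Suggest `if [ "$RET" = "true" ]; then`, with a single `=`, since `==` inside `[ ]` is not POSIX and this runs under the installer's shell. No `db_go` appears between `db_input` and `db_get` either, so the question would be queued but not displayed and `db_get` would return the default. The `fi` closing the new `if` is also missing from the hunk as shown.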
diff -ur old/DEBIAN/templates new/DEBIAN/templates
--- old/DEBIAN/templates 2014-09-24 06:16:33.000000000 +0100
+++ new/DEBIAN/templates 2015-06-15 01:24:27.396000000 +0100
@@ -1048,3 +1048,13 @@
Description: for internal use; can be preseeded
Path added to local server to give the preseed root
+_Description: Accept a preseed URL from the DHCP server?
+ The DHCP server has provided extra commands or customisations to
+ debian-installer via a preseed file. It is possible that these
+ commands were set by the network administrator; however, it is
+ impossible to verify this, or to ensure they have not been altered
+ by an attacker who already has access to your local network. For
+ this reason, you should only accept these customisations if you
+ accept the risk they entail.
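Review bot: the revised description still says "your local network" and goes on to address the reader as "you" in the new closing sentence, which is the wording the review of the first version asked to drop. Suggest "an attacker who already has access to the local network" and an impersonal final sentence. The `Template:`, `Type:` and `Default:` lines from the first version are not among the added lines shown here; without them this `_Description` would be read as part of the preceding template, so check that they are still in the patch.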
I've made it slightly more verbose as well. Is this acceptable, or
should I solicit comments on email@example.com?
Thanks for your guidance here.
- Aliz Hammond