Bug#718225: live-build should authenticate files it downloads

To: submit@bugs.debian.org
Subject: Bug#718225: live-build should authenticate files it downloads
From: Evgeny Kapun <abacabadabacaba@gmail.com>
Date: Mon, 29 Jul 2013 03:40:12 +0400
Message-id: <51F5ABDC.1060305@gmail.com>
Reply-to: Evgeny Kapun <abacabadabacaba@gmail.com>, 718225@bugs.debian.org

Package: live-build
Version: 4.0~a20-1
Tags: security

Apt and debootstrap authenticate files which they download. However, sometimes lb_build downloads files directly. Run `grep wget /usr/lib/live' to find some of the places where it is done.
When doing so, lb_build doesn't check if these files are original. An attacker can modify these files to affect the build process. For example, she can replace debian-installer kernel or initrd with arbitrary files (/usr/lib/live/build/binary_debian-installer).

Reply to:

Follow-Ups:
- Bug#718225: live-build should authenticate files it downloads
  - From: Daniel Baumann <daniel.baumann@progress-technologies.net>

Prev by Date: build failures due to inexplicable network errors
Next by Date: Bug#718225: live-build should authenticate files it downloads
Previous by thread: build failures due to inexplicable network errors
Next by thread: Bug#718225: live-build should authenticate files it downloads
Index(es):
- Date
- Thread