Bug#718225: live-build should authenticate files it downloads
Package: live-build
Version: 4.0~a20-1
Tags: security

Apt and debootstrap authenticate files which they download. However, sometimes lb_build downloads files directly. Run `grep wget /usr/lib/live' to find some of the places where it is done.
When doing so, lb_build doesn't check if these files are original. An attacker can modify these files to affect the build process. For example, she can replace the debian-installer kernel or initrd with arbitrary files (/usr/lib/live/build/binary_debian-installer).
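
One way a build script could bind a directly downloaded file to a trusted checksum list before using it, shown as an added example that is not part of the original report and is not live-build code. The helper name `verify_against_manifest`, the file names and the sample data are assumptions; the manifest itself is assumed to have been authenticated already.

```shell
#!/bin/sh
# Added example; verify_against_manifest is a hypothetical helper, not a
# live-build function. MANIFEST is assumed to be authenticated already
# (for instance by a signature check); this step only binds the file to it.

# verify_against_manifest FILE NAME MANIFEST
#   0  FILE matches the single manifest entry for NAME
#   1  digest mismatch (file was altered or is the wrong file)
#   2  FILE or MANIFEST missing
#   3  NAME is absent from MANIFEST, or listed more than once
verify_against_manifest() {
    file=$1; name=$2; manifest=$3
    [ -f "$file" ] && [ -f "$manifest" ] || return 2
    # Lines are "<sha256>  <path>"; tolerate "*path" and "./path" forms.
    expected=$(awk -v n="$name" '
        { p = $2; sub(/^\*/, "", p); sub(/^\.\//, "", p)
          if (p == n) { h = $1; c++ } }
        END { if (c == 1) print h; else exit 1 }' "$manifest") || return 3
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    [ "$actual" = "$expected" ] || return 1
}

# Constructed sample data: a stand-in "initrd.gz" and a manifest for it.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'constructed initrd contents\n' > "$dir/initrd.gz"
    (cd "$dir" && sha256sum ./initrd.gz > SHA256SUMS)
    verify_against_manifest "$dir/initrd.gz" initrd.gz "$dir/SHA256SUMS"
    echo "genuine file:  rc=$?"
    printf 'modified in transit\n' >> "$dir/initrd.gz"
    verify_against_manifest "$dir/initrd.gz" initrd.gz "$dir/SHA256SUMS"
    echo "tampered file: rc=$?"
    rm -rf "$dir"
}
demo
```

The check fails closed: a file with no manifest entry is rejected rather than accepted unchecked, so a build would stop instead of continuing with an unverified kernel or initrd.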