Bug#718225: live-build should authenticate files it downloads

To: Evgeny Kapun <abacabadabacaba@gmail.com>
Cc: 718225@bugs.debian.org
Subject: Bug#718225: live-build should authenticate files it downloads
From: Daniel Baumann <daniel.baumann@progress-technologies.net>
Date: Mon, 29 Jul 2013 01:49:11 +0200
Message-id: <51F5ADF7.4080403@progress-technologies.net>
Reply-to: daniel.baumann@progress-technologies.net, 718225@bugs.debian.org
In-reply-to: <51F5ABDC.1060305@gmail.com>
References: <51F5ABDC.1060305@gmail.com>

On 07/29/2013 01:40 AM, Evgeny Kapun wrote:
> Apt and debootstrap authenticate files which they download. However, sometimes lb_build downloads files directly. Run `grep wget /usr/lib/live' to find some of the places where it is done.
> When doing so, lb_build doesn't check if these files are original. An attacker can modify these files to affect the build process. For example, she can replace debian-installer kernel or initrd with arbitrary files (/usr/lib/live/build/binary_debian-installer).

yes, this is on the todo for quite a while.

-- 
Address:        Daniel Baumann, Donnerbuehlweg 3, CH-3012 Bern
Email:          daniel.baumann@progress-technologies.net
Internet:       http://people.progress-technologies.net/~daniel.baumann/

Reply to:

References:
- Bug#718225: live-build should authenticate files it downloads
  - From: Evgeny Kapun <abacabadabacaba@gmail.com>

Prev by Date: Bug#718225: live-build should authenticate files it downloads
Next by Date: Including a Debian installer on Sid is not working
Previous by thread: Bug#718225: live-build should authenticate files it downloads
Next by thread: Including a Debian installer on Sid is not working
Index(es):
- Date
- Thread