Bug#718225: live-build should authenticate files it downloads

To: 718225@bugs.debian.org
Subject: Bug#718225: live-build should authenticate files it downloads
From: jnqnfe <jnqnfe@gmail.com>
Date: Sun, 04 Jan 2015 01:13:45 +0000
Message-id: <[🔎] 54A893C9.7090807@gmail.com>
Reply-to: jnqnfe <jnqnfe@gmail.com>, 718225@bugs.debian.org

Control: severity -1 critical

Raising the severity of this, considering I am almost completely done
with building the patch for it, I'd really like to see this get into
Jessie, and considering that it allows complete compromise of a live
image and any installations from it, unless the user actually knows to
deploy a work around (which is not discussed at all in documentation and
perfectly easy therefore for a user to just assume it is just secure to
use with remote archives). Also contacting the security team to inquire
about a CVE being issued, for formalities sake.

Worth noting for the record, since this isn't documented anywhere:
 - The only work around to avoid compromise would be to create and use a
local archive instead of a remote one, separately taking steps to ensure
integrity of the local archive before use.
 - Even if you do this, if you opt to use the daily edition of the
installer image, this is downloaded directly from a debian server,
exposing you to compromise.

Reply to:

Prev by Date: Bug#774523: Mirror/dist cache sub-directories
Next by Date: Processed: Re: Bug#718225: live-build should authenticate files it downloads
Previous by thread: Bug#774523: Mirror/dist cache sub-directories
Next by thread: Processed: Re: Bug#718225: live-build should authenticate files it downloads
Index(es):
- Date
- Thread