
Bug#856405: unblock: libdebian-installer/0.109 and others



Steven Chamberlain:
> Package: release.debian.org
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> X-Debbugs-Cc: debian-boot@lists.debian.org
> 
> Hi!
> 
> Attached are proposed debdiffs for anna, cdebootstrap and their
> dependency libdebian-installer (Bug #856210).
> 
> Would the release team be willing to grant unblocks for these?
> (It would also require an ACK from the d-i release manager).
> 

The changes have my blessing (with a remark further down).

(Quoted in full for KiBi's sake as I wasn't sure he had seen this)

> In the installer, net-retriever verifies the Release file with SHA256,
> but anna only validates the .udeb files with MD5, which was surprising.
> The .udeb files are extracted and then their contents may be executed
> with full privileges during the install (Bug #856211).
> 
> netboot images typically fetch .udeb files over unsecured HTTP.  Other
> install media bundles those so they need not be downloaded, but it could
> still happen if networking is configured during the install and a
> network mirror has newer versions of any required .udeb files.  (Some
> .udeb files are retrieved later, after installing the base system).
> 
> If not already considered a grave security flaw, it might be during the
> lifetime of stretch (-2022?).  Even if fixed in a point release, any
> install media created before then would remain vulnerable.
> 
> The changes to libdebian-installer are ABI-compatible, such that only
> reverse-dependencies that use the md5sum field should be affected
> (thought to be just anna and cdebootstrap).  They would FTBFS until
> patched, and already-built binaries would report a "md5sum mismatch" if
> they used this new version of the library at run-time, since the new
> SHA256 hashes would not match the MD5 hashes they expect.
> 
> unblock libdebian-installer/0.109
> unblock anna/1.58
> unblock cdebootstrap/0.7.7
> 
> Thanks!
> 
> [...]

Strictly speaking, the ".deb" variants of libdebian-installer would need
a "Breaks" and the rdeps a versioned Depends.  I am not entirely sure if
that is applicable for the udeb variants, but I assume KiBi got that
covered if he approves the change.

Thanks,
~Niels
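As an added illustration (not code from anna, cdebootstrap or libdebian-installer), a small Python verifier over a constructed Packages-index stanza: it accepts a .udeb only when Size and SHA256 match and refuses a stanza that carries just MD5sum, and `legacy_md5_check` shows why an unpatched consumer handed a SHA256 in the old md5sum slot can only report a mismatch. The package name, filename and udeb bytes are constructed for the example.

```python
import hashlib
import hmac
import re

def parse_stanza(text):
    """Parse one Packages-index stanza (Field: value lines) into a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z0-9-]+):\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def verify_udeb(stanza, data):
    """Return (ok, reason): accept only a matching Size and SHA256.
    A stanza carrying just MD5sum is refused rather than checked."""
    fields = parse_stanza(stanza)
    expected = fields.get("SHA256")
    if expected is None:
        return False, "no SHA256 field; refusing MD5-only verification"
    if "Size" in fields and int(fields["Size"]) != len(data):
        return False, "size mismatch"
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, expected.lower()):
        return False, "sha256 mismatch"
    return True, "ok"

def legacy_md5_check(digest_field, data):
    """What an unpatched consumer effectively does: compare its own MD5 of
    the file with whatever the library placed in the md5sum slot.  Given a
    64-hex SHA256 there, the 32-hex MD5 can never match."""
    return hashlib.md5(data).hexdigest() == digest_field

# Constructed sample: udeb bytes and the index stanza describing them.
GOOD_UDEB = b"!<arch>\nconstructed udeb payload\n"
ALTERED_UDEB = GOOD_UDEB + b"changed in transit\n"
GOOD_STANZA = (
    "Package: example-udeb\n"
    "Filename: pool/main/e/example-udeb/example-udeb_1.0_all.udeb\n"
    f"Size: {len(GOOD_UDEB)}\n"
    f"MD5sum: {hashlib.md5(GOOD_UDEB).hexdigest()}\n"
    f"SHA256: {hashlib.sha256(GOOD_UDEB).hexdigest()}\n"
)
# The same package described only by MD5sum, as the old consumers expected.
MD5_ONLY_STANZA = "\n".join(
    l for l in GOOD_STANZA.splitlines() if not l.startswith("SHA256:")
) + "\n"
```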

