Bug#856405: unblock: libdebian-installer/0.109 and others
Steven Chamberlain:
> Package: release.debian.org
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> X-Debbugs-Cc: debian-boot@lists.debian.org
>
> Hi!
>
> Attached are proposed debdiffs for anna, cdebootstrap and their
> dependency libdebian-installer (Bug #856210).
>
> Would the release team be willing to grant unblocks for these?
> (It would also require an ACK from the d-i release manager).
>
The changes have my blessing (with a remark further down).
(Quoted in full for KiBi's sake as I wasn't sure he had seen this)
> In the installer, net-retriever verifies the Release file with SHA256,
> but anna only validates the .udeb files with MD5, which was surprising.
> The .udeb files are extracted and then their contents may be executed
> with full privileges during the install (Bug #856211).
>
> netboot images typically fetch .udeb files over unsecured HTTP. Other
> install media bundles those so they need not be downloaded, but it could
> still happen if networking is configured during the install and a
> network mirror has newer versions of any required .udeb files. (Some
> .udeb files are retrieved later, after installing the base system).
>
> If not already considered a grave security flaw, it might be during the
> lifetime of stretch (-2022?). Even if fixed in a point release, any
> install media created before then would remain vulnerable.
>
> The changes to libdebian-installer are ABI-compatible, such that only
> reverse-dependencies that use the md5sum field should be affected
> (thought to be just anna and cdebootstrap). They would FTBFS until
> patched, and already-built binaries would report a "md5sum mismatch" if
> they used this new version of the library at run-time, since the new
> SHA256 hashes would not match the MD5 hashes they expect.
>
> unblock libdebian-installer/0.109
> unblock anna/1.58
> unblock cdebootstrap/0.7.7
>
> Thanks!
>
> [...]
Strictly speaking, the ".deb" variants of libdebian-installer would need
a "Breaks" and the rdeps a versioned Depends. I am not entirely sure if
that is applicable for the udeb variants, but I assume KiBi got that
covered if he approves the change.
Thanks,
~Niels
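The quoted report's point, that .udeb files were checked against the weak MD5sum field while the Release file was already verified with SHA256, can be shown with a small verifier. This is an added example, not code from anna, cdebootstrap or libdebian-installer; the Packages stanza and the .udeb bytes are constructed here, and `require_sha256` is a hypothetical switch contrasting the pre-fix and fixed policies.

```python
"""Added example (not from the bug report or the packages it names):
verify a fetched .udeb against the SHA256 field of its Packages stanza,
refusing to fall back to the MD5sum field."""
import hashlib

# Constructed stand-in for a downloaded .udeb (an ar archive starts with "!<arch>").
UDEB_BYTES = b"!<arch>\nconstructed-udeb-contents\n"


def make_stanza(data, with_sha256=True):
    """Build a constructed Packages stanza for `data`, optionally without SHA256."""
    lines = [
        "Package: example-udeb",
        "Version: 1.0",
        "Filename: pool/main/e/example-udeb_1.0_all.udeb",
        f"Size: {len(data)}",
        f"MD5sum: {hashlib.md5(data).hexdigest()}",
    ]
    if with_sha256:
        lines.append(f"SHA256: {hashlib.sha256(data).hexdigest()}")
    return "\n".join(lines) + "\n"


def parse_stanza(text):
    """Parse one RFC822-style Packages stanza into a dict (continuation lines skipped)."""
    fields = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith(" "):
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def verify_udeb(data, stanza, require_sha256=True):
    """Return True only if `data` matches the hash the policy allows.

    require_sha256=True  (fixed behaviour): SHA256 must be present and match;
                         a stanza carrying only MD5sum is rejected.
    require_sha256=False (pre-fix behaviour): falls back to MD5sum, which is
                         exactly what the report objects to.
    """
    sha = stanza.get("SHA256")
    if sha:
        return hashlib.sha256(data).hexdigest() == sha.lower()
    if require_sha256:
        return False
    md5 = stanza.get("MD5sum")
    return bool(md5) and hashlib.md5(data).hexdigest() == md5.lower()
```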