not getting compromised while applying apt-get upgrade for CVE-2016-1252

To: "debian-security@lists.debian.org" <debian-security@lists.debian.org>
Subject: not getting compromised while applying apt-get upgrade for CVE-2016-1252
From: Patrick Schleizer <adrelanos@riseup.net>
Date: Thu, 15 Dec 2016 20:33:00 +0000
Message-id: <[🔎] becd96d1-1196-8a44-a516-e8e2b0df2fd1@riseup.net>

TLDR:
Is it possible to disable InRelease processing by apt-get?


Long:

Very short summary of the bug:
(my own words) During apt-get upgrading signature verification can be
tricked resulting in arbitrary package installation, system compromise.

sources:

- https://security-tracker.debian.org/tracker/CVE-2016-1252
- https://www.debian.org/security/2016/dsa-3733
- https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1647467

How to upgrade from the insecure apt-get version 1.0.9.8.3 to the
patched apt-get version 1.0.9.8.4 without being compromised during that
upgrade?

Is it possible to disable InRelease processing by apt-get [for that
upgrade or generally]? And have it check Release.gpg (which is provided
anyway) instead?

Reply to:

Follow-Ups:
- Re: not getting compromised while applying apt-get upgrade for CVE-2016-1252
  - From: SZÉPE Viktor <viktor@szepe.net>
- Re: not getting compromised while applying apt-get upgrade for CVE-2016-1252
  - From: Paul Wise <pabs@debian.org>
- Re: not getting compromised while applying apt-get upgrade for CVE-2016-1252
  - From: Julian Andres Klode <jak@debian.org>

Prev by Date: Call for testing: upcoming xen security update
Next by Date: Re: not getting compromised while applying apt-get upgrade for CVE-2016-1252
Previous by thread: Call for testing: upcoming xen security update
Next by thread: Re: not getting compromised while applying apt-get upgrade for CVE-2016-1252
Index(es):
- Date
- Thread