Re: not getting compromised while applying apt-get upgrade for CVE-2016-1252

To: Geert Stappers <stappers@stappers.nl>, debian-security@lists.debian.org
Subject: Re: not getting compromised while applying apt-get upgrade for CVE-2016-1252
From: Patrick Schleizer <adrelanos@riseup.net>
Date: Fri, 16 Dec 2016 14:19:00 +0000
Message-id: <[🔎] 9c6980b4-8618-7e78-fcb1-f2d4b94b0732@riseup.net>
In-reply-to: <[🔎] 20161216055310.GE3943@gpm.stappers.nl>
References: <[🔎] becd96d1-1196-8a44-a516-e8e2b0df2fd1@riseup.net> <[🔎] 20161215214359.Horde.czbd_QgP4ghLHt0DXp19_GM@szepe.net> <[🔎] 20161216055310.GE3943@gpm.stappers.nl>

Geert Stappers:
> On Thu, Dec 15, 2016 at 09:43:59PM +0100, SZÉPE Viktor wrote:
>> Quoting Patrick Schleizer <adrelanos@riseup.net>:
>>
>>> Very short summary of the bug:
>>> (my own words) During apt-get upgrading signature verification can be
>>> tricked resulting in arbitrary package installation, system compromise.
>>>
>>> - https://security-tracker.debian.org/tracker/CVE-2016-1252
>>> - https://www.debian.org/security/2016/dsa-3733
>>> - https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1647467
>>>
>>> How to upgrade from the insecure apt-get version 1.0.9.8.3 to the
>>> patched apt-get version 1.0.9.8.4 without being compromised during that
>>> upgrade?
>>>
>>
>> You may download the new package
>> http://security.debian.org/debian-security/pool/updates/main/a/apt/apt_1.0.9.8.4_amd64.deb
>> (for amd64)
> 
> By the command
> 
> wget http://security.debian.org/debian-security/pool/updates/main/a/apt/apt_1.0.9.8.4_amd64.deb
> 
> 
>> and check its checksum
>> https://packages.debian.org/jessie/amd64/apt/download
>>
>> $ sha256sum apt_1.0.9.8.4_amd64.deb
>>
>> f40e51afbbcf2b1e23442c4c3df064a02ddc27bdfbfb155839577dcb1dedb74a
>>
> 
> Then the acual install
> 
> sudo dpkg --install apt_1.0.9.8.4_amd64.deb
> 
> Which might yield (due my test on a non-up-to-date-system)
> 
> (Reading database ... 42686 files and directories currently installed.)
> Preparing to replace apt 1.0.9.8.4 (using apt_1.0.9.8.4_amd64.deb) ...
> Unpacking replacement apt ...
> dpkg: dependency problems prevent configuration of apt:
>  apt depends on libapt-pkg4.12 (>= 1.0.9.8.4); however:
>   Version of libapt-pkg4.12:amd64 on system is 0.9.7.9+deb7u6.
>  apt depends on libc6 (>= 2.15); however:
>   Version of libc6:amd64 on system is 2.13-38+deb7u8.
>  apt depends on libstdc++6 (>= 4.9); however:
>   Version of libstdc++6:amd64 on system is 4.7.2-5.
> 
> dpkg: error processing apt (--install):
>  dependency problems - leaving unconfigured
> Processing triggers for man-db ...
> Errors were encountered while processing:
>  apt
> 
> 
> 
> 
> Groeten
> Geert Stappers
> 

Need to do this for all 'apt'ish packages.

https://www.whonix.org/wiki/CVE-2016-1252

Reply to:

References:
- not getting compromised while applying apt-get upgrade for CVE-2016-1252
  - From: Patrick Schleizer <adrelanos@riseup.net>
- Re: not getting compromised while applying apt-get upgrade for CVE-2016-1252
  - From: SZÉPE Viktor <viktor@szepe.net>
- Re: not getting compromised while applying apt-get upgrade for CVE-2016-1252
  - From: Geert Stappers <stappers@stappers.nl>

Prev by Date: Re: not getting compromised while applying apt-get upgrade for CVE-2016-1252
Next by Date: Re: not getting compromised while applying apt-get upgrade for CVE-2016-1252
Previous by thread: Re: not getting compromised while applying apt-get upgrade for CVE-2016-1252
Next by thread: Re: not getting compromised while applying apt-get upgrade for CVE-2016-1252
Index(es):
- Date
- Thread