[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: not getting compromised while applying apt-get upgrade for CVE-2016-1252

On Fri, Dec 16, 2016 at 10:32:00PM +0000, Patrick Schleizer wrote:
> Julian Andres Klode:
> > (2) look at the InRelease file and see if it contains crap
> >     after you updated (if it looks OK, it's secure - you need
> >     fairly long lines to be able to break this)
> Thank you for that hint, Julian!
> Can you please elaborate on this? (I am asking for Qubes and Whonix
> (derivatives of Debian) build security purposes. [1])

I  added some details in that referenced bug :)

> Could you please provide information on how long safe / unsafe lines are
> or how to detect them?
> Ideally could you please provide some sanity check command that could be
> used to detect malicious InRelease files such as 'find /var/lib/apt
> -name '*InRelease*' -size +2M' or so?

Checking that wc -L (longest line) of the release file is reasonably small
(like 256, 512, or 1024) should be enough. Currently, it's about 140 chars
for unstable.

> The problem is,
> - debootstrap can only bootstrap from one source such as
> 'http://ftp.de.debian.org/debian' - which still contains vulnerable apt.
> (Correct me if I am wrong, I would hope to be wrong on that one.)

Right now yes. That will contain a new APT in a point release. That said,
there might be issues in debootstrap's Release file verification, someone
should check that...

Debian Developer - deb.li/jak | jak-linux.org - free software dev
                  |  Ubuntu Core Developer |
When replying, only quote what is necessary, and write each reply
directly below the part(s) it pertains to ('inline').  Thank you.

Reply to: