Re: not getting compromised while applying apt-get upgrade for CVE-2016-1252
On Fri, Dec 16, 2016 at 10:32:00PM +0000, Patrick Schleizer wrote:
> Julian Andres Klode:
> > (2) look at the InRelease file and see if it contains crap
> > after you updated (if it looks OK, it's secure - you need
> > fairly long lines to be able to break this)
>
> Thank you for that hint, Julian!
>
> Can you please elaborate on this? (I am asking for Qubes and Whonix
> (derivatives of Debian) build security purposes. [1])
I added some details in that referenced bug :)
>
> Could you please provide information on how long safe / unsafe lines are
> or how to detect them?
>
> Ideally could you please provide some sanity check command that could be
> used to detect malicious InRelease files such as 'find /var/lib/apt
> -name '*InRelease*' -size +2M' or so?
Checking that wc -L (longest line) of the release file is reasonably small
(like 256, 512, or 1024) should be enough. Currently, it's about 140 chars
for unstable.
>
> The problem is,
>
> - debootstrap can only bootstrap from one source such as
> 'http://ftp.de.debian.org/debian' - which still contains vulnerable apt.
> (Correct me if I am wrong, I would hope to be wrong on that one.)
Right now yes. That will contain a new APT in a point release. That said,
there might be issues in debootstrap's Release file verification, someone
should check that...
--
Debian Developer - deb.li/jak | jak-linux.org - free software dev
| Ubuntu Core Developer |
When replying, only quote what is necessary, and write each reply
directly below the part(s) it pertains to ('inline'). Thank you.
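The longest-line sanity check Julian describes, written out as a small script. This is an added example, not code from the thread or from APT itself; the 1024-byte threshold, the flat layout of /var/lib/apt/lists and GNU `wc -L` are assumptions.

```shell
#!/bin/sh
# Added example: flag InRelease/Release files whose longest line is
# suspiciously long (the CVE-2016-1252 parser bug needed long lines).
# Assumes GNU coreutils (wc -L) and a 1024-byte threshold by default.

# check_inrelease FILE [MAXLEN]
# Returns 0 when the longest line in FILE is <= MAXLEN bytes,
# 1 when it is longer, 2 when FILE cannot be read.
check_inrelease() {
    file="$1"
    maxlen="${2:-1024}"
    [ -r "$file" ] || { echo "unreadable: $file" >&2; return 2; }
    # wc -L prints the length of the longest line; strip padding.
    longest=$(wc -L < "$file" | tr -d ' ')
    if [ "$longest" -gt "$maxlen" ]; then
        echo "SUSPICIOUS: $file longest line $longest > $maxlen" >&2
        return 1
    fi
    echo "ok: $file longest line $longest"
    return 0
}

# scan_lists [DIR] [MAXLEN]
# Checks every *InRelease and *_Release file directly under DIR
# (apt keeps them flat in /var/lib/apt/lists). Returns 1 if any
# file fails the check, 0 otherwise.
scan_lists() {
    dir="${1:-/var/lib/apt/lists}"
    maxlen="${2:-1024}"
    rc=0
    for f in "$dir"/*InRelease "$dir"/*_Release; do
        [ -e "$f" ] || continue   # unmatched glob, nothing to do
        check_inrelease "$f" "$maxlen" || rc=1
    done
    return $rc
}

# Usage: ./check-inrelease.sh [DIR] [MAXLEN]
if [ "$#" -gt 0 ]; then
    scan_lists "$1" "${2:-1024}"
fi
```

Run it before `apt-get upgrade` on an affected host; a non-zero exit means at least one release file exceeds the threshold and deserves a manual look.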