
Re: not getting compromised while applying apt-get upgrade for CVE-2016-1252



On Fri, Dec 16, 2016 at 10:32:00PM +0000, Patrick Schleizer wrote:
> Julian Andres Klode:
> > (2) look at the InRelease file and see if it contains crap
> >     after you updated (if it looks OK, it's secure - you need
> >     fairly long lines to be able to break this)
> 
> Thank you for that hint, Julian!
> 
> Can you please elaborate on this? (I am asking for Qubes and Whonix
> (derivatives of Debian) build security purposes. [1])

I added some details in that referenced bug :)

> 
> Could you please provide information on how long safe / unsafe lines are
> or how to detect them?
> 
> Ideally could you please provide some sanity check command that could be
> used to detect malicious InRelease files such as 'find /var/lib/apt
> -name '*InRelease*' -size +2M' or so?

Checking that wc -L (longest line) of the release file is reasonably small
(like 256, 512, or 1024) should be enough. Currently, it's about 140 chars
for unstable.

> 
> The problem is,
> 
> - debootstrap can only bootstrap from one source such as
> 'http://ftp.de.debian.org/debian' - which still contains vulnerable apt.
> (Correct me if I am wrong, I would hope to be wrong on that one.)

Right now yes. That will contain a new APT in a point release. That said,
there might be issues in debootstrap's Release file verification, someone
should check that...


-- 
Debian Developer - deb.li/jak | jak-linux.org - free software dev
                  |  Ubuntu Core Developer |
When replying, only quote what is necessary, and write each reply
directly below the part(s) it pertains to ('inline').  Thank you.
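The longest-line check suggested above, written out as a small script. This is an added example, not code from the mail, from APT or from Debian: it scans the Release/InRelease files APT keeps under /var/lib/apt/lists (including partial/, where an in-progress download lands), reports the longest line of each, and flags anything over a cut-off. The 1024-byte cut-off is taken from the top of the range given in the mail; the ~140-character figure for unstable is the mail's, and the two fixture files the demo writes are constructed here and are not real repository data. The awk one-liner gives the same number as `wc -L` for plain ASCII input, but also works where wc is not GNU's.

```shell
#!/bin/sh
# Added example (not part of APT or the mail above): sanity-check APT's
# downloaded Release/InRelease files by their longest line.
# Assumptions: lists live in /var/lib/apt/lists; 1024 bytes is the cut-off.

# Length in bytes of the longest line in a file; equals 'wc -L' on ASCII
# input, but does not need GNU coreutils.
max_line_len() {
    LC_ALL=C awk '{ if (length($0) > m) m = length($0) } END { print m + 0 }' "$1"
}

# Scan every *InRelease and *_Release under a lists directory (and its
# partial/ subdirectory) and print one line per file.
# Returns 0 if all files stay under the limit, 1 if any exceed it.
check_release_files() {
    dir=${1:-/var/lib/apt/lists}
    limit=${2:-1024}
    rc=0
    for f in "$dir"/*InRelease "$dir"/*_Release \
             "$dir"/partial/*InRelease "$dir"/partial/*_Release; do
        [ -f "$f" ] || continue          # an unmatched glob stays literal; skip it
        len=$(max_line_len "$f")
        if [ "$len" -gt "$limit" ]; then
            printf 'SUSPICIOUS %6d %s\n' "$len" "$f"
            rc=1
        else
            printf 'ok         %6d %s\n' "$len" "$f"
        fi
    done
    return "$rc"
}

# Constructed fixtures for the demo (not real repository data): an InRelease
# with ordinary line lengths, and one padded with a single 4000-byte line.
make_fixtures() {
    mkdir -p "$1/partial"
    {
        printf '%s\n' '-----BEGIN PGP SIGNED MESSAGE-----' 'Hash: SHA256' ''
        printf '%s\n' 'Origin: Debian' 'Suite: unstable' 'Codename: sid'
        printf '%s\n' 'Architectures: amd64 i386' 'Components: main' 'SHA256:'
        printf ' %064d %8d %s\n' 0 1234567 main/binary-amd64/Packages
        printf '%s\n' '-----BEGIN PGP SIGNATURE-----' 'iQIzBAEBCAAd' '-----END PGP SIGNATURE-----'
    } > "$1/ftp.de.debian.org_debian_dists_unstable_InRelease"
    {
        printf '%s\n' '-----BEGIN PGP SIGNED MESSAGE-----' 'Hash: SHA256' ''
        printf '%s\n' 'Origin: Debian' 'Suite: unstable'
        printf '%4000s\n' '' | tr ' ' 'A'      # one abnormally long line
        printf '%s\n' '-----BEGIN PGP SIGNATURE-----' '-----END PGP SIGNATURE-----'
    } > "$1/partial/mirror.example_debian_dists_unstable_InRelease"
}

# Demo on the constructed fixtures. Against a real system, run instead:
#   check_release_files /var/lib/apt/lists 1024
tmp=$(mktemp -d)
make_fixtures "$tmp"
check_release_files "$tmp" 1024 || echo "at least one Release file needs a closer look"
rm -rf "$tmp"
```

Run it after `apt-get update` and before `apt-get upgrade`; a normal InRelease line on current Debian is roughly 140 characters, so any file reported in the thousands is worth inspecting by hand before letting apt act on it.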