[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: not getting compromised while applying apt-get upgrade for CVE-2016-1252

Patrick Schleizer:
> Julian Andres Klode:
>> (2) look at the InRelease file and see if it contains crap
>>     after you updated (if it looks OK, it's secure - you need
>>     fairly long lines to be able to break this)
> Thank you for that hint, Julian!
> Can you please elaborate on this? (I am asking for Qubes and Whonix
> (derivatives of Debian) build security purposes. [1])
> Could you please provide information on how long safe / unsafe lines are
> or how to detect them?
> Ideally could you please provide some sanity check command that could be
> used to detect malicious InRelease files such as 'find /var/lib/apt
> -name '*InRelease*' -size +2M' or so?
> The problem is,
> - debootstrap can only bootstrap from one source such as
> 'http://ftp.de.debian.org/debian' - which still contains vulnerable apt.
> (Correct me if I am wrong, I would hope to be wrong on that one.)
> - bootstrapping from 'http://security.debian.org' is not possible
> [contains only security updates, not a complete repository].
> - So in conclusion one has a chance to get compromised when
> bootstrapping from 'http://ftp.de.debian.org/debian' and then apt-get
> upgrading from 'http://security.debian.org'.
> Is there any way to break this cycle?
> Best regards,
> Patrick
> [1] https://github.com/QubesOS/qubes-issues/issues/2520

One thing that would help a lot with future issues like this is to use
only encrypted connections in /etc/apt/sources.list.  That can be either
HTTPS or a Tor Hidden Service .onion address.  For in depth discussion
of this, see:

* https://labs.riseup.net/code/issues/8143



For the official Debian Tor Hidden Service addresses including apt
mirrors, see:


Reply to: