Am 25.04.20 um 15:38 schrieb Elmar Stellnberger:
Dear readers of the debian-security mailing listThe first time I had lost my new coreboot i7 notebook when I plugged a vfat formatted usb stick into the notebook run merely offline where I developed the a̅tea. Suddenly low level operating system errors appeared and since a power off/power on it refuses to boot from any media: internal m2 and usb. The notebook is thus unusable. I have sent the computer for repair but I got it back in the exactly the same condition. If you like you can read https://www.elstel.org/uploads/laptop-note.pdf. It contains an error description (I have written it with my typewriter and the company scanned the document). Consequently I thought that there would be an arbitrary code execution bug in the vfat file system. I prepared an USB stick, created an msdos partition table with 7 partitions and used tar to read and write from the partitions (20-blueusb.rules). However it turned out sooner and later that this also caused arbitrary code executions. It made my offline Debian installation where I run an Apache server to create content for elstel.org several times unusable. I simply could not believe it. A program as simple as tar should not contain an arbitrary code execution bug! There was no other way the system could get in touch with the outside so the usb stick was definitely at fault. Today I have finally used cat and dd to stitch three text files together and read them back from a partition. That way I have avoided to use tar. It was on my most secure system which normally does not have any contact to other computers at all because the system with the Apache server for elstel.org was unsuable for another time. And see there I got the exactly same result without tar: After unexplainable operating system errors the system does not boot as soon as any SATA drive is attached. Flashing the BIOS does not help against this kind of error as there is also other firmware. I have seen 3 of my Kingston USB readers manipulated to not read a certain sdcard while 3 other readers of the same type and same shipping locked in a box did still read it (sdcard blue ray image to install a clean Debian10). Obviously the firmware of that device was altered. As with the USB card reader a computer has many devices each with its own firmware which can be altered to damage a computer. This time I am at loss. If I can not plug in an USB stick there is apparently ¿almost? no safe way to communicate with that computer. There needs to be an arbitrary code execution bug hidden in the kernel which gets executed as soon as a partition table is read in. As I do not have
I do not believe the problem is about the msdos partition table as this one is even more simple than invoking tar. But there could (and finally needs) to be hidden something in the usb mass storage driver?!
any filesystem on that USB stick and I have automounting disabled that should not be due to filesystem probing. As my experience with bug reporting at the Firefox browser I am quite sure at least some of them are bought by secret services due to their unwillingness to fix flagrant bugs. However I would never have believed this could be the case with the Linux kernel. A kernel developer could perhaps help me if he said what code exactly got executed on plugging in an USB stick. Finally I would need to use another operating system but I can´t as there is no other distribution than Debian which offers a blue ray image for offline installation. Downloading singleton files in a batch via tor is conspicuous to secret services and thus not viable. They would simply alter the download as they have done many times. I wonder how the people at the Iranian nuclear progam do their things?Yours Sincerely, Elmar Stellnberger