Re: not getting compromised while applying apt-get upgrade for CVE-2016-1252
Patrick Schleizer:
> Julian Andres Klode:
>> (2) look at the InRelease file and see if it contains crap
>> after you updated (if it looks OK, it's secure - you need
>> fairly long lines to be able to break this)
>
> Thank you for that hint, Julian!
>
> Can you please elaborate on this? (I am asking for Qubes and Whonix
> (derivatives of Debian) build security purposes. [1])
>
> Could you please provide information on how long safe / unsafe lines are
> or how to detect them?
>
> Ideally could you please provide some sanity check command that could be
> used to detect malicious InRelease files such as 'find /var/lib/apt
> -name '*InRelease*' -size +2M' or so?
>
> The problem is,
>
> - debootstrap can only bootstrap from one source such as
> 'http://ftp.de.debian.org/debian' - which still contains vulnerable apt.
> (Correct me if I am wrong, I would hope to be wrong on that one.)
>
> - bootstrapping from 'http://security.debian.org' is not possible
> [contains only security updates, not a complete repository].
>
> - So in conclusion one has a chance to get compromised when
> bootstrapping from 'http://ftp.de.debian.org/debian' and then apt-get
> upgrading from 'http://security.debian.org'.
>
> Is there any way to break this cycle?
>
> Best regards,
> Patrick
>
> [1] https://github.com/QubesOS/qubes-issues/issues/2520
>
One thing that would help a lot with future issues like this is to use
only encrypted connections in /etc/apt/sources.list. That can be either
HTTPS or a Tor Hidden Service .onion address. For an in-depth discussion
of this, see:
* https://labs.riseup.net/code/issues/8143
* https://guardianproject.info/2016/07/31/howto-get-all-your-debian-packages-via-tor-onion-services/
* https://guardianproject.info/2014/10/16/reducing-metadata-leakage-from-software-updates/
For the official Debian Tor Hidden Service addresses including apt
mirrors, see:
https://onion.debian.org/
.hc
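As an added example, not code from this thread, from Debian or from apt, the following POSIX shell script turns the two suggestions above into checks an administrator can run: `audit_sources` lists every deb/deb-src entry in a sources.list that is fetched neither over HTTPS nor from a .onion host, and `inrelease_longest_line` reports the longest line in an InRelease file, reflecting only the quoted hint that the attack needed "fairly long lines" (no cut-off length is assumed; the operator compares against their own mirror's normal files). The sample sources.list and InRelease are constructed inline, the .onion address is a placeholder, and the HTTPS mirror entries are sample values, not a recommended configuration.

```shell
#!/bin/sh
# Added example for this thread, not code from Debian, apt or the posters.
# Two defender-side checks:
#   audit_sources FILE          - print every deb/deb-src URI in a sources.list
#                                 that is neither https:// nor a .onion host
#   inrelease_longest_line FILE - print the length of the longest line in an
#                                 InRelease file (the quoted hint says the
#                                 bypass needed "fairly long lines"; no
#                                 threshold is assumed here)
# write_samples DIR builds constructed sample files so the script runs offline.

audit_sources() {
    awk '
        $1 == "deb" || $1 == "deb-src" {
            i = 2
            # skip an options block such as [arch=amd64 trusted=yes]
            if (substr($2, 1, 1) == "[") {
                while (i <= NF && substr($i, length($i), 1) != "]") i++
                i++
            }
            uri = $i
            # HTTPS and Tor onion services are both encrypted end to end;
            # anything else is fetched in the clear and is flagged
            if (uri !~ "^https://" && uri !~ "^https?://[^/]*[.]onion(/|$)")
                print uri
        }' "$1"
}

inrelease_longest_line() {
    awk '{ if (length($0) > max) max = length($0) } END { print max + 0 }' "$1"
}

write_samples() {
    # Constructed sources.list: two plaintext entries, two HTTPS entries (one
    # with an options block) and one onion entry with a placeholder address.
    cat > "$1/sources.list" <<'EOF'
# constructed sample, not a real configuration
deb http://ftp.de.debian.org/debian stretch main
deb-src http://ftp.de.debian.org/debian stretch main
deb https://security.debian.org/debian-security stretch/updates main
deb [arch=amd64] https://deb.debian.org/debian stretch main
deb http://PLACEHOLDER-ONION-ADDRESS.onion/debian stretch main
EOF
    # Constructed InRelease: a few normal header lines plus one 513-character
    # line, so the length check has something to report.
    {
        printf '%s\n' '-----BEGIN PGP SIGNED MESSAGE-----' 'Hash: SHA256' '' \
            'Origin: constructed sample' 'Suite: stable'
        awk 'BEGIN { s = "Description: "; for (n = 0; n < 500; n++) s = s "x"; print s }'
    } > "$1/InRelease"
}

# Stand-alone demo: sh thisscript.sh demo
if [ "${1-}" = "demo" ]; then
    tmp=$(mktemp -d)
    write_samples "$tmp"
    echo "plaintext (unencrypted) apt sources:"
    audit_sources "$tmp/sources.list"
    echo "longest InRelease line: $(inrelease_longest_line "$tmp/InRelease") bytes"
    rm -r "$tmp"
fi
```

Run against a real system with `audit_sources /etc/apt/sources.list` and `inrelease_longest_line /var/lib/apt/lists/*InRelease`; the script only reads files and reports, it changes nothing. The onion match accepts plain `http://` to a .onion host because the Tor circuit itself provides the encryption the reply above relies on.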