[Whonix-devel] not getting compromised while applying apt-get upgrade for CVE-2016-1252
Patrick Schleizer
adrelanos at riseup.net
Fri Dec 16 23:32:00 CET 2016
Julian Andres Klode:
> (2) look at the InRelease file and see if it contains crap
> after you updated (if it looks OK, it's secure - you need
> fairly long lines to be able to break this)
Thank you for that hint, Julian!
Can you please elaborate on this? (I am asking for Qubes and Whonix
(derivatives of Debian) build security purposes. [1])
Could you please provide information on how long safe / unsafe lines are
or how to detect them?
Ideally could you please provide some sanity check command that could be
used to detect malicious InRelease files such as 'find /var/lib/apt
-name '*InRelease*' -size +2M' or so?
The problem is,
- debootstrap can only bootstrap from one source such as
'http://ftp.de.debian.org/debian' - which still contains vulnerable apt.
(Correct me if I am wrong, I would hope to be wrong on that one.)
- bootstrapping from 'http://security.debian.org' is not possible
[contains only security updates, not a complete repository].
- So in conclusion one has a chance to get compromised when
bootstrapping from 'http://ftp.de.debian.org/debian' and then apt-get
upgrading from 'http://security.debian.org'.
Is there any way to break this cycle?
Best regards,
Patrick
[1] https://github.com/QubesOS/qubes-issues/issues/2520
More information about the Whonix-devel
mailing list