Hi,

On Saturday 22 September 2018 22:51:36 CET, you wrote:
> Package: virtinst
> Version: 1:1.4.0-5
>
> I rediscovered a problem I found a couple of years ago, and thought I'd
> report it properly this time.
>
> The problem is that "virt-install --location" does not verify
> checksums/signatures of what is downloaded, and is thus vulnerable to a
> network attack where someone replaces the kernel/initrd with a version
> that is malicious. As far as I know, there is no way to tell
> virt-install what checksums to expect.
>
> See earlier discussion here:
> https://www.redhat.com/archives/virt-tools-list/2015-April/msg00214.html
>
> Quoting the manpage which gives http-URLs to use:
>
>    --location OPTIONS
>    ...
>            Debian
>                http://ftp.us.debian.org/debian/dists/stable/main/installer-amd64/
>
>            Ubuntu
>                http://us.archive.ubuntu.com/ubuntu/dists/wily/main/installer-amd64/
>
> A workaround is to replace the recommended http URLs with https URLs.
> I checked that CA verification of the domain name works. This gives
> some protection, but far from a GnuPG-based verification that would be
> ideal.

Upstream switched to https URLs with two commits:
- a712549b2b9b0100907878fea18442be68b8d35f [1]
- b1460ba0654c00527c8d5632d69b30c7030dc182 [2]
which are both available in virt-manager 2.0.0.

Note that even before the above fixes it was possible to pass https URLs
to the installer location.

Also, the upstream bug rh#1632132 [3] was recently closed, also for low
priorities and not much interest shown in it.

I'd tend to close this bug as well, however I'm not strongly for it.

[1] https://github.com/virt-manager/virt-manager/commit/a712549b2b9b0100907878fea18442be68b8d35f
[2] https://github.com/virt-manager/virt-manager/commit/b1460ba0654c00527c8d5632d69b30c7030dc182
[3] https://bugzilla.redhat.com/show_bug.cgi?id=1632132

-- 
Pino Toscano
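An added example, not part of the message above and not virt-manager code: a sketch of the checksum chain the report asks for, where the kernel and initrd are checked against a SHA256SUMS manifest and the manifest against the archive's Release file. It assumes the Release text has already passed signature verification (for instance with gpgv) and that Release lists the installer manifest under the path shown; the file names and contents are constructed sample data.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def release_entries(release_text: str) -> dict:
    """Parse the 'SHA256:' section of a Release file into {path: (hash, size)}."""
    entries, in_section = {}, False
    for line in release_text.splitlines():
        if not line.startswith(" "):          # a new field header ends the section
            in_section = line.strip() == "SHA256:"
        elif in_section:
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries

def manifest_entries(manifest_text: str) -> dict:
    """Parse sha256sum-style lines ('<hash>  ./path') into {path: hash}."""
    out = {}
    for line in filter(str.strip, manifest_text.splitlines()):
        digest, path = line.split(None, 1)
        out[path.strip().removeprefix("./")] = digest
    return out

def verify_boot_files(release_text, manifest_path, manifest, files):
    """Return a list of problems (empty = chain intact). release_text is assumed signature-checked."""
    expected = release_entries(release_text).get(manifest_path)
    if expected is None:
        return [f"{manifest_path}: not listed in Release"]
    if (sha256(manifest), len(manifest)) != expected:
        return [f"{manifest_path}: does not match Release"]
    sums = manifest_entries(manifest.decode())
    problems = []
    for path, data in files.items():
        if path not in sums:
            problems.append(f"{path}: not listed in manifest")
        elif sha256(data) != sums[path]:
            problems.append(f"{path}: checksum mismatch")
    return problems

# Constructed sample data (not real Debian files or hashes).
KERNEL, INITRD = b"constructed kernel image", b"constructed initrd image"
MANIFEST = (f"{sha256(KERNEL)}  ./netboot/linux\n"
            f"{sha256(INITRD)}  ./netboot/initrd.gz\n").encode()
MANIFEST_PATH = "main/installer-amd64/current/images/SHA256SUMS"
RELEASE = f"Suite: stable\nSHA256:\n {sha256(MANIFEST)} {len(MANIFEST)} {MANIFEST_PATH}\n"

if __name__ == "__main__":
    files = {"netboot/linux": KERNEL, "netboot/initrd.gz": INITRD + b"tampered"}
    print(verify_boot_files(RELEASE, MANIFEST_PATH, MANIFEST, files))
```

Unlike the https workaround, this check does not depend on which mirror or transport delivered the files, only on the signed Release file.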