Bug#909389: virt-inst --location security concern

2020-11-30 Thread Pino Toscano
Hi,

On Saturday 22 September 2018 22:51:36 CET, you wrote:
> Package: virtinst
> Version: 1:1.4.0-5
> 
> I rediscovered a problem I found a couple of years ago, and thought I'd
> report it properly this time.
> 
> The problem is that "virt-install --location" does not verify
> checksums/signatures of what is downloaded, and is thus vulnerable to a
> network attack where someone replaces the kernel/initrd with a version
> that is malicious.  As far as I know, there is no way to tell
> virt-install what checksums to expect.
> 
> See earlier discussion here:
> https://www.redhat.com/archives/virt-tools-list/2015-April/msg00214.html
> 
> Quoting the manpage which gives http-URLs to use:
> 
>    --location OPTIONS
> ...
>    Debian
>    http://ftp.us.debian.org/debian/dists/stable/main/installer-amd64/
> 
>    Ubuntu
>    http://us.archive.ubuntu.com/ubuntu/dists/wily/main/installer-amd64/
> 
> A workaround is to replace the recommended http URLs with https URLs. 
> I checked that CA verification of the domain name works.  This gives
> some protection, but far from a GnuPG-based verification that would be
> ideal.

Upstream switched to https URLs with two commits:
- a712549b2b9b0100907878fea18442be68b8d35f [1]
- b1460ba0654c00527c8d5632d69b30c7030dc182 [2]
which are both available in virt-manager 2.0.0.

Note that even before the above fixes it was possible to pass https
URLs to the installer location.

Also, the upstream bug rh#1632132 [3] was recently closed, also for
low priorities and not much interest shown in it. I'd tend to close
this bug as well, however I'm not strongly for it.

[1] https://github.com/virt-manager/virt-manager/commit/a712549b2b9b0100907878fea18442be68b8d35f
[2] https://github.com/virt-manager/virt-manager/commit/b1460ba0654c00527c8d5632d69b30c7030dc182
[3] https://bugzilla.redhat.com/show_bug.cgi?id=1632132

-- 
Pino Toscano



Bug#909389: virt-inst --location security concern

2018-09-22 Thread Simon Josefsson
Package: virtinst
Version: 1:1.4.0-5

I rediscovered a problem I found a couple of years ago, and thought I'd
report it properly this time.

The problem is that "virt-install --location" does not verify
checksums/signatures of what is downloaded, and is thus vulnerable to a
network attack where someone replaces the kernel/initrd with a version
that is malicious.  As far as I know, there is no way to tell
virt-install what checksums to expect.

See earlier discussion here:
https://www.redhat.com/archives/virt-tools-list/2015-April/msg00214.html

Quoting the manpage which gives http-URLs to use:

   --location OPTIONS
...
   Debian
   http://ftp.us.debian.org/debian/dists/stable/main/installer-amd64/

   Ubuntu
   http://us.archive.ubuntu.com/ubuntu/dists/wily/main/installer-amd64/

A workaround is to replace the recommended http URLs with https URLs. 
I checked that CA verification of the domain name works.  This gives
some protection, but far from a GnuPG-based verification that would be
ideal.

Run this command to see what is happening:

virt-install --name foo --memory 500 --disk none --location http://deb.debian.org/debian/dists/stable/main/installer-amd64/ --noautoconsole --debug

/Simon
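
The check the report asks for, comparing the downloaded kernel and initrd against expected checksums before they are booted, can be done by hand. This is an added example, not code from virt-install or from either poster; the function names are hypothetical, and it assumes the files were fetched into a local directory and that the sha256sum-style manifest was itself authenticated separately (for example with GnuPG).

```python
import hashlib
import re
import tempfile
from pathlib import Path

# sha256sum line format: 64 hex digits, a space, ' ' or '*', then the file name.
LINE = re.compile(r"([0-9a-fA-F]{64}) [ *](.+)")

def parse_manifest(text):
    """Return {relative path: lowercase digest}; reject malformed lines."""
    expected = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE.fullmatch(line)
        if m is None:
            raise ValueError(f"malformed manifest line: {line!r}")
        name = m.group(2)
        expected[name[2:] if name.startswith("./") else name] = m.group(1).lower()
    return expected

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so a large initrd is not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_boot_files(root, manifest_text, required):
    """Return the verified paths; raise if a required file is unlisted or differs."""
    expected = parse_manifest(manifest_text)
    verified = []
    for rel in required:
        if rel not in expected:  # fail closed: no manifest entry means no trust
            raise ValueError(f"{rel} is not listed in the manifest")
        path = Path(root) / rel
        if sha256_file(path) != expected[rel]:
            raise ValueError(f"checksum mismatch for {rel}")
        verified.append(path)
    return verified

if __name__ == "__main__":  # constructed sample data, not real installer files
    with tempfile.TemporaryDirectory() as d:
        files = {"linux": b"constructed kernel", "initrd.gz": b"constructed initrd"}
        for name, data in files.items():
            (Path(d) / name).write_bytes(data)
        manifest = "".join(f"{hashlib.sha256(v).hexdigest()}  ./{k}\n" for k, v in files.items())
        print(verify_boot_files(d, manifest, list(files)))
```

Only the paths returned by `verify_boot_files` should be handed on to the installer; any exception means the download must be discarded.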

