Re: [qubes-devel] Re: not getting compromised while applying apt-get upgrade for CVE-2016-1252

On 12/19/2016 06:26 PM, Patrick Schleizer wrote: What about Debian graphical installer security? Isn't that in meanwhile the ideal target for exploitation for targeted attacks? Because it will take a while until the Debian point release with fixed apt. And during the gui installer, the output

Re: not getting compromised while applying apt-get upgrade for CVE-2016-1252

What about Debian graphical installer security? Isn't that in meanwhile the ideal target for exploitation for targeted attacks? Because it will take a while until the Debian point release with fixed apt. And during the gui installer, the output of apt-get is not visible. And stuff during

Re: not getting compromised while applying apt-get upgrade for CVE-2016-1252

On Sat, 17 Dec 2016, Hans-Christoph Steiner wrote: > One thing that would help a lot with future issues like this is to use > only encrypted connections in /etc/apt/sources.list. That can be either > HTTPS or a Tor Hidden Service .onion address. For in depth discussion > of this, see: You could

Re: not getting compromised while applying apt-get upgrade for CVE-2016-1252

Patrick Schleizer: > Julian Andres Klode: >> (2) look at the InRelease file and see if it contains crap >> after you updated (if it looks OK, it's secure - you need >> fairly long lines to be able to break this) > > Thank you for that hint, Julian! > > Can you please elaborate on this?

Re: [qubes-devel] Re: not getting compromised while applying apt-get upgrade for CVE-2016-1252

On Sat, 2016-12-17 at 04:42 +0100, Marek Marczykowski-Górecki wrote: > On Sat, Dec 17, 2016 at 02:47:28AM +0100, David Kalnischkies wrote: > > In terms of stable (which seems to be what you are asking about) there > > is a trivial 99,9% shortcut: stable has no InRelease file for technical > >

Re: [qubes-devel] Re: not getting compromised while applying apt-get upgrade for CVE-2016-1252

-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 On Sat, Dec 17, 2016 at 02:47:28AM +0100, David Kalnischkies wrote: > The provided exploit used a 1.3 GB big InRelease file for that, which > works with some confidence on a sufficiently memory-starved i386 system > if you can live with the fact

Re: not getting compromised while applying apt-get upgrade for CVE-2016-1252

First things first: If you really want to pull packages by hand you need to pull libapt-pkg as the faulty code is in the apt library (aka it effects aptitude, synaptics, …). Updating apt only isn't changing anything… Second: The DSA unfortunately didn't mention apt-ftparchive – if you don't trust

Re: not getting compromised while applying apt-get upgrade for CVE-2016-1252

On Fri, Dec 16, 2016 at 10:32:00PM +, Patrick Schleizer wrote: > Julian Andres Klode: > > (2) look at the InRelease file and see if it contains crap > > after you updated (if it looks OK, it's secure - you need > > fairly long lines to be able to break this) > > Thank you for that

Re: not getting compromised while applying apt-get upgrade for CVE-2016-1252

Julian Andres Klode: > (2) look at the InRelease file and see if it contains crap > after you updated (if it looks OK, it's secure - you need > fairly long lines to be able to break this) Thank you for that hint, Julian! Can you please elaborate on this? (I am asking for Qubes and Whonix

Re: not getting compromised while applying apt-get upgrade for CVE-2016-1252

Idézem/Quoting Geert Stappers : On Thu, Dec 15, 2016 at 09:43:59PM +0100, SZÉPE Viktor wrote: Quoting Patrick Schleizer : >Very short summary of the bug: >(my own words) During apt-get upgrading signature verification can be >tricked resulting in

Re: not getting compromised while applying apt-get upgrade for CVE-2016-1252

Geert Stappers: > On Thu, Dec 15, 2016 at 09:43:59PM +0100, SZÉPE Viktor wrote: >> Quoting Patrick Schleizer : >> >>> Very short summary of the bug: >>> (my own words) During apt-get upgrading signature verification can be >>> tricked resulting in arbitrary package

Re: not getting compromised while applying apt-get upgrade for CVE-2016-1252

On Thu, Dec 15, 2016 at 09:43:59PM +0100, SZÉPE Viktor wrote: > Quoting Patrick Schleizer : > > >Very short summary of the bug: > >(my own words) During apt-get upgrading signature verification can be > >tricked resulting in arbitrary package installation, system compromise.

Re: not getting compromised while applying apt-get upgrade for CVE-2016-1252

On Fri, Dec 16, 2016 at 4:33 AM, Patrick Schleizer wrote: > Is it possible to disable InRelease processing by apt-get? The answer from #debian-apt is that there is no setting for this. Your options are: Use an intercepting proxy that replies with 404 to InRelease files. Do an apt update to

Re: not getting compromised while applying apt-get upgrade for CVE-2016-1252

Hello Patrick! You may download the new package http://security.debian.org/debian-security/pool/updates/main/a/apt/apt_1.0.9.8.4_amd64.deb (for amd64) and check its checksum https://packages.debian.org/jessie/amd64/apt/download $ sha256sum apt_1.0.9.8.4_amd64.deb

not getting compromised while applying apt-get upgrade for CVE-2016-1252

TLDR: Is it possible to disable InRelease processing by apt-get? Long: Very short summary of the bug: (my own words) During apt-get upgrading signature verification can be tricked resulting in arbitrary package installation, system compromise. sources: -