Package: virtinst
Version: 1:1.4.0-5

I rediscovered a problem I found a couple of years ago, and thought I'd report it properly this time.

The problem is that "virt-install --location" does not verify checksums/signatures of what is downloaded, and is thus vulnerable to a network attack where someone replaces the kernel/initrd with a version that is malicious. As far as I know, there is no way to tell virt-install what checksums to expect.

See earlier discussion here:

https://www.redhat.com/archives/virt-tools-list/2015-April/msg00214.html

Quoting the manpage which gives http-URLs to use:

    --location OPTIONS
    ...
        Debian
            http://ftp.us.debian.org/debian/dists/stable/main/installer-amd64/

        Ubuntu
            http://us.archive.ubuntu.com/ubuntu/dists/wily/main/installer-amd64/

A workaround is to replace the recommended http URLs with https URLs. I checked that CA verification of the domain name works. This gives some protection, but far from a GnuPG-based verification that would be ideal.

Run this command to see what is happening:

    virt-install --name foo --memory 500 --disk none --location http://deb.debian.org/debian/dists/stable/main/installer-amd64/ --noautoconsole --debug

/Simon
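The hash chain that a GnuPG-based check of the downloaded kernel/initrd would rest on, as an added example (not part of the original report and not virt-install code). It assumes the Release file's signature has already been verified separately (for instance with gpgv against the Debian archive keyring) and that the installer's SHA256SUMS is listed in Release under the path shown; the function names are hypothetical and the sample data is constructed.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def parse_release(text: str) -> dict:
    """Return {path: (sha256, size)} from the SHA256 section of a Release file."""
    entries, in_section = {}, False
    for line in text.splitlines():
        if not line.startswith(" "):
            in_section = line.strip() == "SHA256:"   # a new field starts or ends the section
        elif in_section:
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries

def parse_sums(text: str) -> dict:
    """Return {path: sha256} from a sha256sum-style file, dropping a leading './'."""
    sums = {}
    for line in text.splitlines():
        if line.strip():
            digest, path = line.split(None, 1)
            path = path.strip()
            sums[path[2:] if path.startswith("./") else path] = digest
    return sums

def verify_boot_files(release_text, sums_path, sums_bytes, files):
    """Check Release -> SHA256SUMS -> kernel/initrd; raise ValueError on any break.

    release_text must already be signature-verified (assumption of this example).
    files maps a path as listed in SHA256SUMS to the downloaded bytes.
    """
    want = parse_release(release_text).get(sums_path)
    if want is None:
        raise ValueError(f"{sums_path} is not listed in Release")
    if (sha256(sums_bytes), len(sums_bytes)) != want:
        raise ValueError(f"{sums_path} does not match Release")
    sums = parse_sums(sums_bytes.decode())
    for path, data in files.items():
        if sums.get(path) != sha256(data):          # missing entry also fails
            raise ValueError(f"{path} does not match SHA256SUMS")
    return True

# Constructed sample data standing in for the real downloads.
KERNEL, INITRD = b"constructed kernel bytes", b"constructed initrd bytes"
SUMS_PATH = "main/installer-amd64/current/images/SHA256SUMS"
SUMS = (f"{sha256(KERNEL)}  ./netboot/debian-installer/amd64/linux\n"
        f"{sha256(INITRD)}  ./netboot/debian-installer/amd64/initrd.gz\n").encode()
RELEASE = f"Suite: stable\nSHA256:\n {sha256(SUMS)} {len(SUMS)} {SUMS_PATH}\n"
```
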