Steven Chamberlain:
> Package: release.debian.org
> User: release.debian....@packages.debian.org
> Usertags: unblock
> X-Debbugs-Cc: debian-b...@lists.debian.org
>
> Hi!
>
> Attached are proposed debdiffs for anna, cdebootstrap and their
> dependency libdebian-installer (Bug #856210).
>
> Would the release team be willing to grant unblocks for these?
> (It would also require an ACK from the d-i release manager).
>

The changes have my blessing (with a remark further down).

(Quoted in full for KiBi's sake as I wasn't sure he had seen this)

> In the installer, net-retriever verifies the Release file with SHA256,
> but anna only validates the .udeb files with MD5, which was surprising.
> The .udeb files are extracted and then their contents may be executed
> with full privileges during the install (Bug #856211).
>
> netboot images typically fetch .udeb files over unsecured HTTP. Other
> install media bundles those so they need not be downloaded, but it could
> still happen if networking is configured during the install and a
> network mirror has newer versions of any required .udeb files. (Some
> .udeb files are retrieved later, after installing the base system).
>
> If not already considered a grave security flaw, it might be during the
> lifetime of stretch (-2022?). Even if fixed in a point release, any
> install media created before then would remain vulnerable.
>
> The changes to libdebian-installer are ABI-compatible, such that only
> reverse-dependencies that use the md5sum field should be affected
> (thought to be just anna and cdebootstrap). They would FTBFS until
> patched, and already-built binaries would report a "md5sum mismatch" if
> they used this new version of the library at run-time, since the new
> SHA256 hashes would not match the MD5 hashes they expect.
>
> unblock libdebian-installer/0.109
> unblock anna/1.58
> unblock cdebootstrap/0.7.7
>
> Thanks!
>
> [...]

Strictly speaking, the ".deb" variants of libdebian-installer would need a "Breaks" and the rdeps a versioned Depends. I am not entirely sure if that is applicable for the udeb variants, but I assume KiBi got that covered if he approves the change.

Thanks,
~Niels
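The verification change Steven describes, checking a fetched .udeb against the SHA256 field of its Packages index entry instead of the MD5sum field, is illustrated below as an added Python example. It is not the installer's own code (anna, net-retriever and libdebian-installer are C and are not reproduced here); the stanza builder, the payload bytes and the helper names are constructed for this example, and the only behaviour it models is the one the thread discusses: a verifier that uses SHA256, refuses an index that carries no SHA256 field rather than falling back to MD5, and rejects a modified file.

```python
import hashlib
import hmac

# Constructed sample payload (not a real ar archive); it stands in for a
# .udeb that net-retriever would fetch from a mirror over plain HTTP.
GENUINE_UDEB = b"!<arch>\ndebian-binary  constructed sample udeb payload\n"
# Same payload with one word changed, as a stand-in for a file altered in transit.
TAMPERED_UDEB = GENUINE_UDEB.replace(b"sample", b"SAMPLE")


def build_stanza(name, data, with_sha256=True):
    """Build a constructed Packages-index stanza describing `data`.

    Real indexes come from the archive software; this helper exists only so
    the example runs offline. `with_sha256=False` mimics an index whose only
    checksum is MD5sum, the case the pre-1.58 anna relied on.
    """
    lines = [
        f"Package: {name}",
        "Version: 1.0-1",
        f"Size: {len(data)}",
        f"Filename: pool/main/{name[0]}/{name}/{name}_1.0-1_amd64.udeb",
        f"MD5sum: {hashlib.md5(data).hexdigest()}",
    ]
    if with_sha256:
        lines.append(f"SHA256: {hashlib.sha256(data).hexdigest()}")
    return "\n".join(lines) + "\n"


def parse_stanza(text):
    """Parse one RFC822-style Packages stanza into a dict of field -> value.

    Continuation lines (leading whitespace) are appended to the previous field.
    """
    fields = {}
    key = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and key is not None:
            fields[key] += "\n" + line.strip()
            continue
        key, _, value = line.partition(":")
        key = key.strip()
        fields[key] = value.strip()
    return fields


def verify_udeb(data, stanza):
    """Check a fetched .udeb against its index entry using SHA256 only.

    Returns True on match and False on mismatch. Raises ValueError when the
    stanza has no SHA256 field, so an MD5-only index cannot silently
    downgrade the check (this is the behaviour the thread argues anna needs;
    the exact error handling in the real fix is not taken from this example).
    """
    fields = parse_stanza(stanza)
    expected = fields.get("SHA256")
    if expected is None:
        raise ValueError("index stanza has no SHA256 field; refusing MD5-only verification")
    size = fields.get("Size")
    if size is not None and int(size) != len(data):
        return False
    actual = hashlib.sha256(data).hexdigest()
    # Constant-time comparison of the hex digests.
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    stanza = build_stanza("anna", GENUINE_UDEB)
    print("genuine :", verify_udeb(GENUINE_UDEB, stanza))
    print("tampered:", verify_udeb(TAMPERED_UDEB, stanza))
    try:
        verify_udeb(GENUINE_UDEB, build_stanza("anna", GENUINE_UDEB, with_sha256=False))
    except ValueError as exc:
        print("md5-only:", exc)
```

The point of raising rather than falling back is the one Steven makes about already-built binaries: a verifier whose expected digest and computed digest disagree on algorithm reports a mismatch, and a verifier that silently accepts whatever weaker field is present gives an attacker on the HTTP path exactly the downgrade the change is meant to remove.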