On Fri, Dec 16, 2016 at 10:32:00PM +0000, Patrick Schleizer wrote:
> Julian Andres Klode:
> > (2) look at the InRelease file and see if it contains crap
> > after you updated (if it looks OK, it's secure - you need
> > fairly long lines to be able to break this)
>
> Thank you for that hint, Julian!
>
> Can you please elaborate on this? (I am asking for Qubes and Whonix
> (derivatives of Debian) build security purposes. [1])

I added some details in that referenced bug :)

> Could you please provide information on how long safe / unsafe lines are
> or how to detect them?
>
> Ideally could you please provide some sanity check command that could be
> used to detect malicious InRelease files such as 'find /var/lib/apt
> -name '*InRelease*' -size +2M' or so?

Checking that wc -L (longest line) of the release file is reasonably small
(like 256, 512, or 1024) should be enough. Currently, it's about 140 chars
for unstable.

> The problem is,
>
> - debootstrap can only bootstrap from one source such as
> 'http://ftp.de.debian.org/debian' - which still contains vulnerable apt.
> (Correct me if I am wrong, I would hope to be wrong on that one.)

Right now yes. That will contain a new APT in a point release.

That said, there might be issues in debootstrap's Release file
verification, someone should check that...

-- 
Debian Developer - deb.li/jak | jak-linux.org - free software dev
                  |  Ubuntu Core Developer |
When replying, only quote what is necessary, and write each reply
directly below the part(s) it pertains to ('inline'). Thank you.
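The longest-line sanity check Julian describes, written out as a script. This is an added example, not code from the thread or from APT: the 1024-character limit is taken from the figures in the mail, the directory argument (normally /var/lib/apt/lists) and the sample InRelease files are constructed here for a stand-alone run.

```sh
#!/bin/sh
# Added example, not from the original thread: flag any *InRelease* file
# whose longest line exceeds a limit. The default limit (1024) is an
# assumption based on the figures in the mail; a legitimate file from
# unstable has lines of roughly 140 characters.

# Print the length of the longest line in a file. Same idea as GNU
# `wc -L`, written in awk so it also works where wc lacks -L.
longest_line_len() {
    awk '{ if (length($0) > m) m = length($0) } END { print m + 0 }' "$1"
}

# Check every *InRelease* file in a directory (e.g. /var/lib/apt/lists).
# Returns 0 if all files are within the limit, 1 if any line is too long.
check_inrelease_lines() {
    dir="$1"
    limit="${2:-1024}"
    bad=0
    for f in "$dir"/*InRelease*; do
        [ -f "$f" ] || continue
        longest=$(longest_line_len "$f")
        if [ "$longest" -gt "$limit" ]; then
            echo "SUSPICIOUS: $f longest line $longest > $limit" >&2
            bad=1
        else
            echo "ok: $f longest line $longest"
        fi
    done
    return "$bad"
}

# Constructed sample data: a normal-looking Release header in both
# directories, plus one 2048-character line appended under bad/.
# Prints the temporary directory that holds good/ and bad/.
make_sample_dir() {
    d=$(mktemp -d)
    mkdir "$d/good" "$d/bad"
    for sub in good bad; do
        printf 'Origin: Debian\nSuite: unstable\nCodename: sid\nDate: Fri, 16 Dec 2016 10:00:00 UTC\n' \
            > "$d/$sub/ftp.debian.org_debian_dists_unstable_InRelease"
    done
    printf '%2048s\n' '' | tr ' ' 'A' \
        >> "$d/bad/ftp.debian.org_debian_dists_unstable_InRelease"
    echo "$d"
}
```

On a real system, source the script and run `check_inrelease_lines /var/lib/apt/lists` after `apt-get update`; a non-zero exit means at least one file has an over-long line and deserves a closer look.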