On Sat, Dec 17, 2016 at 02:47:28AM +0100, David Kalnischkies wrote:
> The provided exploit used a 1.3 GB big InRelease file for that, which
> works with some confidence on a sufficiently memory-starved i386 system
> if you can live with the fact that this works only 1/4 of the time as
> the rest of the time it will fail (or not) at the wrong moment resulting
> in errors from apt. More recent (>= 1.1) apt versions bail if
> a (In)Release file is larger than 10 MB which is further complicating
> things. A good attacker therefore likely needs a way to put the machine
> in a memory-starved state on demand – like DoS the webserver running on
> the same box at the right moment. Timing and luck is really important.

So, with apt >= 1.1 it is very unlikely (at least) to affect client,
64-bit system, right? In practice even older apt (stable) on 64-bit is
hard to exploit, but not unthinkable (will probably require larger file
and careful targeting for particular memory size; and a lot of luck),
right?

(...)

> In terms of stable (which seems to be what you are asking about) there
> is a trivial 99,9% shortcut: stable has no InRelease file for technical
> reasons ATM, so something is fishy if you get one (aka apt should
> display Ign lines).²

Not fully true:
http://security.debian.org/dists/jessie/updates/InRelease

Anyway `wc -L` pointed earlier should do the trick.

> ¹ It's complicated as many different code parts are interacting here, so
> simply storing the split-result wasn't as easy as it sounds. The acquire
> system rewrite we performed the last few years should make that possible
> now. I wanted to look into that anyhow, just have to find the time as it
> is still not as easy as it sounds. Just likely "possible".

Good to know. Thanks for detailed answer.

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?