[Whonix-devel] qubes-linux-template-builder Debian apt-get --force-yes --yes security issue?
Patrick Schleizer
adrelanos at riseup.net
Tue Apr 28 00:26:44 CEST 2015
Hi!
From
qubes-linux-template-builder/scripts_debian/vars.sh
https://github.com/QubesOS/qubes-builder-debian/blob/33109b3ed425fc5c590b5e551ed4739373076609/template_qubuntu/vars.sh#L25
APT_GET_OPTIONS="-o Dpkg::Options::="--force-confnew" --force-yes --yes"
Could be a security issue. The combination of --force-yes and --yes is
insecure. Could lead to installation of unsigned packages.
Concluded that by reading the source and by remembering a bug report
against a similar Debian image build script where I did some testing.
- https://github.com/grml/grml-debootstrap/issues/62
- https://www.whonix.org/wiki/Dev/apt-get#apt-get_Install_Signed_vs_Unsigned_Packages
I didn't actually test here but I find this quite possible. Highly
recommend to drop the --force-yes.
Cheers,
Patrick
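
Added example (not part of the original message, and not Qubes or Whonix code): a small shell check that scans build scripts for apt-get options that bypass package authentication. It goes slightly beyond the message by also flagging --allow-unauthenticated and the APT::Get::AllowUnauthenticated setting. The function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Options that let apt-get proceed without package authentication.
APT_RISKY='--force-yes|--allow-unauthenticated|AllowUnauthenticated'

# scan_apt_flags DIR: print "file:line:text" for each non-comment line
# under DIR that carries one of the risky options.
scan_apt_flags() {
    # grep exits 1 when nothing matches; "|| true" keeps this safe under set -e
    grep -rnE -e "$APT_RISKY" -- "$1" 2>/dev/null \
        | grep -vE '^[^:]*:[0-9]+:[[:space:]]*#' || true
}

# count_apt_flags DIR: print the number of findings (0 when clean).
count_apt_flags() {
    scan_apt_flags "$1" | grep -c . || true
}

# make_sample_tree: create constructed sample files, print their directory.
make_sample_tree() {
    d=$(mktemp -d)
    # Constructed sample: the option string quoted in the message above.
    cat > "$d/vars.sh" <<'EOF'
APT_GET_OPTIONS="-o Dpkg::Options::="--force-confnew" --force-yes --yes"
EOF
    # Constructed sample: the same options with --force-yes dropped.
    cat > "$d/vars_fixed.sh" <<'EOF'
# previously used --force-yes here
APT_GET_OPTIONS="-o Dpkg::Options::="--force-confnew" --yes"
EOF
    printf '%s\n' "$d"
}

sample=$(make_sample_tree)
scan_apt_flags "$sample"          # lists only vars.sh line 1
echo "findings: $(count_apt_flags "$sample")"
rm -rf "$sample"
```

Run it against a checkout of the build scripts by calling scan_apt_flags with the repository path; a non-zero count can fail a CI job.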