[Whonix-devel] not getting compromised while applying apt-get upgrade for CVE-2016-1252

Patrick Schleizer adrelanos at riseup.net
Fri Dec 16 23:32:00 CET 2016


Julian Andres Klode:
> (2) look at the InRelease file and see if it contains crap
>     after you updated (if it looks OK, it's secure - you need
>     fairly long lines to be able to break this)

Thank you for that hint, Julian!

Can you please elaborate on this? (I am asking for Qubes and Whonix
(derivatives of Debian) build security purposes. [1])

Could you please provide information on how long safe / unsafe lines are
or how to detect them?

Ideally, could you please provide some sanity check command that could be
used to detect malicious InRelease files such as 'find /var/lib/apt
-name '*InRelease*' -size +2M' or so?

The problem is,

- debootstrap can only bootstrap from one source such as
'http://ftp.de.debian.org/debian' - which still contains vulnerable apt.
(Correct me if I am wrong, I would hope to be wrong on that one.)

- bootstrapping from 'http://security.debian.org' is not possible
[contains only security updates, not a complete repository].

- So in conclusion one has a chance to get compromised when
bootstrapping from 'http://ftp.de.debian.org/debian' and then apt-get
upgrading from 'http://security.debian.org'.

Is there any way to break this cycle?

Best regards,
Patrick

[1] https://github.com/QubesOS/qubes-issues/issues/2520
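One way to turn Julian's hint into the sanity check Patrick asks for, as an added example that is not part of the thread or of any Debian tooling: it walks the apt list directory, reports any InRelease file with a line longer than a threshold, and reports any non-blank data after the PGP signature block (a clearsigned file should end there). The 1024-byte threshold and the default directory are assumptions, not limits documented on this page.

```shell
#!/bin/sh
# Added example, not from the original thread. Coarse sanity check for
# InRelease files: normal lines (hashes, sizes, file names) are short, and a
# clearsigned file ends with the PGP signature block.
#
# Usage: check_inrelease_files [DIR] [MAX_LINE_BYTES]
# Returns 0 when nothing suspicious was found, 1 otherwise.
check_inrelease_files() {
    dir="${1:-/var/lib/apt/lists}"   # assumed default location of apt lists
    max="${2:-1024}"                 # assumed threshold, not a documented limit
    status=0
    for f in "$dir"/*InRelease; do
        [ -f "$f" ] || continue
        # Longest line in bytes (LC_ALL=C makes awk's length() count bytes).
        longest=$(LC_ALL=C awk 'length > m { m = length } END { print m + 0 }' "$f")
        if [ "$longest" -gt "$max" ]; then
            echo "SUSPICIOUS: $f has a ${longest}-byte line (limit $max)"
            status=1
        fi
        # Count non-blank lines after the END PGP SIGNATURE marker; a
        # well-formed clearsigned file has none.
        trailing=$(awk '/^-----END PGP SIGNATURE-----$/ { seen = 1; next }
                        seen && NF { n++ }
                        END { print n + 0 }' "$f")
        if [ "$trailing" -gt 0 ]; then
            echo "SUSPICIOUS: $f has $trailing non-blank line(s) after the signature"
            status=1
        fi
    done
    return "$status"
}
```

A clean result does not prove the file is benign; it only rules out the two crude anomalies the hint describes, so keep it alongside, not instead of, a fixed apt.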