[Whonix-devel] [qubes-devel] Re: not getting compromised while applying apt-get upgrade for CVE-2016-1252
marmarek at invisiblethingslab.com
Sat Dec 17 00:28:41 CET 2016
On Sat, Dec 17, 2016 at 12:20:04AM +0100, Julian Andres Klode wrote:
> On Fri, Dec 16, 2016 at 10:32:00PM +0000, Patrick Schleizer wrote:
> > Could you please provide information on how long safe / unsafe lines are
> > or how to detect them?
> > Ideally could you please provide some sanity check command that could be
> > used to detect malicious InRelease files such as 'find /var/lib/apt
> > -name '*InRelease*' -size +2M' or so?
> Checking that wc -L (longest line) of the release file is reasonably small
> (like 256, 512, or 1024) should be enough. Currently, it's about 140 chars
> for unstable.
wc -L seems like a good one-liner, thanks!
> > The problem is,
> > - debootstrap can only bootstrap from one source such as
> > 'http://ftp.de.debian.org/debian' - which still contains vulnerable apt.
> > (Correct me if I am wrong, I would hope to be wrong on that one.)
> Right now yes. That will contain a new APT in a point release. That said,
> there might be issues in debootstrap's Release file verification, someone
> should check that...
It looks like it uses Release.gpg, so this bug does not apply, right?
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
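The wc -L sanity check suggested in the reply above, written out as a small script. This is an added example and not code from the thread, from APT, Whonix or Qubes. It assumes GNU coreutils (the -L "longest line" option of wc is a GNU extension), a default threshold of 1024 as one of the values Julian named, and the usual list directory /var/lib/apt/lists; the two sample files it builds are constructed for the demonstration and are not real InRelease files.

```bash
#!/bin/sh
# Added example, not code from the thread or from APT/Whonix/Qubes.
# Heuristic from the discussion: a legitimate InRelease file has short lines
# (about 140 chars on unstable), so an unusually long line in an InRelease
# file is suspicious. Requires GNU wc for the -L (longest line) option.

# check_inrelease_lines [DIR] [MAX_LINE_LEN]
#   Scans DIR (default /var/lib/apt/lists) for *InRelease* files and prints
#   "<longest-line-length> <path>" for each file whose longest line exceeds
#   MAX_LINE_LEN (default 1024). Returns 1 if any such file was found, else 0.
check_inrelease_lines() {
    dir="${1:-/var/lib/apt/lists}"
    max="${2:-1024}"
    found=0
    for f in "$dir"/*InRelease*; do
        [ -f "$f" ] || continue          # an unmatched glob stays literal; skip it
        longest=$(wc -L < "$f" | tr -d ' ')
        if [ "$longest" -gt "$max" ]; then
            echo "$longest $f"
            found=1
        fi
    done
    return $found
}

# make_sample_dir: builds a constructed sample list directory (hypothetical
# content, NOT real InRelease files) holding one benign file with ordinary
# line lengths and one file carrying a single 3000-character line, then
# prints the directory path.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Origin: Debian\nSuite: unstable\nSHA256:\n %s 12345 main/binary-amd64/Packages\n' \
        0000000000000000000000000000000000000000000000000000000000000000 \
        > "$d/deb.debian.org_debian_dists_unstable_InRelease"
    { printf 'Origin: Debian\n'; head -c 3000 /dev/zero | tr '\0' 'A'; printf '\n'; } \
        > "$d/mirror.example_debian_dists_unstable_InRelease"
    echo "$d"
}

# Stand-alone run against the constructed samples.
sample=$(make_sample_dir)
if check_inrelease_lines "$sample" 1024; then
    echo "no over-long lines in $sample"
else
    echo "suspicious InRelease file(s) listed above"
fi
rm -rf "$sample"
```

Run without arguments it scans /var/lib/apt/lists; pass a directory and a threshold to override either. The files under /var/lib/apt/lists are ones apt has already fetched, so this is an after-the-fact check of what a mirror served rather than a gate in front of apt.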