[Whonix-devel] [qubes-devel] Re: not getting compromised while applying apt-get upgrade for CVE-2016-1252

Marek Marczykowski-Górecki marmarek at invisiblethingslab.com
Sat Dec 17 00:28:41 CET 2016


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Sat, Dec 17, 2016 at 12:20:04AM +0100, Julian Andres Klode wrote:
> On Fri, Dec 16, 2016 at 10:32:00PM +0000, Patrick Schleizer wrote:
> > Could you please provide information on how long safe / unsafe lines are
> > or how to detect them?
> > 
> > Ideally could you please provide some sanity check command that could be
> > used to detect malicious InRelease files such as 'find /var/lib/apt
> > -name '*InRelease*' -size +2M' or so?
> 
> Checking that wc -L (longest line) of the release file is reasonably small
> (like 256, 512, or 1024) should be enough. Currently, it's about 140 chars
> for unstable.

wc -L seems like a good one-liner, thanks!

> > The problem is,
> > 
> > - debootstrap can only bootstrap from one source such as
> > 'http://ftp.de.debian.org/debian' - which still contains vulnerable apt.
> > (Correct me if I am wrong, I would hope to be wrong on that one.)
> 
> Right now yes. That will contain a new APT in a point release. That said,
> there might be issues in debootstrap's Release file verification, someone
> should check that...

It looks like it uses Release.gpg, so this bug does not apply, right?

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJYVHioAAoJENuP0xzK19csiL8IAIetZlBLlR8EiNvDouC1SRjw
c028w+CB5+YOA8RUukwtgaoljpaHnPGZ67BFKTgw2UKq5Srk+LVebPOOKXBrYRAA
h7Ku+nzhVIYagHAbqYQ1ZqsmWyI7JK1y0PjyDtdnp2RGQONWr1llP/gju9dVg5sg
ABv2CUeH0+/RRNuTFXxP2MBeciwaWfHxfEVgSvxhRLlZUqiNblcZqi4YAWNET/WU
kfe5ntASdCbcs+kjk0GTB0I8EmDp/lj4uH2Y+hI6eVuOYmoFTxNkkth2pf7gQfv9
0lePfhnaEpKbuyMAP6SIkYk0kq92iL796y2Hk2JPE4CgjBJ7LzCXD3qBG8LmZQ8=
=jN+8
-----END PGP SIGNATURE-----
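The `wc -L` sanity check discussed above, turned into a small script as an added example; this is not code from the thread or from the apt or debootstrap projects. It assumes a limit of 1024 characters (the upper end of the range Julian suggests; unstable's files are said to be around 140) and the usual apt cache directory `/var/lib/apt/lists`; the demo files it builds in a temporary directory are constructed here, not real repository metadata.

```shell
#!/bin/sh
# Added example, not from the thread: flag apt Release/InRelease files whose
# longest line exceeds a limit, i.e. the "wc -L" check suggested above.

# Limit in characters. The thread suggests 256/512/1024 as reasonable bounds;
# 1024 is an assumption made here. Override with MAX_LINE_LEN=512 if desired.
MAX_LINE_LEN=${MAX_LINE_LEN:-1024}

# longest_line FILE : print the longest line length of FILE (wc -L, with any
# leading whitespace some wc implementations emit stripped)
longest_line() {
    wc -L < "$1" | tr -d ' \t'
}

# check_release_file FILE : return 0 if the longest line is within the limit,
# 1 if the file looks suspicious
check_release_file() {
    f=$1
    longest=$(longest_line "$f")
    if [ "$longest" -gt "$MAX_LINE_LEN" ]; then
        printf 'SUSPICIOUS %s: longest line %s chars (limit %s)\n' \
            "$f" "$longest" "$MAX_LINE_LEN"
        return 1
    fi
    printf 'ok %s: longest line %s chars\n' "$f" "$longest"
}

# scan_apt_lists DIR : check every *Release* file (InRelease, Release,
# Release.gpg) directly under DIR, default /var/lib/apt/lists (assumed).
# Returns 1 if any file is suspicious, 0 otherwise. A shell glob is used
# rather than "for f in $(find ...)" so file names are never word-split.
scan_apt_lists() {
    dir=${1:-/var/lib/apt/lists}
    bad=0
    for f in "$dir"/*Release*; do
        [ -f "$f" ] || continue
        check_release_file "$f" || bad=1
    done
    return "$bad"
}

# demo : constructed sample input, one ordinary-looking file and one with a
# 3000-character line, scanned in a temporary directory that is removed after.
demo() {
    tmp=$(mktemp -d)
    printf 'Origin: Debian\nSuite: unstable\nSHA256:\n abc123 1234 main/binary-amd64/Packages\n' \
        > "$tmp/example_InRelease"
    { printf 'Origin: Debian\n'; head -c 3000 /dev/zero | tr '\0' 'A'; printf '\n'; } \
        > "$tmp/evil_InRelease"
    scan_apt_lists "$tmp"
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

# The demo returns 1 because the constructed oversized file trips the check.
demo || true
```

To check a live system, call `scan_apt_lists` with no argument (or pass another directory); a non-zero exit status means at least one file exceeded the limit and should be inspected before running apt against it.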