[Whonix-devel] [qubes-devel] Re: not getting compromised while applying apt-get upgrade for CVE-2016-1252

[Marek Marczykowski-Górecki]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Sat, Dec 17, 2016 at 02:47:28AM +0100, David Kalnischkies wrote:
> The provided exploit used a 1.3 GB big InRelease file for that, which
> works with some confidence on a sufficiently memory-starved i386 system
> if you can live with the fact that this works only 1/4 of the time as
> the rest of the time it will fail (or not) at the wrong moment resulting
> in errors from apt. More recent (>= 1.1) apt versions bail if
> a (In)Release file is larger than 10 MB which is further complicating
> things. A good attacker therefore likely needs a way to put the machine
> in a memory-starved state on demand – like DoS the webserver running on
> the same box at the right moment. Timing and luck is really important.

So, with apt >= 1.1 it is very unlikely (at least) to affect client,
64-bit system, right?
In practice even older apt (stable) on 64-bit is hard to exploit, but
not unthinkable (will probably require larger file and careful
targeting for particular memory size; and a lot of luck), right?

(...)

> In terms of stable (which seems to be what you are asking about) there
> is a trivial 99,9% shortcut: stable has no InRelease file for technical
> reasons ATM, so something is fishy if you get one (aka apt should
> display Ign lines).²

Not fully true:
http://security.debian.org/dists/jessie/updates/InRelease

Anyway `wc -L` pointed earlier should do the trick.

> ¹ Its complicated as many different code parts are interacting here, so
> simply storing the split-result wasn't as easy as it sounds. The acquire
> system rewrite we performed the last few years should make that possible
> now. I wanted to look into that anyhow, just have to find the time as it
> is still not as easy as it sounds. Just likely "possible".

Good to know.

Thanks for detailed answer.

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJYVLQmAAoJENuP0xzK19csEWYH+QGQ/ckrtFBYqnEg0yH3JRxI
v5gFkiIEYKGVN94k+dRY+PRIJe+8AmD8p9AGyWGcA7+0lt8vR0l8djfGIkBTsZCa
udcrVWRmlPf1jI0JypH+xm+1dUNOucy/E7+gcqkXy/AiBqfRcaR9vsRGvYgOfd+a
i42CqHcQ3+QhGRO8mNEaIBXJr4leADZ5lRoddsFD/D4GQ5tR/xPnrVsZZhMbbPRW
aUYaYZW2dqabNq1i5UJVWHXYNE/IcgMolvzC9mFSxGDDt7wALBhe8eqbADQdmTr2
9OaD8ptREZPB/ufg8jp1PN7qzw+lNUnL+3E1ZwzqwKfm4hCbfWZ+QEN6Sa4oWOI=
=xVA9
-----END PGP SIGNATURE-----