[Whonix-devel] [qubes-devel] apt RCE

Patrick Schleizer patrick-mailinglists at whonix.org
Wed Jan 23 11:02:00 CET 2019

Many users already upgraded APT in a vulnerable way without ever knowing
about this issue.

What about introducing a security on/off switch that a subset of Qubes
developers can trigger?

Before apt-get (or other package manager) does actually anything, a
simple script could fetch a file from Qubes clearnet domain (and/or
onion) and ask "is it currently secure to update"?

In most cases, the server would provide a cryptographically signed file
by a Qubes developer which says "ok". Otherwise in situations such as
now with APT security vulnerability DSA 4371-1 a Qubes developer could
put a cryptographically signed file saying "not safe" there. In such
cases, updates would be blocked until a new file is provided.

Things to keep in mind related to such a file: man-in-the-middle attack
- infinite freeze atttacks; rollback attacks; perhaps more. Can think
about this more if this sounds interesting.

Of course there should be options to:

- disable this mechanism entirely
- manually override by user

These override option is useful for:

- to stay flexible in case of bugs of this mechanism itself and,
- to not give Qubes developers too much power. No advanced adversary
should be able to ask Qubes developers to remotely brick all Qubes
installations (mostly theoretic at this point and not important for now
but still easy to implement and good to have),
- other unforeseeable things.

This idea could be seen as a subset of the emergency project news
mechanism that is currently missing in all distributions. In short:
distributions have no mechanism to communicate with their users
effectively in situations such as this one. More info:



More information about the Whonix-devel mailing list