[Whonix-devel] [qubes-devel] apt RCE

[Marek Marczykowski-Górecki]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Wed, Jan 23, 2019 at 10:02:00AM +0000, Patrick Schleizer wrote:
> Many users already upgraded APT in a vulnerable way without ever knowing
> about this issue.
> 
> What about introducing a security on/off switch that a subset of Qubes
> developers can trigger?
> 
> Before apt-get (or other package manager) does actually anything, a
> simple script could fetch a file from Qubes clearnet domain (and/or
> onion) and ask "is it currently secure to update"?
> 
> In most cases, the server would provide a cryptographically signed file
> by a Qubes developer which says "ok". Otherwise in situations such as
> now with APT security vulnerability DSA 4371-1 a Qubes developer could
> put a cryptographically signed file saying "not safe" there. In such
> cases, updates would be blocked until a new file is provided.
> 
> Things to keep in mind related to such a file: man-in-the-middle attack
> - infinite freeze atttacks; rollback attacks; perhaps more. Can think
> about this more if this sounds interesting.
> 
> Of course there should be options to:
> 
> - disable this mechanism entirely
> - manually override by user
> 
> These override option is useful for:
> 
> - to stay flexible in case of bugs of this mechanism itself and,
> - to not give Qubes developers too much power. No advanced adversary
> should be able to ask Qubes developers to remotely brick all Qubes
> installations (mostly theoretic at this point and not important for now
> but still easy to implement and good to have),
> - other unforeseeable things.

While such mechanism in this particular case could be useful, generally
I think it makes more harm than good. Potential of breaking updates
completely is too big, either by a bug in such mechanism, or someone
attacking this mechanism itself. Having a single point of failure
blocking (potentially) all updates for all templates (and maybe even
dom0) doesn't sound good.

> This idea could be seen as a subset of the emergency project news
> mechanism that is currently missing in all distributions. In short:
> distributions have no mechanism to communicate with their users
> effectively in situations such as this one. More info:
> 
> https://www.whonix.org/wiki/Dev/project-news
> 
> Cheers,
> Patrick
> 

- -- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAlxIemAACgkQ24/THMrX
1yz4HQf/QEzPlS+WkX1kjF3xT7FRx273Aj8sJWBwncTNO6QTPk2dLO5Qyomfo4vi
7106DJa4iRcEBrRFU+rCsAoXYWAL/eFRCIVr6XxYLez3y4aX3qaF9aOfRV7PBKEg
FUZcTHvAsY980sYA1ZM7OEYwDXgxU4Jqo1HkVqFE5FjjmXUy7QEWBvDJWIbcOTBz
deEflNglvbsMvYsTe/TAEfJ4p34n7NsxzMZJWxZeOPATdZcr6zZYweBpp6heBqtS
LElp7/dtO0ac6p4PqSkfDbyXxPAe8Ucf14TSXY/2XnO/D8PJ1cqhG6LC0e6J+4ey
a03uzaxddh3Iv9DPrg+RpoQXpZkS/w==
=pPkF
-----END PGP SIGNATURE-----