qubes-linux-template-builder Debian apt-get --force-yes --yes security issue?
82 views
Skip to first unread message
Patrick Schleizer
Apr 27, 2015, 6:28:04 PM4/27/15
to qubes...@googlegroups.com, Whonix-devel, Patrick Schleizer
Hi!
From
qubes-linux-template-builder/scripts_debian/vars.sh
https://github.com/QubesOS/qubes-builder-debian/blob/33109b3ed425fc5c590b5e551ed4739373076609/template_qubuntu/vars.sh#L25
APT_GET_OPTIONS="-o Dpkg::Options::="--force-confnew" --force-yes --yes"
Could be a security issue. The combination of --force-yes and --yes is
insecure. Could lead to installation of unsigned packages.
Concluded that by reading the source and by remembering a bug report
against a similar Debian image build script where I did some testing.
- https://github.com/grml/grml-debootstrap/issues/62
-
https://www.whonix.org/wiki/Dev/apt-get#apt-get_Install_Signed_vs_Unsigned_Packages
I didn't actually test here but I find this quite possible. Highly
recommend to drop the --force-yes.
Cheers,
Patrick
From
qubes-linux-template-builder/scripts_debian/vars.sh
https://github.com/QubesOS/qubes-builder-debian/blob/33109b3ed425fc5c590b5e551ed4739373076609/template_qubuntu/vars.sh#L25
APT_GET_OPTIONS="-o Dpkg::Options::="--force-confnew" --force-yes --yes"
Could be a security issue. The combination of --force-yes and --yes is
insecure. Could lead to installation of unsigned packages.
Concluded that by reading the source and by remembering a bug report
against a similar Debian image build script where I did some testing.
- https://github.com/grml/grml-debootstrap/issues/62
-
https://www.whonix.org/wiki/Dev/apt-get#apt-get_Install_Signed_vs_Unsigned_Packages
I didn't actually test here but I find this quite possible. Highly
recommend to drop the --force-yes.
Cheers,
Patrick
nrgaway
Apr 27, 2015, 6:34:12 PM4/27/15
to whonix...@whonix.org, qubes...@googlegroups.com
Good catch. I will investigate it further. The purpose is the `--force-yes` is to all the over riding package configuration when initially building the template. Will see what happens without the force option.
Jason M
Apr 27, 2015, 8:52:48 PM4/27/15
to qubes...@googlegroups.com, whonix...@whonix.org
On Monday, 27 April 2015 18:34:12 UTC-4, Jason M wrote:
I removed the --force-yes option and everything seems to build fine still. I will submit a PR most likely tonight after some more testing has been completed.
Patrick Schleizer
May 2, 2015, 10:14:31 AM5/2/15
to Jason M, qubes...@googlegroups.com, whonix...@whonix.org
Jason M:
Any news on this?
Cheers,
Patrick
Cheers,
Patrick
Marek Marczykowski-Górecki
May 2, 2015, 10:18:13 AM5/2/15
to Patrick Schleizer, Jason M, qubes...@googlegroups.com, whonix...@whonix.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Jason already submitted pull request with this change, but I haven't
merged it yet. Will do probably today or tomorrow.
- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAEBAgAGBQJVRNycAAoJENuP0xzK19csYAMH/0vi/XmbzVMfeur7u7thOZOi
v1AzwUjp3WjKu1qY35l2rntufF+r+ysi7SvAZo6Uj+B/LhDY7KSg8DzT7snKkEtm
BoEOR90/yR1Jzr2C3nUpW3jcs+O9zD4+s3MBBp4PSKQ0uvkLt4Pqrod0KSntyR/7
LQEEGLaxJsCL8vr584mwWt08JxhJCufahryWChi6if+kA9Db1hN0UdLV9hR1Arov
YPcn8qN6zPPv0BdKoFnEzt5F/XlNfPipEjSKJTMYAOmZRsikTr5psF7s/Krf3mZQ
E/lNokMVgyvtbJdU4g4woN99sOGjRqzcv3ANc4UQQ326Oj+5y1IR5j+wd1r6tZY=
=Tv/F
-----END PGP SIGNATURE-----
Hash: SHA1
merged it yet. Will do probably today or tomorrow.
- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAEBAgAGBQJVRNycAAoJENuP0xzK19csYAMH/0vi/XmbzVMfeur7u7thOZOi
v1AzwUjp3WjKu1qY35l2rntufF+r+ysi7SvAZo6Uj+B/LhDY7KSg8DzT7snKkEtm
BoEOR90/yR1Jzr2C3nUpW3jcs+O9zD4+s3MBBp4PSKQ0uvkLt4Pqrod0KSntyR/7
LQEEGLaxJsCL8vr584mwWt08JxhJCufahryWChi6if+kA9Db1hN0UdLV9hR1Arov
YPcn8qN6zPPv0BdKoFnEzt5F/XlNfPipEjSKJTMYAOmZRsikTr5psF7s/Krf3mZQ
E/lNokMVgyvtbJdU4g4woN99sOGjRqzcv3ANc4UQQ326Oj+5y1IR5j+wd1r6tZY=
=Tv/F
-----END PGP SIGNATURE-----
Patrick Schleizer
Jun 23, 2015, 8:03:37 PM6/23/15
to Marek Marczykowski-Górecki, Jason M, qubes...@googlegroups.com, whonix...@whonix.org
Marek Marczykowski-Górecki:
I haven't found the pull request ( not
https://github.com/QubesOS/qubes-linux-template-builder/pulls?utf8=%E2%9C%93&q=
- where else? ).
Also no related git log entry.
Just to be sure, has this been done?
Cheers,
Patrick
https://github.com/QubesOS/qubes-linux-template-builder/pulls?utf8=%E2%9C%93&q=
- where else? ).
Also no related git log entry.
Just to be sure, has this been done?
Cheers,
Patrick
Marek Marczykowski-Górecki
Jun 23, 2015, 8:16:44 PM6/23/15
to Patrick Schleizer, Jason M, qubes...@googlegroups.com, whonix...@whonix.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hash: SHA1
looking for:
https://github.com/marmarek/qubes-builder-debian/pull/8
> Also no related git log entry.
>
> Just to be sure, has this been done?
Also you're probably interested in this one:
https://github.com/marmarek/qubes-builder-debian/pull/11
- --
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
ogiiXWln+SBanjBXdgSJgFN7XCIJTpwK3m55dvWsj/xklVEZUn5XMlanwzSnanIB
K9nq1gtuETp+9vt0Xkjk+2z2xLukEgaETmpU7IcmxcQYl8zgnAbHeA4Ds8Ea6Rzx
H4KliEV46LEe+5+E2L+9AXrrwwKuLHe4NMb85ReEr04V8hOrj8vdHSNd0iP8N813
HmPBsWLR3EBTYdnSpx0GJphfGUmx7tKE/WLVPhAWUOvp+RVwj/ASsPwApxK8T706
1EivVVCKC2oMQA4IN1nNWI2aiMCn3SjpgBdPH5SvwM6pWR8lvHrhlh9gEBD4hfs=
=gtI+
-----END PGP SIGNATURE-----
Reply all
Reply to author
Forward
0 new messages