On 01/22/2019 08:49 PM, unman wrote:
On Tue, Jan 22, 2019 at 12:57:37PM -0500, Chris Laprise wrote:
On 01/22/2019 12:03 PM, Marek Marczykowski-Górecki wrote:

On Tue, Jan 22, 2019 at 08:03:01AM -0800, Brendan Hoar wrote:
https://justi.cz/security/2019/01/22/apt-rce.html

A patch is out to cover this vulnerability, but I'm of the opinion that it may 
be best to move the qubes-update-proxy worker VMs to a disposable VM model 
after reading up on this one.

Granted, at first glance it appears that the use of the qubes-update-proxy 
certainly helps, but using disposable VMs might provide an extra layer of 
protection.

Updates proxy unfortunately does not help with this issue, but also is
not affected by it (at least not directly). It is only an http proxy, which
does not interpret the content it receives, only passes it down to the VM that
requested it. Specifically, if a remote server sends a malicious
Location: header, it will be forwarded back to apt. While in theory that
proxy could perform some extra filtering on the response, it isn't used
for that right now. I don't think tinyproxy supports anything like this
(but we could change it to a different http proxy implementation).

The proxy appears to be 'affected' in the sense that Debian's temporary
update instructions from their security bulletin do not work in the Qubes
template.

So we are missing a straightforward resolution that Qubes users can follow.


Can you explain this? As far as I can see, the temporary update
instructions *do* work in a template.
What makes you think they don't?


With normal update proxy settings (no cache), this happens:

user@d9:~$ sudo apt -o Acquire::http::AllowRedirect=false update
Ign:1 http://security.debian.org stretch/updates InRelease
Hit:2 http://deb.qubes-os.org/r4.0/vm stretch InRelease
Ign:3 http://deb.debian.org/debian stretch InRelease
Err:4 http://deb.debian.org/debian stretch Release
  302  Found
Err:5 http://security.debian.org stretch/updates Release
  302  Found
Reading package lists... Done
E: The repository 'http://deb.debian.org/debian stretch Release' does no longer have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: The repository 'http://security.debian.org stretch/updates Release' does no longer have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

Did I miss something?

At this moment, I could try to gpg verify the DSA bulletin, then use the hash from the bulletin to verify a manually-downloaded apt deb before installing it.

Or, since I have Whonix installed, maybe look at the docs for enabling .onion updates.


I use apt-cacher-ng with the templates configured with http://HTTPS///
scheme, which allows for caching *and* HTTPS to repos.
I'm checking to see how apt-cacher-ng is affected, but won't be able to
finish until this evening.

This sounds like a good setup; I'll await feedback from you and rusty about your vuln review. However, I'm not sure how many other users will want to set up a cache. And if it requires installing any packages, then that leaves me in a catch-22.


--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886
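As an added illustration (not code from this thread, from Qubes or from tinyproxy) of the response-side filtering Marek describes as possible in theory: a hook an update proxy could run over each upstream response before relaying it to the VM, refusing to forward a redirect whose Location header is not a plain http(s) URL to an expected repository host or that contains control characters, raw or percent-encoded. The allowlist, the hook signature and the 502 substitute status are assumptions for this example.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed allowlist of the repository hosts the templates in this thread fetch from.
ALLOWED_HOSTS = {"deb.debian.org", "security.debian.org", "deb.qubes-os.org"}

# ASCII control characters (CR, LF, NUL, ...) must never appear in a header value.
_CTRL = re.compile(r"[\x00-\x1f\x7f]")


def location_is_safe(location, allowed_hosts=ALLOWED_HOSTS):
    """True only if a Location value is an absolute http(s) URL to an allowed
    host and contains no control characters, neither raw nor percent-encoded."""
    if _CTRL.search(location) or _CTRL.search(unquote(location)):
        return False
    parts = urlsplit(location)
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname
    return host is not None and host.lower() in allowed_hosts


def filter_response(status, headers, allowed_hosts=ALLOWED_HOSTS):
    """Hypothetical proxy hook: status is the upstream HTTP status code,
    headers a list of (name, value) tuples. A 3xx whose Location fails the
    check is rewritten to a 502 with the Location dropped, so the client
    sees an error instead of an unchecked redirect."""
    kept = []
    blocked = False
    for name, value in headers:
        if name.lower() == "location" and 300 <= status < 400:
            if not location_is_safe(value, allowed_hosts):
                blocked = True
                continue
        kept.append((name, value))
    return (502 if blocked else status), kept


if __name__ == "__main__":
    # Constructed sample: a mirror redirect to an unexpected host, as seen by the proxy.
    print(filter_response(302, [("Location", "http://mirror.example/debian/dists/stretch/Release"),
                                ("Server", "nginx")]))
```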
