apt-get downgraded to vulnerable version 1.0.9.8.4 in whonix #4055
Comments
andrewdavidwong added the bug and C: Whonix labels on Jul 5, 2018
andrewdavidwong added this to the Release 4.0 updates milestone on Jul 5, 2018
fosslinux commented Jul 7, 2018
An exit node can intercept your connection. To me this looks like a compromise. Backup the potentially compromised VMs, delete the template VM and all based on it, and recreate. The Qubes wiki can help with this. If you can still repro, then it is unlikely that it was a compromise. I can't test at the moment, I don't use whonix. HTH
whrabbit1 commented Jul 7, 2018
That's what I thought, but after reinstalling whonix templates, the issue persisted. I also learned that whonix still uses debian jessie that comes with that apt version. No downgrade was performed.
The weird thing here is deletion of firefox-esr causes the removal of a ton of other packages.
fosslinux commented Jul 7, 2018
@whrabbit1 can you post the list of packages? What was the original version of apt?
Also version 1.0.9.8.4 isn't vulnerable, only the versions before:
The apt package in Debian jessie before 1.0.9.8.4, in Debian unstable before 1.4~beta2, in Ubuntu 14.04 LTS before 1.0.1ubuntu2.17, in Ubuntu 16.04 LTS before 1.2.15ubuntu0.2, and in Ubuntu 16.10 before 1.3.2ubuntu0.1 allows man-in-the-middle attackers to bypass a repository-signing protection mechanism by leveraging improper error handling when validating InRelease file signatures.
(emphasis mine)
see https://www.cvedetails.com/cve/CVE-2016-1252/.
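The CVE text quoted above gives one fixed-in version per suite, and "before" means older under dpkg's version ordering, not a plain string comparison (a "~" pre-release such as 1.4~beta2 sorts below 1.4, and 1.0.9.8.4 is newer than 1.0.9.8.3 but older than 1.0.9.10). The following is an added example, not code from this issue, Qubes or Whonix: it reimplements dpkg's comparison rules in Python and applies them to the thresholds quoted from the CVE description. The suite labels used as dictionary keys are this example's own.

```python
"""Added example: decide whether an apt version is "before" the fixed-in
versions quoted from the CVE-2016-1252 description, using dpkg's own
version-ordering rules (epoch, then upstream, then Debian revision, with
'~' sorting before everything, even the empty string). Not code from the
issue, Qubes or Whonix; the suite labels below are this example's own."""


def _order(c):
    """Weight of a non-digit character in dpkg's verrevcmp()."""
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two version fragments the way dpkg does: alternate runs of
    non-digits (compared by _order) and runs of digits (compared numerically)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":   # leading zeros are insignificant
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1      # a's number has more digits, so it is larger
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    head, sep, tail = version.rpartition("-")
    if sep:
        return epoch, head, tail
    return epoch, tail, ""


def compare_versions(a, b):
    """Return -1, 0 or 1, ordering a against b as dpkg --compare-versions does."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        c = _verrevcmp(x, y)
        if c:
            return -1 if c < 0 else 1
    return 0


# Fixed-in versions exactly as quoted from the CVE-2016-1252 description;
# the keys are labels chosen for this example.
CVE_2016_1252_FIXED_IN = {
    "debian-jessie": "1.0.9.8.4",
    "debian-unstable": "1.4~beta2",
    "ubuntu-14.04": "1.0.1ubuntu2.17",
    "ubuntu-16.04": "1.2.15ubuntu0.2",
    "ubuntu-16.10": "1.3.2ubuntu0.1",
}


def vulnerable_to_cve_2016_1252(suite, installed_version):
    """True when the installed apt is strictly older than the fixed version
    for that suite, i.e. "before" it in the CVE text."""
    return compare_versions(installed_version, CVE_2016_1252_FIXED_IN[suite]) < 0


if __name__ == "__main__":
    for suite, v in (("debian-jessie", "1.0.9.8.4"), ("debian-jessie", "1.0.9.8.3"),
                     ("debian-unstable", "1.4~beta1")):
        print(suite, v, "vulnerable" if vulnerable_to_cve_2016_1252(suite, v) else "fixed")
```

On a Debian-based template the same question is answered without any Python by `dpkg --compare-versions "$(dpkg-query -W -f='${Version}' apt)" lt 1.0.9.8.4; echo $?`, which exits 0 only when the installed apt is older than the fixed version; the Python above is useful when checking many templates' package lists from a separate, trusted VM.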
whrabbit1 commented Jul 7, 2018
Unfortunately no, I reinstalled whonix. Anyways the issue resurfaced on the new fresh one after issuing apt update command.
adrelanos (Member) commented Jul 13, 2018
The weird thing here is deletion of firefox-esr causes the removal of a ton of other packages.
See:
https://www.whonix.org/wiki/Whonix_Debian_Packages
Btw firefox is not dependency in Whonix 14 anymore.
https://forums.whonix.org/t/whonix-14-release-blockers-status-of-whonix-14-development
I think this issue can be closed.
whrabbit1 commented Jul 13, 2018
I didn't know that firefox is a dependency of all those packages.
I already mentioned that I didn't remove firefox from the freshly reinstalled whonix and the issue persisted.
Sometimes it goes off even if I don't issue an update, 100% CPU usage even if I'm offline (so unlikely a miner). When I want to update though, often the update blocks and the 'http' process takes all the CPU bandwidth.
rkhunter warns me that xl of the xen-utils-common package may be using suspicious files, so I checked the hash against that of the qubes repo, but it matched. Anyways I installed the latest version of this package from the qubes security testing repo to see if that fixes anything.
Next time I catch it running, I'll gdb into it to see what's blocking it.
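The reporter compared the package's hash against the Qubes repository. A complementary check, added here as an example and not code from this issue, Qubes or Whonix, verifies the files actually installed on disk against the per-package md5sums manifest that dpkg records under /var/lib/dpkg/info/ (the same check the debsums tool performs). The manifest, paths and file contents below are constructed stand-ins, with one file tampered with and one deleted so the three outcomes are visible.

```python
"""Added example: verify installed files against a dpkg md5sums manifest
(what /var/lib/dpkg/info/<package>.md5sums holds and what debsums checks).
Not code from the issue, Qubes or Whonix. Manifest and file contents below
are constructed stand-ins."""
import hashlib
import os


def parse_md5sums(manifest_text):
    """Parse '<md5hex>  <relative path>' lines (two-space separator, so the
    path itself may contain spaces). Returns a list of (digest, path)."""
    entries = []
    for line in manifest_text.splitlines():
        if not line.strip():
            continue
        digest, _, path = line.partition("  ")
        if len(digest) != 32 or not path:
            raise ValueError("malformed md5sums line: %r" % line)
        entries.append((digest.lower(), path))
    return entries


def verify_md5sums(manifest_text, read_file):
    """read_file(path) returns the file's bytes, or None if it does not exist.
    Returns {path: "ok" | "modified" | "missing"} for every manifest entry."""
    status = {}
    for digest, path in parse_md5sums(manifest_text):
        data = read_file(path)
        if data is None:
            status[path] = "missing"
        elif hashlib.md5(data).hexdigest() != digest:
            status[path] = "modified"
        else:
            status[path] = "ok"
    return status


def filesystem_reader(root="/"):
    """Reader for a real system: manifest paths are relative to root."""
    def read_file(path):
        try:
            with open(os.path.join(root, path), "rb") as fh:
                return fh.read()
        except FileNotFoundError:
            return None
    return read_file


# Constructed sample: the files as the package shipped them ...
PRISTINE = {
    "usr/sbin/xl": b"constructed stand-in for the xl binary\n",
    "usr/share/doc/xen-utils-common/README": b"constructed README\n",
    "usr/share/man/man1/xl.1.gz": b"constructed man page\n",
}
MANIFEST = "".join("%s  %s\n" % (hashlib.md5(data).hexdigest(), path)
                   for path, data in PRISTINE.items())

# ... and what is on disk now: one file tampered with, one deleted.
INSTALLED = dict(PRISTINE)
INSTALLED["usr/sbin/xl"] = PRISTINE["usr/sbin/xl"] + b"# appended by an attacker\n"
del INSTALLED["usr/share/man/man1/xl.1.gz"]


def demo():
    """Run the check against the constructed on-disk view."""
    return verify_md5sums(MANIFEST, INSTALLED.get)


if __name__ == "__main__":
    for path, state in sorted(demo().items()):
        print(state.ljust(8), path)
```

On a real template the call is `verify_md5sums(open("/var/lib/dpkg/info/xen-utils-common.md5sums").read(), filesystem_reader("/"))`. Two caveats: the manifest lives on the same filesystem as the files, so an attacker with root can rewrite both, which is why comparing against a .deb fetched from a trusted mirror, as the reporter did, is the stronger check; and dpkg does not list conffiles under /etc in md5sums, so those need a separate diff against the package.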
adrelanos (Member) commented Jul 13, 2018
Using suspend / resume?
https://forums.whonix.org/t/reopened-sclockadj-stuck-at-100-cpu
Anyhow, if it's above it would be gone in Whonix 14.
whrabbit1 commented Jul 13, 2018
I believe when I close my laptop it suspends qubes os, but I only recently had this issue.
The symptoms shared by the user in the link are the same as mine, except for the process that hangs at 100% cpu (/usr/lib/apt/methods/http in my case).
andrewdavidwong (Member) commented Jul 14, 2018
FWIW, I also have apt-get 1.0.9.8.4 in a vanilla whonix-gw template on 3.2 (have not manually installed or uninstalled anything; just updated).
whrabbit1 commented Jul 5, 2018 (original issue report)
Qubes OS version:
Qubes Release 4.0
Affected component(s):
apt-get package in whonix-ws and whonix-gw templates
Steps to reproduce the behavior:
In the template:
apt-get remove firefox-esr
[a huge list of packages shows that is going to be removed as well]
Hit yes
apt-get update
apt-get dist-upgrade
Expected behavior:
firefox-esr removed and packages updated
Actual behavior:
firefox-esr removed and apt-get package downgraded to version 1.0.9.8.4, which was released in 2016 with CVE-2016-1252.
General notes:
I only noticed the downgrade after a week, when /usr/lib/apt/methods/http started using 100% of the CPU in both whonix AppVMs, the behavior of a miner.
Could anyone explain why an old vulnerable version replaced the current one? Is it possible for an exit node to downgrade apt? I believe I was using http repos.
Related issues: