Check for CVE-2016-1252

Debootstrap used for initial phase of template build use only base repository. This means that it will install old, still vulnerable apt package. To mitigate the risk of template build process being exploited, add additional verification of downloaded repository metadata, just after downloading it, but before installing any package based on it. QubesOS/qubes-issues#2520
marmarek · Dec 17, 2016 · d755d2d · d755d2d
1 parent 719de70
commit d755d2d
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 2 deletions.
diff --git a/Makefile.debian b/Makefile.debian
@@ -170,6 +170,10 @@ dist-build-dep:
 	$(DEBIAN_PLUGIN_DIR)/update-local-repo.sh $(DIST)
 	sudo chroot $(CHROOT_DIR) apt-get ${APT_GET_OPTIONS} update
 
+	# check for CVE-2016-1252 - directly after debootstrap, still vulnerable
+	# apt is installed
+	wc -L "$(CHROOT_DIR)/var/lib/apt/lists/"*InRelease | awk '$$1 > 1024 {print; exit 1}'
+
 	# Parse debian/control for Build-Depends and install
 	$(DEBIAN_PARSER) control --build-depends $(CHROOT_DEBIAN_DIR)/control |\
 		xargs sudo chroot $(CHROOT_DIR) apt-get $(APT_GET_OPTIONS) install -y

diff --git a/prepare-chroot-debian b/prepare-chroot-debian
@@ -95,6 +95,9 @@ else
 
     # update chroot
     chroot $DIR apt-get $APT_GET_OPTIONS update
+    # check for CVE-2016-1252 - directly after debootstrap, still vulnerable
+    # apt is installed
+    wc -L "${DIR}/var/lib/apt/lists/"*InRelease | awk '$1 > 1024 {print; exit 1}'
     if [ -n "$eatmydata_maybe" -a ! -f "$DIR/usr/lib/libeatmydata/libeatmydata.so" ]; then
         chroot $DIR apt-get $APT_GET_OPTIONS -y install eatmydata
     fi
@@ -121,6 +124,7 @@ if [ "$DIST" == "wheezy" ]; then
         touch "${DIR}/etc/apt/sources.list"
         echo "$source" >> "${DIR}/etc/apt/sources.list"
     fi
+    # wheezy is not affected by CVE-2016-1252
     chroot $DIR apt-get $APT_GET_OPTIONS update
     chroot $DIR $eatmydata_maybe apt-get $APT_GET_OPTIONS -t wheezy-backports install -y dh-systemd config-package-dev
 fi
@@ -154,6 +158,9 @@ fi
 # Refresh package list (but not qubes repo since it does not yet exist)
 # ------------------------------------------------------------------------------
 chroot $DIR apt-get $APT_GET_OPTIONS update
+# check for CVE-2016-1252 - directly after debootstrap, still vulnerable
+# apt is installed
+wc -L "${DIR}/var/lib/apt/lists/"*InRelease | awk '$1 > 1024 {print; exit 1}'
 
 # ------------------------------------------------------------------------------
 # Update debian apt sources list to use local qubes repo

diff --git a/prepare-chroot-qubuntu b/prepare-chroot-qubuntu
@@ -85,6 +85,9 @@ else
 
     # update chroot
     chroot $DIR apt-get $APT_GET_OPTIONS update
+    # check for CVE-2016-1252 - directly after debootstrap, still vulnerable
+    # apt is installed
+    wc -L "${DIR}/var/lib/apt/lists/"*InRelease | awk '$1 > 1024 {print; exit 1}'
     chroot $DIR $eatmydata_maybe apt-get $APT_GET_OPTIONS -y upgrade
 fi
 
@@ -100,6 +103,9 @@ fi
 # ------------------------------------------------------------------------------
 sed -i "s/${DIST} main$/${DIST} main universe/g" $DIR/etc/apt/sources.list
 chroot $DIR apt-get $APT_GET_OPTIONS update
+# check for CVE-2016-1252 - directly after debootstrap, still vulnerable
+# apt is installed
+wc -L "${DIR}/var/lib/apt/lists/"*InRelease | awk '$1 > 1024 {print; exit 1}'
 
 # ------------------------------------------------------------------------------
 # Install all build packages specified
@@ -111,6 +117,9 @@ if [ $DIST != 'xenial' ]; then
 chroot $DIR apt-get $APT_GET_OPTIONS install -y software-properties-common
 chroot $DIR add-apt-repository -y ppa:ubuntu-audio-dev/pulse-testing
 chroot $DIR apt-get $APT_GET_OPTIONS update
+# check for CVE-2016-1252 - directly after debootstrap, still vulnerable
+# apt is installed
+wc -L "${DIR}/var/lib/apt/lists/"*InRelease | awk '$1 > 1024 {print; exit 1}'
 chroot $DIR apt-get $APT_GET_OPTIONS install -y libpulse-dev
 fi
 

diff --git a/template_debian/distribution.sh b/template_debian/distribution.sh
@@ -162,6 +162,9 @@ function aptUpdate() {
     debug "Updating system"
     DEBIAN_FRONTEND="noninteractive" DEBIAN_PRIORITY="critical" DEBCONF_NOWARNINGS="yes" \
         chroot_cmd apt-get ${APT_GET_OPTIONS} update
+    # check for CVE-2016-1252 - directly after debootstrap, still vulnerable
+    # apt is installed
+    wc -L "${INSTALLDIR}/var/lib/apt/lists/"*InRelease | awk '$1 > 1024 {print; exit 1}'
 }
 
 # ==============================================================================
@@ -228,7 +231,7 @@ function installPackages() {
 # ==============================================================================
 function installSystemd() {
     buildStep "$0" "pre-systemd"
-    chroot_cmd apt-get ${APT_GET_OPTIONS} update
+    aptUpdate
 
     aptInstall systemd
     createDbusUuid
@@ -294,7 +297,7 @@ function updateQubuntuSourceList() {
         touch "${INSTALLDIR}/etc/apt/sources.list"
         echo "$source" >> "${INSTALLDIR}/etc/apt/sources.list"
     fi
-    chroot_cmd apt-get ${APT_GET_OPTIONS} update
+    aptUpdate
 }
 
 # ==============================================================================