/install/filesystem.squashfs should be signed

Bug #1565889 reported by Dimitri John Ledkov on 2016-04-04
This bug affects 1 person
Affects                  Importance   Assigned to
Ubuntu CD Images         Undecided    Dimitri John Ledkov
debian-cd (Ubuntu)       Undecided    Dimitri John Ledkov
live-installer (Ubuntu)  Undecided    Dimitri John Ledkov

Bug Description

Prior to xenial, /install/filesystem.squashfs would only be used from a locally booted and mounted media. In xenial, the live-installer package was extended to automatically search a mirror, download remotely and use filesystem.squashfs. Before xenial, such actions were only performed upon explicit user request and from a user-supplied URL. Given that this is now done automatically, it is prudent to gpg sign and validate such downloads prior to them being used. Otherwise an avenue is opened for a "rogue" mirror to have a valid verbatim mirror of the apt archive, yet a modified filesystem.squashfs which unmodified, verified d-i could be blindly using.

Ideally live-installer would simply use the secure apt download facility for arbitrary files with gpg signature verification, but I doubt that anna currently supports that.
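The verify-before-use step the description asks for, as an added Python illustration (not code from live-installer or net-retriever): the manifest is parsed in the Debian Release-file layout that d-i's net-retriever checks, the detached signature is verified with gpgv against a fixed keyring, and only then is the downloaded component compared by size and SHA-256. The keyring path, file paths and the sample manifest and component bytes are assumptions constructed for this example.

```python
import hashlib
import hmac
import subprocess

# Constructed sample data: a 5-byte stand-in for filesystem.squashfs and a
# Release-style manifest listing it.  The digests are those of b"hello".
SAMPLE_COMPONENT = b"hello"
SAMPLE_RELEASE = (
    "Suite: xenial\n"
    "MD5Sum:\n"
    " 5d41402abc4b2a76b9719d911017c592 5 install/filesystem.squashfs\n"
    "SHA256:\n"
    " 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824 5 install/filesystem.squashfs\n"
)

def parse_sha256_section(release_text):
    """Return {path: (sha256_hex, size)} from the SHA256: block of a Release file.
    Weaker sections (MD5Sum:, SHA1:) are deliberately ignored."""
    entries, in_section = {}, False
    for line in release_text.splitlines():
        if not line.startswith((" ", "\t")):      # a new "Field:" header line
            in_section = line.strip() == "SHA256:"
            continue
        if in_section and line.strip():
            digest, size, path = line.split()
            entries[path] = (digest.lower(), int(size))
    return entries

def manifest_signature_ok(release_path, sig_path, keyring):
    """gpgv exits 0 only if the detached signature verifies against the given
    keyring; the keyring path is an assumption (d-i ships its own archive keyring)."""
    result = subprocess.run(["gpgv", "--keyring", keyring, sig_path, release_path],
                            capture_output=True)
    return result.returncode == 0

def component_ok(data, path, entries):
    """Accept downloaded bytes only if the verified manifest lists this exact
    path with matching size and SHA-256 (constant-time digest comparison)."""
    if path not in entries:
        return False            # unlisted component: refuse, do not fall back
    expected_digest, expected_size = entries[path]
    if len(data) != expected_size:
        return False
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_digest)

if __name__ == "__main__":
    # Real use: manifest_signature_ok() first, then component_ok(); gpgv is not
    # invoked here so the constructed sample runs without a keyring.
    entries = parse_sha256_section(SAMPLE_RELEASE)
    print(component_ok(SAMPLE_COMPONENT, "install/filesystem.squashfs", entries))  # True
```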

information type: Public → Private Security
summary: - foo
+ /install/filesystem.squashfs should be signed
description: updated
Changed in ubuntu-cdimage:
assignee: nobody → Dimitri John Ledkov (xnox)
Changed in live-installer (Ubuntu):
assignee: nobody → Dimitri John Ledkov (xnox)
Changed in debian-cd (Ubuntu):
assignee: nobody → Dimitri John Ledkov (xnox)
Dimitri John Ledkov (xnox) wrote :

I will test live-installer patch tomorrow. Will not be able to test debian-cd/ubuntu-cdimage patches, but they look reasonable. Once live-installer patch is known to be working, we can deploy the debian-cd / ubuntu-cdimage changes, and once images are signed we can upload live-installer too, and respin.

tags: added: s390x
Steve Langasek (vorlon) wrote :

We don't use the debian-cd package for building, we use <bzr+ssh://people.canonical.com/home/cjwatson/public_html/bzr/debian-cd/ubuntu/>. This branch has been updated.

Changed in debian-cd (Ubuntu):
status: New → Invalid
Steve Langasek (vorlon) wrote :

Changes committed to ubuntu-cdimage.

Changed in ubuntu-cdimage:
status: New → Fix Released

On 18 April 2016 at 06:02, Steve Langasek <email address hidden> wrote:
> We don't use the debian-cd package for building, we use
> <bzr+ssh://people.canonical.com/home/cjwatson/public_html/bzr/debian-
> cd/ubuntu/>. This branch has been updated.
>
> ** Changed in: debian-cd (Ubuntu)
> Status: New => Invalid

Sure. The debian-cd bundle is a commit on top of
~ubuntu-cdimage/debian-cd/ubuntu/, which should be the mirror of
cjwatson's branch above.

--
Regards,

Dimitri.

Dimitri John Ledkov (xnox) wrote :

I am silly, sorry about that. infinity confirmed the branch is updated \o/ yeah

information type: Private Security → Public Security
Changed in live-installer (Ubuntu):
status: New → Fix Committed
tags: added: patch
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package live-installer - 51ubuntu2

---------------
live-installer (51ubuntu2) xenial; urgency=medium

  * Validate signatures on components exported via a mirror, based on
    net-retriever code. LP: #1565889.

 -- Dimitri John Ledkov <email address hidden> Wed, 06 Apr 2016 21:54:15 +0100

Changed in live-installer (Ubuntu):
status: Fix Committed → Fix Released