Ubuntu CD Images

/install/filesystem.squashfs should be signed

Bug #1565889 reported by Dimitri John Ledkov
260
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Ubuntu CD Images
Fix Released
Undecided
Dimitri John Ledkov
debian-cd (Ubuntu)
Invalid
Undecided
Dimitri John Ledkov
live-installer (Ubuntu)
Fix Released
Undecided
Dimitri John Ledkov

Bug Description

Prior to xenial, /install/filesystem.squashfs would only be used from a locally booted and mounted media. In xenial, the live-installer package was extended to automatically search a mirror, download remotely and use filesystem.squashfs. Before xenial, such actions were only performed upon explicit user request and from user supplied url. Given that this is now done automatically, it is prudent to gpg sign and validate such downloads prior to them being used. Otherwise an avenue is opened for a "rogue" mirror to have a valid verbantim mirror of the apt archive, yet a modified filesystem.squashfs which unmodified verified d-i could be blindly using.

Ideally live-installer would simply use secure apt download facility of arbitrary files with gpg signature verification, but I doubt that anna currently supports that.

See original description
Tags: patch s390x
Dimitri John Ledkov (xnox)
information type: Public → Private Security
summary: - foo
+ /install/filesystem.squashfs should be signed
Dimitri John Ledkov (xnox)
description: updated
Changed in ubuntu-cdimage:
assignee: nobody → Dimitri John Ledkov (xnox)
Changed in live-installer (Ubuntu):
assignee: nobody → Dimitri John Ledkov (xnox)
Revision history for this message
Dimitri John Ledkov (xnox) wrote :
Revision history for this message
Dimitri John Ledkov (xnox) wrote :
Revision history for this message
Dimitri John Ledkov (xnox) wrote :
Changed in debian-cd (Ubuntu):
assignee: nobody → Dimitri John Ledkov (xnox)
Revision history for this message
Dimitri John Ledkov (xnox) wrote :

I will test live-installer patch tomorrow. Will not be able to test debian-cd/ubuntu-cdimage patches, but they look reasonable. Once live-installer patch is known to be working, we can deploy the debian-cd / ubuntu-cdimage changes, and once images are signed we can upload live-installer too, and respin.

Dimitri John Ledkov (xnox)
tags: added: s390x
Revision history for this message
Steve Langasek (vorlon) wrote :

We don't use the debian-cd package for building, we use <bzr+ssh://people.canonical.com/home/cjwatson/public_html/bzr/debian-cd/ubuntu/>. This branch has been updated.

Changed in debian-cd (Ubuntu):
status: New → Invalid
Revision history for this message
Steve Langasek (vorlon) wrote :

Changes committed to ubuntu-cdimage.

Changed in ubuntu-cdimage:
status: New → Fix Released
Revision history for this message
Dimitri John Ledkov (xnox) wrote : Re: [Bug 1565889] Re: /install/filesystem.squashfs should be signed

On 18 April 2016 at 06:02, Steve Langasek <email address hidden> wrote:
> We don't use the debian-cd package for building, we use
> <bzr+ssh://people.canonical.com/home/cjwatson/public_html/bzr/debian-
> cd/ubuntu/>. This branch has been updated.
>
> ** Changed in: debian-cd (Ubuntu)
> Status: New => Invalid

Sure. The debian-cd bundle is commit on top of
~ubuntu-cdimage/debian-cd/ubuntu/ which should be the mirror of
cjwatson's branch above.

--
Regards,

Dimitri.

Revision history for this message
Dimitri John Ledkov (xnox) wrote :

I am silly, sorry about that. infinity confirmed the branch is updated \o/ yeah

Dimitri John Ledkov (xnox)
information type: Private Security → Public Security
Changed in live-installer (Ubuntu):
status: New → Fix Committed
Ubuntu Foundations Team Bug Bot (crichton)
tags: added: patch
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package live-installer - 51ubuntu2

---------------
live-installer (51ubuntu2) xenial; urgency=medium

  * Validate signatures on components exported via a mirror, based on
    net-retriever code. LP: #1565889.

 -- Dimitri John Ledkov <email address hidden> Wed, 06 Apr 2016 21:54:15 +0100

Changed in live-installer (Ubuntu):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.