live-build causes old /sbin/initctl and start-stop-daemon to be installed in Cloud Images
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
live-build (Debian) | Fix Released | Unknown | | |
live-build (Ubuntu) | Fix Released | Medium | Unassigned | |
Trusty | Fix Released | Undecided | Adam Conrad | |
Vivid | Fix Released | Undecided | Adam Conrad | |
Bug Description
[ SRU Info ]
See bug #1363519
[ Original Report ]
I've encountered at least five different Amazon AMIs which all fail debsums right out of the box. The offending binaries are upstart: /sbin/initctl and dpkg: /sbin/start-
us-east-1: ami-3fec7956, ami-de0d9eb7
us-west-1: ami-b81230fd
us-west-2: ami-da1810ae
ap-northeast-1: ami-77cf4976
I analyzed only initctl, as it was the first to trip my alarms. In the following examples, the left side is the one from the upstart package version dpkg claims to have installed, the right is the one actually on the system.
* A side-by-side hex/ascii of the diff : http://
* The same, with some color: http://
* A side-by-side comparison of objdump --disassemble-all: http://
* The same, with some color: http://
The file size is the same, but clearly it is not the one from the package. objdump interpreted this delta as having a mov instruction, then executing a conditional jump. This "looks" scary, but I'm no expert. This may be only a side-effect of trying to disassemble code.
This is either malicious, or a totally benign mistake, but in either case, Canonical should not be distributing AMIs which cannot pass rudimentary integrity checks.
To reproduce, simply start an AWS instance with one of these AMIs, install debsums, and run something like:
for PKG in `dpkg --get-selections | awk '{print $1}'`; do echo ${PKG}: >> failsums; debsums $PKG | grep FAILED >> failsums; done
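What the debsums check in the report compares, shown as an added example that is not part of the original report or of debsums itself: each line of a dpkg-style md5sums manifest (the format stored in /var/lib/dpkg/info/<package>.md5sums) is checked against the file on disk. The function names, the temporary root directory and the sample file contents are constructed for illustration.

```python
import hashlib
import os
import tempfile

def md5_of(path):
    """Stream a file through MD5 and return the hex digest."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def check_md5sums(md5sums_text, root="/"):
    """Check '<md5>  <relative path>' manifest lines against files under root."""
    results = {}
    for line in md5sums_text.splitlines():
        if not line.strip():
            continue
        expected, rel = line.split(None, 1)
        rel = rel.strip()
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            results[rel] = "MISSING"
        elif md5_of(path) == expected.lower():
            results[rel] = "OK"
        else:
            results[rel] = "FAILED"
    return results

def demo():
    # Constructed sample: a throwaway root whose manifest is recorded first,
    # then one binary is swapped for different bytes of the same length.
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "sbin"))
        files = {"sbin/initctl": b"packaged initctl\n",
                 "sbin/telinit": b"packaged telinit\n"}
        manifest = []
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
            manifest.append(f"{hashlib.md5(data).hexdigest()}  {rel}")
        # Listed in the manifest but never written to disk.
        manifest.append(f"{hashlib.md5(b'x').hexdigest()}  sbin/runlevel")
        with open(os.path.join(root, "sbin/initctl"), "wb") as f:
            f.write(b"replaced initctl\n")  # same size, different content
        return check_md5sums("\n".join(manifest), root)

if __name__ == "__main__":
    for rel, status in demo().items():
        print(f"{rel:20} {status}")
```

Because the manifest is read from the same image as the binaries, a match only shows agreement with what dpkg recorded on that system. Comparing against a freshly obtained copy of the package, as the reporter did for initctl, is the stronger check.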
affects: ubuntu → live-build (Ubuntu)
Changed in live-build (Debian):
status: Unknown → Fix Committed
Changed in live-build (Debian):
status: Fix Committed → Fix Released
description: updated
Changed in live-build (Ubuntu Trusty):
assignee: nobody → Adam Conrad (adconrad)
Changed in live-build (Ubuntu Vivid):
assignee: nobody → Adam Conrad (adconrad)
/sbin/initctl (md5 a08543b3a5d7f2221358f9f160c3b09f) which is not the same as in upstart 1.5-0ubuntu7.2 (md5 bae534f4f29d22f3fda948e8a8157745): http://user.xmission.com/~kevin/initctl
/sbin/start-stop-daemon (md5 668f331a1ee2a34b049bcca5c5516322) not matching dpkg 1.16.1.2ubuntu7.1 (md5 733bf57a6e070bb6541d7e688b3c85d1): http://user.xmission.com/~kevin/start-stop-daemon