Package: live-build
Version: 4.0~a20-1
Tags: security

Apt and debootstrap authenticate files which they download. However, sometimes lb_build downloads files directly. Run `grep wget /usr/lib/live' to find some of the places where it is done. When doing so, lb_build doesn't check if these files are original. An attacker can modify these files to affect the build process. For example, she can replace debian-installer kernel or initrd with arbitrary files (/usr/lib/live/build/binary_debian-installer).
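The missing check described in this report, sketched as an added example (not code from the report or from live-build): a directly downloaded file is accepted only if its SHA-256 matches exactly one entry in a checksum manifest. The helper name `verify_download`, the file names, and the manifest are assumptions, and the manifest is assumed to have been authenticated already by other means.

```shell
#!/bin/sh
# Added example, not live-build code. verify_download is a hypothetical helper.
# Assumption: SUMS is a sha256sum-format manifest that was itself authenticated
# before use; checking against an unauthenticated manifest proves nothing.

# verify_download FILE NAME SUMS
# Returns 0 only if NAME has exactly one entry in SUMS and FILE hashes to it.
verify_download() {
    file=$1 name=$2 sums=$3
    [ -f "$file" ] && [ -f "$sums" ] || return 2
    # Exact match on the name field; strip a binary marker "*" and leading "./".
    # Zero or duplicate entries are treated as failure, not as "unchecked".
    expected=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f); sub(/^\.\//, "", f) }
        f == n { print $1; c++ }
        END { if (c != 1) exit 1 }' "$sums") || return 3
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# Constructed demo: stand-ins for a fetched kernel and initrd plus a manifest.
demo() {
    d=$(mktemp -d) || return 1
    printf 'kernel-bytes' > "$d/linux"
    printf 'initrd-bytes' > "$d/initrd.gz"
    (cd "$d" && sha256sum ./linux ./initrd.gz > SHA256SUMS)
    verify_download "$d/linux" linux "$d/SHA256SUMS" && echo "linux: ok"
    printf 'tampered' > "$d/initrd.gz"   # simulate a replaced download
    verify_download "$d/initrd.gz" initrd.gz "$d/SHA256SUMS" \
        || echo "initrd.gz: MISMATCH, refusing to use it"
    rm -rf "$d"
}
demo
```

A build script would call the helper right after each direct download and abort on any non-zero status.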