On 07/29/2013 01:40 AM, Evgeny Kapun wrote:
> Apt and debootstrap authenticate files which they download. However,
> sometimes lb_build downloads files directly. Run `grep wget /usr/lib/live' to
> find some of the places where it is done.
> When doing so, lb_build doesn't check if these files are original. An
> attacker can modify these files to affect the build process. For example, she
> can replace debian-installer kernel or initrd with arbitrary files
> (/usr/lib/live/build/binary_debian-installer).
yes, this has been on the todo for quite a while.

--
Address: Daniel Baumann, Donnerbuehlweg 3, CH-3012 Bern
Email: daniel.baum...@progress-technologies.net
Internet: http://people.progress-technologies.net/~daniel.baumann/
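The missing check the report describes is an integrity check between the download and its use. The shell below is an added example, not live-build code: it fetches into a side file, verifies it against an entry in a SHA256SUMS file, and only then renames it into place. It assumes the SHA256SUMS file itself has already been authenticated (for example with gpg --verify against a trusted keyring); that step is not shown so the example runs offline. The function names are made up for this example.

```sh
#!/bin/sh
# Added example (not part of live-build): verify downloads before use.
set -u

# sha256_from_sums NAME SUMSFILE
# Prints the digest recorded for NAME in SUMSFILE, which uses the
# "<digest>  <path>" layout of Debian SHA256SUMS files; the "./name"
# and "*name" spellings of the path are accepted as well.
sha256_from_sums() {
    awk -v n="$1" 'BEGIN { a = "./" n; b = "*" n }
                   $2 == n || $2 == a || $2 == b { print $1; exit }' "$2"
}

# verify_sha256 FILE NAME SUMSFILE
# Returns 0 only if FILE's sha256 equals the entry recorded for NAME.
# A missing entry is a failure, not a pass.
verify_sha256() {
    expected=$(sha256_from_sums "$2" "$3")
    if [ -z "$expected" ]; then
        echo "verify_sha256: no entry for $2 in $3" >&2
        return 1
    fi
    actual=$(sha256sum "$1" | awk '{ print $1 }')
    [ "$expected" = "$actual" ]
}

# fetch_verified URL DEST SUMSFILE
# Download to DEST.unverified, check it, then rename into place, so an
# unverified file never exists under the name the rest of the build uses.
fetch_verified() {
    url="$1"; dest="$2"; sums="$3"
    tmp="${dest}.unverified"
    wget -q -O "$tmp" "$url" || { rm -f "$tmp"; return 1; }
    if verify_sha256 "$tmp" "$(basename "$dest")" "$sums"; then
        mv "$tmp" "$dest"
    else
        rm -f "$tmp"
        echo "fetch_verified: checksum mismatch for $url, discarded" >&2
        return 1
    fi
}
```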