Patrick (adrelanos) from the Kicksecure team and I discovered this vulnerability before realizing this bug existed. I developed a full proof-of-concept exploit for it, and informed the Debian Security Team about it. They got back to me and don't appear to have a problem with me publishing the details, so I've made my original email to the Debian Security Team public as a GitHub gist (so as to not flood the BTS with a massive comment). The PoC instructions are here: https://gist.github.com/ArrayBolt3/99d1296a6d82b5a6f2453943eaf85520
If you're using live-build, I'd highly recommend setting the various `--mirror` and `--parent-mirror` settings in your `lb config` commands explicitly, specifying HTTPS repos for each of those settings. It's not a perfect solution, but as long as no one has compromised HTTPS, it should be sufficient to plug this hole.
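As an added illustration of the mitigation suggested above (this is not code from the bug report or from live-build itself), the following script enumerates live-build's mirror options, pins all of them to HTTPS repositories, and refuses to run `lb config` if any mirror URL is not HTTPS. The `--mirror-*` and `--parent-mirror-*` option names are live-build's own (see `man lb_config`); the mirror URLs, the helper function names and the `--distribution` value are assumptions for this example and should be replaced with your own.

```shell
#!/bin/sh
# Added example (not from the original bug report or from live-build): build the
# mirror arguments for `lb config` so that every repository live-build touches is
# fetched over HTTPS, and abort before running lb config if that is not the case.
# Option names come from `man lb_config`; the URLs below are assumptions.

DEBIAN_MIRROR="https://deb.debian.org/debian/"
SECURITY_MIRROR="https://deb.debian.org/debian-security/"

# Return 0 if the URL uses HTTPS, 1 otherwise.
require_https() {
    case "$1" in
        https://*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Print the lb config mirror arguments for a Debian mirror and a security mirror,
# covering the bootstrap, chroot, binary and debian-installer stages as well as
# their --parent-mirror-* counterparts. Prints nothing and returns 1 if either
# URL is not HTTPS, so a plain-http mirror can never slip through.
mirror_args() {
    debian="$1"
    security="$2"
    for url in "$debian" "$security"; do
        if ! require_https "$url"; then
            echo "refusing non-HTTPS mirror: $url" >&2
            return 1
        fi
    done
    printf '%s ' \
        --mirror-bootstrap "$debian" \
        --mirror-chroot "$debian" \
        --mirror-binary "$debian" \
        --mirror-debian-installer "$debian" \
        --mirror-chroot-security "$security" \
        --mirror-binary-security "$security" \
        --parent-mirror-bootstrap "$debian" \
        --parent-mirror-chroot "$debian" \
        --parent-mirror-binary "$debian" \
        --parent-mirror-debian-installer "$debian" \
        --parent-mirror-chroot-security "$security" \
        --parent-mirror-binary-security "$security"
    echo
}

# Count how many --mirror-*/--parent-mirror-* options a generated argument
# string carries (useful as a sanity check that none was left to its default).
count_mirror_opts() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -c -E '^--(parent-)?mirror-'
}

# Only invoke live-build when it is installed; otherwise just show the command.
args=$(mirror_args "$DEBIAN_MIRROR" "$SECURITY_MIRROR") || exit 1
if command -v lb >/dev/null 2>&1; then
    # shellcheck disable=SC2086
    lb config --distribution bookworm $args
else
    echo "lb config --distribution bookworm $args"
fi
```

Setting all twelve options explicitly matters because each build stage has its own mirror setting and each has its own default; fixing only `--mirror-bootstrap` still leaves the chroot, binary and security fetches on whatever default live-build ships. As the report says, HTTPS is a transport-level safeguard rather than a complete fix, so it complements, and does not replace, apt's own signature checks.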