[Pkg-libvirt-maintainers] Bug#909389: virt-inst --location security concern

Simon Josefsson simon at josefsson.org
Sat Sep 22 21:51:36 BST 2018


Package: virtinst
Version: 1:1.4.0-5

I rediscovered a problem I found a couple of years ago, and thought I'd
report it properly this time.

The problem is that "virt-install --location" does not verify
checksums/signatures of what is downloaded, and is thus vulnerable to a
network attack where someone replaces the kernel/initrd with a version
that is malicious.  As far as I know, there is no way to tell
virt-install what checksums to expect.

See earlier discussion here:
https://www.redhat.com/archives/virt-tools-list/2015-April/msg00214.html

Quoting the manpage which gives http-URLs to use:

       --location OPTIONS
...
           Debian
               http://ftp.us.debian.org/debian/dists/stable/main/installer-amd64/

           Ubuntu
               http://us.archive.ubuntu.com/ubuntu/dists/wily/main/installer-amd64/

A workaround is to replace the recommended http URLs with https URLs. 
I checked that CA verification of the domain name works.  This gives
some protection, but far from a GnuPG-based verification that would be
ideal.

Run this command to see what is happening:

virt-install --name foo --memory 500 --disk none --location http://deb.debian.org/debian/dists/stable/main/installer-amd64/ --noautoconsole --debug

/Simon
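
Added example, not part of the original report and not virt-install code: a sketch of the checksum chain a client could enforce before booting a downloaded kernel/initrd, going from a Release file to the installer's SHA256SUMS manifest to the boot files. It assumes the Debian-style layout in which Release lists the installer SHA256SUMS, and that the Release file's signature was already checked; all sample data and paths are constructed.

```python
import hashlib

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def release_sha256(release_text):
    """Map path -> sha256 from the 'SHA256:' section of a Release file."""
    out, in_section = {}, False
    for line in release_text.splitlines():
        if not line.startswith(" "):      # a new field starts in column 0
            in_section = line.strip() == "SHA256:"
        elif in_section:
            digest, _size, path = line.split()
            out[path] = digest
    return out

def sums_sha256(sums_text):
    """Map path -> sha256 from a sha256sum-style manifest ('<hex>  ./path')."""
    out = {}
    for line in sums_text.splitlines():
        if line.strip():
            digest, path = line.split(None, 1)
            path = path.strip()
            out[path[2:] if path.startswith("./") else path] = digest
    return out

def verify_boot_files(release_text, sums_path, sums_bytes, files):
    """Return the verified names; raise ValueError on any mismatch.
    Assumes release_text already passed a signature check (e.g. gpgv)."""
    expected = release_sha256(release_text).get(sums_path)
    if expected is None or expected != sha256_hex(sums_bytes):
        raise ValueError("manifest %s does not match Release" % sums_path)
    manifest = sums_sha256(sums_bytes.decode("ascii"))
    for name, data in files.items():
        if manifest.get(name) != sha256_hex(data):
            raise ValueError("checksum mismatch for %s" % name)
    return sorted(files)

# Constructed sample data standing in for the downloaded files.
KERNEL, INITRD = b"constructed kernel", b"constructed initrd"
SUMS = ("%s  ./netboot/debian-installer/amd64/linux\n"
        "%s  ./netboot/debian-installer/amd64/initrd.gz\n"
        % (sha256_hex(KERNEL), sha256_hex(INITRD))).encode("ascii")
SUMS_PATH = "main/installer-amd64/current/images/SHA256SUMS"
RELEASE = "Suite: stable\nSHA256:\n %s %d %s\n" % (sha256_hex(SUMS), len(SUMS), SUMS_PATH)
FILES = {"netboot/debian-installer/amd64/linux": KERNEL,
         "netboot/debian-installer/amd64/initrd.gz": INITRD}

if __name__ == "__main__":
    print("verified:", verify_boot_files(RELEASE, SUMS_PATH, SUMS, FILES))
```

A kernel or manifest replaced in transit fails one of the two comparisons, because the attacker cannot also change the signed Release file.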