[Pkg-libvirt-maintainers] Bug#909389: virt-inst --location security concern

Pino Toscano pino at debian.org
Mon Nov 30 08:19:36 GMT 2020


Hi,

On Saturday 22 September 2018 22:51:36 CET, you wrote:
> Package: virtinst
> Version: 1:1.4.0-5
> 
> I rediscovered a problem I found a couple of years ago, and thought I'd
> report it properly this time.
> 
> The problem is that "virt-install --location" does not verify
> checksums/signatures of what is downloaded, and is thus vulnerable to a
> network attack where someone replaces the kernel/initrd with a version
> that is malicious.  As far as I know, there is no way to tell virt-
> install what checksums to expect.
> 
> See earlier discussion here:
> https://www.redhat.com/archives/virt-tools-list/2015-April/msg00214.html
> 
> Quoting the manpage which gives http-URLs to use:
> 
>        --location OPTIONS
> ...
>            Debian
>                http://ftp.us.debian.org/debian/dists/stable/main/installer-amd64/
> 
>            Ubuntu
>                http://us.archive.ubuntu.com/ubuntu/dists/wily/main/installer-amd64/
> 
> A workaround is to replace the recommended http URLs with https URLs. 
> I checked that CA verification of the domain name works.  This gives
> some protection, but far from a GnuPG-based verification that would be
> ideal.

Upstream switched to https URLs with two commits:
- a712549b2b9b0100907878fea18442be68b8d35f [1]
- b1460ba0654c00527c8d5632d69b30c7030dc182 [2]
which are both available in virt-manager 2.0.0.

Note that even before the above fixes it was possible to pass https
URLs to the installer location.

Also, the upstream bug rh#1632132 [3] was recently closed, due to low
priority and not much interest shown in it. I'd tend to close this bug
as well; however, I'm not strongly for it.

[1] https://github.com/virt-manager/virt-manager/commit/a712549b2b9b0100907878fea18442be68b8d35f
[2] https://github.com/virt-manager/virt-manager/commit/b1460ba0654c00527c8d5632d69b30c7030dc182
[3] https://bugzilla.redhat.com/show_bug.cgi?id=1632132

-- 
Pino Toscano
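An added example, not from this thread nor from virt-install itself, of the checksum check the report says `--location` lacks: verifying a fetched kernel and initrd against a SHA256SUMS file in the format Debian publishes. It assumes the SHA256SUMS text was itself obtained through an authenticated channel (its GnuPG signature already checked, or the digests pinned locally), since a checksum file pulled unverified from the same mirror adds nothing; the artifact bytes and paths below are constructed.

```python
import hashlib
import re
from pathlib import PurePosixPath

# Line format of a SHA256SUMS file: "<64 hex chars>  <path>", where the
# character before the path is ' ' (text mode) or '*' (binary mode).
_SUMS_LINE = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")


def _norm(path: str) -> str:
    # Collapse "./netboot/x" and "netboot/x" to the same key.
    return str(PurePosixPath(path))


def parse_sha256sums(text: str) -> dict[str, str]:
    """Map each listed path to its expected lowercase SHA-256 hex digest."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _SUMS_LINE.match(line)
        if not m:  # a malformed line is a reason to stop, not to skip
            raise ValueError(f"malformed SHA256SUMS line: {raw!r}")
        expected[_norm(m.group(2))] = m.group(1).lower()
    return expected


def verify_artifact(data: bytes, path: str, expected: dict[str, str]) -> bool:
    """True only if 'path' is listed and 'data' hashes to the listed digest."""
    digest = expected.get(_norm(path))
    if digest is None:
        return False  # unlisted artifact: refuse rather than assume it is fine
    return hashlib.sha256(data).hexdigest() == digest


def verify_all(artifacts: dict[str, bytes], expected: dict[str, str]) -> list[str]:
    """Return the paths that failed verification (empty list means all passed)."""
    return [p for p, data in artifacts.items()
            if not verify_artifact(data, p, expected)]


# Constructed sample data (hypothetical contents, real-looking installer paths).
SAMPLE_KERNEL = b"constructed kernel image bytes\n"
SAMPLE_INITRD = b"constructed initrd bytes\n"
SAMPLE_SUMS = (
    f"{hashlib.sha256(SAMPLE_KERNEL).hexdigest()}  ./netboot/debian-installer/amd64/linux\n"
    f"{hashlib.sha256(SAMPLE_INITRD).hexdigest()} *./netboot/debian-installer/amd64/initrd.gz\n"
)
```

Only artifacts for which `verify_all` returns no failures should be handed to the installer; a tampered or unlisted kernel/initrd is reported by path.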