
Re: [alpine-user] apk MITM bug

From: Daniel Isaksen <d_at_duniel.no>
Date: Sat, 15 Sep 2018 16:29:46 +0200

A CVE is pending for this.

Also see:
https://alpinelinux.org/posts/Alpine-3.8.1-released.html
https://git.alpinelinux.org/cgit/apk-tools/commit/?id=6484ed9849f03971eb48ee1fdc21a2f128247eb1

-----
Sincerely / Med vennlig hilsen,
Daniel Isaksen <d_at_duniel.no> (https://duniel.no)

On Sat, Sep 15, 2018 at 4:01 PM, Fabio Martins <fm+alpine+user+list_at_phosphorusnetworks.com> wrote:

>
> Just read:
>
> https://www.theregister.co.uk/2018/09/15/alpine_linux_bug/
>
> ..."The vulnerability lies in the way apk unpacks archives and deals with
> suspicious code. Justicz found that if the malware could be hidden within
> the package's commit_hooks directory, it would escape the cleanup and
> could then be executed as normal."
>
> Didn't find anything here:
>
> https://bugs.alpinelinux.org/projects/alpine/issues
>
> Am I missing something?
>
> cheers.
>
> --
> Fabio Martins
> PHOSPHORUS NETWORKS
> https://phosphorusnetworks.com/en/
>
>
>
> ---
> Unsubscribe: alpine-user+unsubscribe_at_lists.alpinelinux.org
> Help: alpine-user+help_at_lists.alpinelinux.org
> ---
>
>



Received on Sat Sep 15 2018 - 16:29:46 GMT