Mail archive

[alpine-user] Vulnerability mechanism of debian apt applies to apk ?

From: Euro Domenii <>
Date: Wed, 30 Jan 2019 17:47:58 +0200

Here is the IRC log:

[15:16] == EuroDomenii [bc1b071d_at_gateway/web/freenode/ip.] has joined #alpine-linux
[15:16] Channel names begin with # (corrected automatically).
[15:18] == mort___ [~Adium_at_2001:630:212:2ab:9c9:975:ed0f:babe] has joined
[15:18] == mort___ [~Adium_at_2001:630:212:2ab:9c9:975:ed0f:babe] has quit [Client Quit]
[15:20] == nepochal [~nepochal_at_unaffiliated/nepochal] has quit [Quit: WeeChat 1.6]
[15:21] == nepochal [~nepochal_at_unaffiliated/nepochal] has joined
[15:22] == tomato [~Tomato_at_unaffiliated/tomato] has joined #alpine-linux
[15:24] <EuroDomenii> Is there an equivalent of the apt vulnerability for apk ?
[15:24] == ids1024 [~ids1024_at_unaffiliated/ids1024] has quit [Ping timeout: 252 seconds]
[15:25] <EuroDomenii> In the past, Max Justicz has found
[15:26] <AinNero> that issue was unrelated to redirects
[15:26] == alpha_Aquilae [] has quit [Ping timeout: 246 seconds]
[15:26] <mps> EuroDomenii: this issue was a little overhyped by the author,
[15:26] <AinNero> like apk and apt are different programs, with different
[15:27] <AinNero> mps: Security Issues are always overhyped
[15:27] <mps> AinNero: right :)
[15:27] <AinNero> except in this case, it didn't even get its own domain
[15:27] <AinNero> with fancy website
[15:28] <AinNero> if you know my blog, i have a rant up about reputation whoring in the ITsec industry
[15:28] == tomato [~Tomato_at_unaffiliated/tomato] has quit [Ping timeout: 252
[15:28] <EuroDomenii> thanks for reply
[15:28] == tomato [~Tomato_at_unaffiliated/tomato] has joined #alpine-linux
[15:28] <mps> I looked at it earlier but forgot the exact url
[15:29] <EuroDomenii> So, the apk packages are sanitizing correctly the
[15:29] <_at_clandmeter> EuroDomenii: I don't know if we are vulnerable. The persons who could know are not online atm.
[15:30] <mps> EuroDomenii: it is hard to inject a package which has not passed the official check on Alpine
[15:30] <AinNero> EuroDomenii: apk does not use hashsums from the repository server like debian does
[15:30] <mps> that one could be used only if you install a package from an untrusted repo
[15:31] <_at_clandmeter> EuroDomenii: the best way would be to verify it yourself and let us know.
[15:31] <mps> but, if you install package from untrusted repo it is always
[15:32] <EuroDomenii> Thanks for the tips. I'm quite new to alpine. Anyway, it may be worth looking at the vulnerability mechanism in debian, to check if it applies to alpine
[15:32] <_at_clandmeter> EuroDomenii: some insight on that sec issue you
[15:33] <mps> also, in Debian if someone adds a package with 'rm -rf /' in post-install you are doomed

Received on Wed Jan 30 2019 - 17:47:58 UTC