
[alpine-user] Vulnerability mechanism of debian apt https://security-tracker.debian.org/tracker/CVE-2019-3462 applies to apk ?

From: Euro Domenii <eurodomenii_at_gmail.com>
Date: Wed, 30 Jan 2019 17:47:58 +0200

Here is the IRC log:
Thx!

[15:16] == EuroDomenii [bc1b071d_at_gateway/web/freenode/ip.188.27.7.29] has joined #alpine-linux
[15:16] Channel names begin with # (corrected automatically).
[15:18] == mort___ [~Adium_at_2001:630:212:2ab:9c9:975:ed0f:babe] has joined #alpine-linux
[15:18] == mort___ [~Adium_at_2001:630:212:2ab:9c9:975:ed0f:babe] has quit [Client Quit]
[15:20] == nepochal [~nepochal_at_unaffiliated/nepochal] has quit [Quit: WeeChat 1.6]
[15:21] == nepochal [~nepochal_at_unaffiliated/nepochal] has joined #alpine-linux
[15:22] == tomato [~Tomato_at_unaffiliated/tomato] has joined #alpine-linux
[15:24] <EuroDomenii> Is there an equivalent of the apt vulnerability https://security-tracker.debian.org/tracker/CVE-2019-3462 for apk?
[15:24] == ids1024 [~ids1024_at_unaffiliated/ids1024] has quit [Ping timeout: 252 seconds]
[15:25] <EuroDomenii> In the past, Max Justicz has found https://justi.cz/security/2018/09/13/alpine-apk-rce.html
[15:26] <AinNero> that issue was unrelated to redirects
[15:26] == alpha_Aquilae [~ircII_at_233.194.196.77.rev.sfr.net] has quit [Ping timeout: 246 seconds]
[15:26] <mps> EuroDomenii: this issue was a little overhyped by the author, imo
[15:26] <AinNero> like apk and apt are different programs, with different approaches
[15:27] <AinNero> mps: security issues are always overhyped
[15:27] <mps> AinNero: right :)
[15:27] <AinNero> except in this case, it didn't even get its own domain
[15:27] <AinNero> with fancy website
[15:28] <AinNero> if you know my blog, I have a rant up about reputation whoring in the ITsec industry
[15:28] == tomato [~Tomato_at_unaffiliated/tomato] has quit [Ping timeout: 252 seconds]
[15:28] <EuroDomenii> thanks for the reply
[15:28] == tomato [~Tomato_at_unaffiliated/tomato] has joined #alpine-linux
[15:28] <mps> I looked at it earlier but forgot the exact url
[15:29] <EuroDomenii> So, the apk packages are sanitizing the redirects correctly?
[15:29] <_at_clandmeter> EuroDomenii: I don't know if we are vulnerable. The persons who could know are not online atm.
[15:30] <mps> EuroDomenii: it is hard to inject a package which has not passed the official check on Alpine
[15:30] <AinNero> EuroDomenii: apk does not use hashsums from the repository server like debian does
[15:30] <mps> that one could be used only if you install a package from an untrusted repo
[15:31] <_at_clandmeter> EuroDomenii: the best way would be to verify it yourself and let us know.
[15:31] <mps> but, if you install a package from an untrusted repo it is always risky
[15:32] <EuroDomenii> Thanks for the tips. I'm quite new to alpine. Anyway, it may be worth checking if the vulnerability mechanism in debian applies to alpine
[15:32] <_at_clandmeter> EuroDomenii: some insight on that sec issue you mentioned https://git.alpinelinux.org/apk-tools/commit/?id=6484ed9849f03971eb48ee1fdc21a2f128247eb1
[15:33] <mps> also, in Debian if someone adds a package with 'rm -rf /' in post-install you are doomed
Received on Wed Jan 30 2019 - 17:47:58 UTC