From: Euro Domenii
Date: Wed, 30 Jan 2019 17:47:58 +0200
Subject: [alpine-user] Vulnerability mechanism of debian apt https://security-tracker.debian.org/tracker/CVE-2019-3462 applies to apk ?
To: alpine-user@lists.alpinelinux.org

Here is the IRC log:
Thx!

[15:16] == EuroDomenii [bc1b071d@gateway/web/freenode/ip.188.27.7.29] has joined #alpine-linux
[15:16] Channel names begin with # (corrected automatically).
[15:18] == mort___ [~Adium@2001:630:212:2ab:9c9:975:ed0f:babe] has joined #alpine-linux
[15:18] == mort___ [~Adium@2001:630:212:2ab:9c9:975:ed0f:babe] has quit [Client Quit]
[15:20] == nepochal [~nepochal@unaffiliated/nepochal] has quit [Quit: WeeChat 1.6]
[15:21] == nepochal [~nepochal@unaffiliated/nepochal] has joined #alpine-linux
[15:22] == tomato [~Tomato@unaffiliated/tomato] has joined #alpine-linux
[15:24] <EuroDomenii> Is there an equivalent of the apt vulnerability https://security-tracker.debian.org/tracker/CVE-2019-3462 for apk?
[15:24] == ids1024 [~ids1024@unaffiliated/ids1024] has quit [Ping timeout: 252 seconds]
[15:25] <EuroDomenii> In the past, Max Justicz has found https://justi.cz/security/2018/09/13/alpine-apk-rce.html
[15:26] <AinNero> that issue was unrelated to redirects
[15:26] == alpha_Aquilae [~ircII@233.194.196.77.rev.sfr.net] has quit [Ping timeout: 246 seconds]
[15:26] <mps> EuroDomenii: this issue was a little overhyped by the author, imo
[15:26] <AinNero> like apk and apt are different programs, with different approaches
[15:27] <AinNero> mps: Security Issues are always overhyped
[15:27] <mps> AinNero: right :)
[15:27] <AinNero> except in this case, it didn't even get its own domain
[15:27] <AinNero> with fancy website
[15:28] <AinNero> if you know my blog, i have a rant up about reputation whoring in the ITsec industry
[15:28] == tomato [~Tomato@unaffiliated/tomato] has quit [Ping timeout: 252 seconds]
[15:28] <EuroDomenii> thanks for the reply
[15:28] == tomato [~Tomato@unaffiliated/tomato] has joined #alpine-linux
[15:28] <mps> I looked at it earlier but forgot the exact url
[15:29] <EuroDomenii> So, the apk packages are sanitizing the redirects correctly?
[15:29] <@clandmeter> EuroDomenii: i don't know if we are vulnerable. The persons who could know are not online atm.
[15:30] <mps> EuroDomenii: it is hard to inject a package which has not passed the official check on Alpine
[15:30] <AinNero> EuroDomenii: apk does not use hashsums from the repository server like debian does
[15:30] <mps> that one could be used only if you install a package from an untrusted repo
[15:31] <@clandmeter> EuroDomenii: the best way would be to verify it yourself and let us know.
[15:31] <mps> but, if you install a package from an untrusted repo it is always risky
[15:32] <EuroDomenii> Thanks for the tips. I'm quite new to alpine. Anyway, it may be worth looking at the vulnerability mechanism in debian, to check if it applies to alpine
[15:32] <@clandmeter> EuroDomenii: some insight on that sec issue you mentioned https://git.alpinelinux.org/apk-tools/commit/?id=6484ed9849f03971eb48ee1fdc21a2f128247eb1
[15:33] also, in Debian if someone adds a package with 'rm -rf /' in post-install you are doomed