X-Original-To: alpine-user@lists.alpinelinux.org
Received: from mail-lj1-f181.google.com (mail-lj1-f181.google.com [209.85.208.181])
	by lists.alpinelinux.org (Postfix) with ESMTP id DEF9E5C2FF2
	for <alpine-user@lists.alpinelinux.org>; Sat, 15 Sep 2018 14:30:08 +0000 (GMT)
Received: by mail-lj1-f181.google.com with SMTP id p10-v6so9745898ljg.2
        for <alpine-user@lists.alpinelinux.org>; Sat, 15 Sep 2018 07:30:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=duniel-no.20150623.gappssmtp.com; s=20150623;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to
         :cc;
        bh=G53/ioOqBN9dje3EKYMXmWGvffuZpQLqmZx8+aj5Kco=;
        b=CPsB+g8ZyUsVayTPkQckb3nxzYZw+yhZudXETVVhU381ZTOpiOl/QkIlO6VHmToTxC
         Faae/PSibeYjgowWa5jNVD8OYMYAtI3vQMmBDzw2iurrkfoonejfZBjvNHmOh5dJq9SS
         bTM45faMiORsF0bdW0Xc+q4WhQB6S4yCRG0nw/YTDLfbZaImG6Bqe9JzIqwJbB2hVFjp
         VvoRaUnK4BkbS1HNs0coKn6hJ+zgRv6J4GtblB/SbPAPNdyPFe1Rj7v4CTXxQLmd/dWS
         YJO0nFMp5R3yMw8/Vi+CnjOOxWX66UiTM+JCDJMon/lE/3oi+c8p68coLZLmNRETIPVu
         Pq0g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to:cc;
        bh=G53/ioOqBN9dje3EKYMXmWGvffuZpQLqmZx8+aj5Kco=;
        b=Ap0TscjGhKsai+DrRvNfxwIKpunSKRSbF6iTmtYzax6ROFZs4tO3AzCOZ5UgjOGtZh
         Aj4Vth87DHCZV7YVlyUJZdQj2fPmoo2GFQ3zGsPvqwIOnL0Hffw/r2xyy7X81bKc9v1A
         ZSKe3whmpNOb3xY7NnNqxpFL2LIfrWYLjGMgCic8zJbQyKwF8MV6RgzMW8m9KoQlL+hh
         GAe+oYSCD4EdxEo/zKAQGl0fev0SR7pNesoVBal7HtYsvKZfHSwpjUbwF6TyRUBexE3I
         wfEJs+9kszV05tAhe/X8XyQst1wxYO/jKi+2KsAZrcddolHScItXtzZkCrwDp5mA+vud
         ipRQ==
X-Gm-Message-State: APzg51Dn7D4Gvzo+iBEw/1FoYlvAPrjy0FAWT5bMi50FFrbz/In1oEsE
	1qdILEP69cua0yD0YQjGtqy5typyMmCcbI0fhunq5HteHy0=
X-Google-Smtp-Source: ANB0VdY+BSW7LRA+ua4Rps+MpTYrkdxA4uTueiT40oGUXoVFD5ZC3f/aIgFj1S5zqhs9AbS/U/uDxyrFz2YcSV+Udvg=
X-Received: by 2002:a2e:4401:: with SMTP id r1-v6mr11005310lja.21.1537021807145;
 Sat, 15 Sep 2018 07:30:07 -0700 (PDT)
X-Mailinglist: alpine-user
Precedence: list
List-Id: Alpine Development <alpine-user.lists.alpinelinux.org>
List-Unsubscribe: 
	<mailto:alpine-user+unsubscribe@lists.alpinelinux.org?subject=unsubscribe>
List-Post: <mailto:alpine-user@lists.alpinelinux.org>
List-Help: <mailto:alpine-user+help@lists.alpinelinux.org?subject=help>
List-Subscribe: 
	<mailto:alpine-user+subscribe@lists.alpinelinux.org?subject=subscribe>
MIME-Version: 1.0
Received: by 2002:ab3:5d17:0:0:0:0:0 with HTTP; Sat, 15 Sep 2018 07:29:46
 -0700 (PDT)
In-Reply-To: <5b9d10ec.1c69fb81.2428d.cfe4SMTPIN_ADDED_BROKEN@mx.google.com>
References: <5b9d10ec.1c69fb81.2428d.cfe4SMTPIN_ADDED_BROKEN@mx.google.com>
From: Daniel Isaksen <d@duniel.no>
Date: Sat, 15 Sep 2018 16:29:46 +0200
Message-ID: <CAFWK1CB7mp=gWGaTpv3TJunGSgOKCKKVLUbc5k9dbKodJyv1kg@mail.gmail.com>
Subject: Re: [alpine-user] apk MITM bug
To: fm+alpine+user+list@phosphorusnetworks.com
Cc: alpine-user@lists.alpinelinux.org
Content-Type: multipart/alternative; boundary="000000000000d3c4270575e9c66a"

--000000000000d3c4270575e9c66a
Content-Type: text/plain; charset="UTF-8"

A CVE is pending for this.

Also see:
https://alpinelinux.org/posts/Alpine-3.8.1-released.html
https://git.alpinelinux.org/cgit/apk-tools/commit/?id=6484ed9849f03971eb48ee1fdc21a2f128247eb1

-----
Sincerely / Med vennlig hilsen,
Daniel Isaksen <d@duniel.no> (https://duniel.no)

On Sat, Sep 15, 2018 at 4:01 PM, Fabio Martins <
fm+alpine+user+list@phosphorusnetworks.com> wrote:

>
> Just read:
>
> https://www.theregister.co.uk/2018/09/15/alpine_linux_bug/
>
> ..."The vulnerability lies in the way apk unpacks archives and deals with
> suspicious code. Justicz found that if the malware could be hidden within
> the package's commit_hooks directory, it would escape the cleanup and
> could then be executed as normal."
>
> Didn't found nothing here:
>
> https://bugs.alpinelinux.org/projects/alpine/issues
>
> Am I missing something?
>
> cheers.
>
> --
> Fabio Martins
> PHOSPHORUS NETWORKS
> https://phosphorusnetworks.com/en/
>
>
>
> ---
> Unsubscribe:  alpine-user+unsubscribe@lists.alpinelinux.org
> Help:         alpine-user+help@lists.alpinelinux.org
> ---
>
>

--000000000000d3c4270575e9c66a
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div dir=3D"ltr"><div dir=3D"ltr">A CVE is pending for thi=
s.<div><br></div><div>Also see:</div><div><a href=3D"https://alpinelinux.or=
g/posts/Alpine-3.8.1-released.html">https://alpinelinux.org/posts/Alpine-3.=
8.1-released.html</a></div><div><div><a href=3D"https://git.alpinelinux.org=
/cgit/apk-tools/commit/?id=3D6484ed9849f03971eb48ee1fdc21a2f128247eb1">http=
s://git.alpinelinux.org/cgit/apk-tools/commit/?id=3D6484ed9849f03971eb48ee1=
fdc21a2f128247eb1</a></div></div></div></div></div><div class=3D"gmail_extr=
a"><br clear=3D"all"><div><div class=3D"gmail_signature" data-smartmail=3D"=
gmail_signature"><div dir=3D"ltr"><div>-----</div><div>Sincerely / Med venn=
lig hilsen,</div><div>Daniel Isaksen &lt;<a href=3D"mailto:d@duniel.no" tar=
get=3D"_blank">d@duniel.no</a>&gt; (<a href=3D"https://duniel.no" target=3D=
"_blank">https://duniel.no</a>)</div></div></div></div>
<br><div class=3D"gmail_quote">On Sat, Sep 15, 2018 at 4:01 PM, Fabio Marti=
ns <span dir=3D"ltr">&lt;<a href=3D"mailto:fm+alpine+user+list@phosphorusne=
tworks.com" target=3D"_blank">fm+alpine+user+list@phosphorusnetworks.com</a=
>&gt;</span> wrote:<br><blockquote class=3D"gmail_quote" style=3D"margin:0 =
0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
Just read:<br>
<br>
<a href=3D"https://www.theregister.co.uk/2018/09/15/alpine_linux_bug/" rel=
=3D"noreferrer" target=3D"_blank">https://www.theregister.co.uk/<wbr>2018/0=
9/15/alpine_linux_bug/</a><br>
<br>
...&quot;The vulnerability lies in the way apk unpacks archives and deals w=
ith<br>
suspicious code. Justicz found that if the malware could be hidden within<b=
r>
the package&#39;s commit_hooks directory, it would escape the cleanup and<b=
r>
could then be executed as normal.&quot;<br>
<br>
Didn&#39;t found nothing here:<br>
<br>
<a href=3D"https://bugs.alpinelinux.org/projects/alpine/issues" rel=3D"nore=
ferrer" target=3D"_blank">https://bugs.alpinelinux.org/<wbr>projects/alpine=
/issues</a><br>
<br>
Am I missing something?<br>
<br>
cheers.<br>
<span class=3D"HOEnZb"><font color=3D"#888888"><br>
-- <br>
Fabio Martins<br>
PHOSPHORUS NETWORKS<br>
<a href=3D"https://phosphorusnetworks.com/en/" rel=3D"noreferrer" target=3D=
"_blank">https://phosphorusnetworks.<wbr>com/en/</a><br>
<br>
<br>
<br>
---<br>
Unsubscribe:=C2=A0 <a href=3D"mailto:alpine-user%2Bunsubscribe@lists.alpine=
linux.org">alpine-user+unsubscribe@lists.<wbr>alpinelinux.org</a><br>
Help:=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0<a href=3D"mailto:alpine-user%2Bhelp=
@lists.alpinelinux.org">alpine-user+help@lists.<wbr>alpinelinux.org</a><br>
---<br>
<br>
</font></span></blockquote></div><br></div>

--000000000000d3c4270575e9c66a--


---
Unsubscribe:  alpine-user+unsubscribe@lists.alpinelinux.org
Help:         alpine-user+help@lists.alpinelinux.org
---