Bug #16386

CVE-2019-3462: Content injection in APT http method when using redirects

Added by lamby 2019-01-24 09:33:48 . Updated 2019-01-30 11:50:45 .

Status:
Resolved
Priority:
Elevated
Assignee:
Category:
Target version:
Start date:
2019-01-24
Due date:
% Done:

100%

Feature Branch:
lamby/bugfix/16386-force-basebox-regeneration
Type of work:
Code
Blueprint:

Starter:
Affected tool:
Deliverable for:

Description

re. https://security-tracker.debian.org/tracker/CVE-2019-3462: Content injection in APT http method when using redirects:

<     lamby> Do we need to do anything re. CVE-2019-3462?
[…]
< intrigeri> lamby: glad you're asking wrt. the APT vuln. I think there are 3 aspects:
< intrigeri> 1. Tails runtime: we're as good as we can be: we're only using Onion services in APT sources
< intrigeri> 2. build system: there's probably a time in the process where current basebox uses an outdated APT. could make sense to force a basebox refresh so debootstrap picks the right version straight from Stretch 9.7, without depending on a follow-up upgrade to fix it.
< intrigeri> 3. infra: groente is on it and bertagaz is on duty, I'll let them handle it :)
< intrigeri> => action item for (2): confirm we have a problem (looks like it, a build from yesterday started with 1.4.8 and then upgraded to 1.4.9); then file a ticket + prepare a PR that forces a basebox build from scratch. a dummy commit under vagrant/ would do. surely there's a typo to fix or a comment to add :)
< intrigeri> lamby: makes sense? do you want to take it
<     lamby> intrigeri: sure

Files


Subtasks


Related issues

Blocks Tails - Feature #15507: Core work 2019Q1: Foundations Team Resolved 2018-04-08

History

#1 Updated by lamby 2019-01-24 09:34:13

  • Status changed from New to In Progress

#2 Updated by intrigeri 2019-01-24 09:36:53

#3 Updated by intrigeri 2019-01-24 09:37:04

  • Target version set to Tails_3.12

#4 Updated by lamby 2019-01-24 09:47:32

Attaching here as I can’t seem to push right now and I need to step away from the computer for a bit.

From 09302df1790b87c99862a5ecf68de7e7fdeeba9f Mon Sep 17 00:00:00 2001
From: Chris Lamb <chris@chris-lamb.co.uk>
Date: Thu, 24 Jan 2019 10:40:56 +0100
Subject: [PATCH] Dummy commit to force regeneration of basebox for
 CVE-2019-3462 in apt. (Closes: <del><a class='issue tracker-1 status-3 priority-5 priority-default closed child' href='/code/issues/16386' title='CVE-2019-3462: Content injection in APT http method when using redirects'>Bug #16386</a></del>)

---
 vagrant/definitions/tails-builder/generate-tails-builder-box.sh | 1 +
 1 file changed, 1 insertion(+)

diff --git a/vagrant/definitions/tails-builder/generate-tails-builder-box.sh b/vagrant/definitions/tails-builder/generate-tails-builder-box.sh
index 40f8f6feee..b7603235e9 100755
--- a/vagrant/definitions/tails-builder/generate-tails-builder-box.sh
+++ b/vagrant/definitions/tails-builder/generate-tails-builder-box.sh
@@ -47,6 +47,7 @@ fi
 # already exists
 rm -f "${TARGET_NAME}".*

+# FIXME: vmdebootstrap is orphaned/deprecated (<a class='issue tracker-1 status-7 priority-4 priority-default child' href='/code/issues/15349' title='Migrate away from vmdebootstrap (and possibly from Vagrant)'>Bug #15349</a>).
 sudo ${http_proxy:+http_proxy="$http_proxy"} \
      LC_ALL=${LC_ALL} \
      ARCHITECTURE=${ARCHITECTURE} \
-- 
2.20.1

#5 Updated by lamby 2019-01-24 10:08:20

  • Status changed from In Progress to Resolved
  • % Done changed from 0 to 100

Applied in changeset commit:tails|2eb76cd5422db6eadb939949294cdbc74caceb7e.

#6 Updated by intrigeri 2019-01-24 10:08:54

  • Assignee changed from intrigeri to lamby
  • Target version set to Tails_3.12
  • Feature Branch set to lamby/bugfix/16386-force-basebox-regeneration

> Attaching here as I can’t seem to push right now and I need to step away from the computer for a bit.

Thank you. Actually I might have given you mistaken guidance:

  • on the one hand, a dummy commit will force a regeneration, that much was correct
  • OTOH I think that even a freshly generated basebox will still use an outdated APT, due to us using frozen snapshots: vagrant/definitions/tails-builder/config/APT_snapshots.d; I might be wrong so I’ll push your patch to a branch, please check what happens in the build log on Jenkins.

#7 Updated by intrigeri 2019-01-24 10:14:23

  • Status changed from Resolved to In Progress
  • Priority changed from Normal to Elevated
  • % Done changed from 100 to 10

There you go: https://jenkins.tails.boum.org/view/Tails_ISO/job/build_Tails_ISO_lamby-bugfix-16386-force-basebox-regeneration/1/console

#8 Updated by lamby 2019-01-24 16:49:22

  • Assignee changed from lamby to intrigeri

> I think that even a freshly generated basebox will still use an outdated APT

Interesting. So, in the Jenkins log I see:

==> default: Get:3 http://time-based.snapshots.deb.tails.boum.org/debian-security/2019012401 stretch/updates/main amd64 apt amd64 1.4.9 [1232 kB]
==> default: Preparing to unpack .../archives/apt_1.4.9_amd64.deb ...
==> default: Unpacking apt (1.4.9) over (1.4.8) ...
==> default: Setting up apt (1.4.9) ...

So I would guess we are good here, unless we are updating “too late”?

#9 Updated by intrigeri 2019-01-24 17:01:37

  • Assignee changed from intrigeri to lamby

>

> ==> default: Get:3 http://time-based.snapshots.deb.tails.boum.org/debian-security/2019012401 stretch/updates/main amd64 apt amd64 1.4.9 [1232 kB]
> 

>

> ==> default: Preparing to unpack .../archives/apt_1.4.9_amd64.deb ...
> ==> default: Unpacking apt (1.4.9) over (1.4.8) ...
> ==> default: Setting up apt (1.4.9) ...
> 

> So I would guess we are good here, unless we are updating “too late”?

My understanding is that this upgrade is done using the vulnerable version of APT (i.e. the problem I suspected and described in my previous command). So our chain of trust is broken: an attacker could replace the presumably fixed apt 1.4.9 with arbitrary code. So I think we do need to bump the corresponding APT snapshot.

#10 Updated by lamby 2019-01-24 17:25:50

  • Status changed from In Progress to Resolved
  • % Done changed from 10 to 100

Applied in changeset commit:tails|09302df1790b87c99862a5ecf68de7e7fdeeba9f.

#11 Updated by lamby 2019-01-24 17:31:46

  • Assignee changed from lamby to intrigeri

> we do need to bump the corresponding APT snapshot.

How do we do that? I think I’m missing something given you’ve just set this to 100%? :)

#12 Updated by intrigeri 2019-01-24 17:47:46

  • Status changed from Resolved to In Progress

#13 Updated by intrigeri 2019-01-24 17:57:55

  • Assignee changed from intrigeri to lamby

>> we do need to bump the corresponding APT snapshot.

> How do we do that?

The short version is:

  1. Replace the content of the relevant vagrant/definitions/tails-builder/config/APT_snapshots.d/*/serial (in this case, I guess we need to at least bump the debian one, and perhaps the debian-security one too for consistency) with the ID of an existing snapshot of ours. E.g. one could pick the latest one, https://time-based.snapshots.deb.tails.boum.org/debian/project/trace/debian currently says 2019012403; the debian-security one may differ slightly (we have per-archive snapshots). Or to minimize impact, which would be great during a freeze, pick the oldest one from https://time-based.snapshots.deb.tails.boum.org/debian/dists/stable/snapshots/ that has the version of APT we want.
  2. Add a note here so the reviewer makes it so the snapshot(s) you picked is not garbage collected too early (we use Valid-Until as their expiration date and then we delete them; so to make a given snapshot live longer, we need to bump its Valid-Until).

For more background info, see https://tails.boum.org/contribute/APT_repository/time-based_snapshots/.

Of course, I could do all this pretty quickly myself but if you’re up to it, it’s a great opportunity for you to learn a bit more about this essential component of our infra & build system, especially relevant to you perhaps because a key part of reproducible Tails builds :) Now, if it’s not the right time for you to learn, feel free to reassign this ticket to me.

> I think I’m missing something given you’ve just set this to 100%? :)

FTR you’ve (indirectly) set this to 100% by using “Closes”.

#14 Updated by lamby 2019-01-24 18:13:11

  • Assignee changed from lamby to intrigeri
  • % Done changed from 100 to 10
2eb76cd542..bab95df389  lamby/bugfix/16386-force-basebox-regeneration -> lamby/bugfix/16386-force-basebox-regeneration

:)

commit bab95df38997ba477635699c7fba046899b75127
Author: Chris Lamb <chris@chris-lamb.co.uk>
Date:   Thu Jan 24 19:06:36 2019 +0100

    Bump the APT snapshot serial for debian{,-security} to ensure we pick up apt 1.4.9 for CVE-2019-3462. (refs: <del><a class='issue tracker-1 status-3 priority-5 priority-default closed child' href='/code/issues/16386' title='CVE-2019-3462: Content injection in APT http method when using redirects'>Bug #16386</a></del>)

diff --git a/vagrant/definitions/tails-builder/config/APT_snapshots.d/debian-security/serial b/vagrant/definitions/tails-builder/config/APT_snapshots.d/debian-security/serial
index ad22d0f18d..9d22097040 100644
--- a/vagrant/definitions/tails-builder/config/APT_snapshots.d/debian-security/serial
+++ b/vagrant/definitions/tails-builder/config/APT_snapshots.d/debian-security/serial
@@ -1 +1 @@
-2019011802
+2019012403
diff --git a/vagrant/definitions/tails-builder/config/APT_snapshots.d/debian/serial b/vagrant/definitions/tails-builder/config/APT_snapshots.d/debian/serial
index ad22d0f18d..9d22097040 100644
--- a/vagrant/definitions/tails-builder/config/APT_snapshots.d/debian/serial
+++ b/vagrant/definitions/tails-builder/config/APT_snapshots.d/debian/serial
@@ -1 +1 @@
-2019011802
+2019012403

#15 Updated by intrigeri 2019-01-25 08:16:23

  • Assignee changed from intrigeri to lamby
  • QA Check changed from Ready for QA to Dev Needed

The build logs confirm that the Vagrant box has APT 1.4.9 installed right from the start. It’s not 100% obvious as we don’t log the output of debootstrap but on a build that reuses an existing Vagrant box, one can see that the “I: Upgrading system…” step does not need to upgrade anything, which shows that the problem identified earlier on this ticket is fixed. So we’re good on the Vagrant box build process side. Woohoo!

Unfortunately, we’re not done yet: searching for “1.4.8” in the build log shows this:

22:48:15 I: Retrieving apt 1.4.8
22:48:15 I: Validating apt 1.4.8

… during live-build’s “Running debootstrap…” stage. (Of course, APT is later upgraded to 1.4.9 in the chroot, but similarly to the problem you’ve fixed for the Vagrant box, that upgrade is done using a vulnerable APT, so it cannot be trusted.) This explains it: “Checking component main on ”$“:http://time-based.snapshots.deb.tails.boum.org/debian/2019011802”. debootstrap run by live-build, will use the (frozen, pre-9.7) snapshot configured in config/APT_snapshots.d/debian/serial. AFAIK there’s no way to teach debootstrap to also use an additional APT repository (e.g. the security archive, that we don’t freeze, and that has the fix; or our custom APT repo, where we could upload the fixed APT). So the only way to fix this is to bump the APT snapshot in config/APT_snapshots.d/debian/serial. I hope it won’t upgrade too much stuff we don’t want to upgrade. I would advise to:

  1. try with the same snapshot you’ve picked for the Vagrant box (2019012403), because reusing the same would save disk space on our infra
  2. once the branch is updated, build and compare the resulting .packages and .build-manifest with those from 3.12~rc1 (you can get them by building from the 3.12-rc1 tag)
  3. if the diff is OK, move on; else, try picking the oldest possible snapshot that has the fix
  4. finally, as every time we pick a specific snapshot for long-term use, ask me to bump its expiration date

In any case, please look for “1.4.8” in the build logs to ensure we never, ever install it in the build process :)

Meanwhile, I’ve bumped the expiration date of the 2019012403 snapshot, for both the debian and debian-security archives.

#16 Updated by lamby 2019-01-25 08:34:01

+ bab95df389...2c512716de lamby/bugfix/16386-force-basebox-regeneration -> lamby/bugfix/16386-force-basebox-regeneration (forced update)

ie.

commit 2c512716de7315a14e394ff0e67b1ad6e7edf0c1
Author: Chris Lamb <chris@chris-lamb.co.uk>
Date:   Thu Jan 24 19:06:36 2019 +0100

    Bump the APT snapshot serial in the vagrant builder for "debian{,-security}" and "debian" for Tails itself to ensure we pick up apt 1.4.9 for CVE-2019-3462. (refs: <del><a class='issue tracker-1 status-3 priority-5 priority-default closed child' href='/code/issues/16386' title='CVE-2019-3462: Content injection in APT http method when using redirects'>Bug #16386</a></del>)

diff --git a/config/APT_snapshots.d/debian/serial b/config/APT_snapshots.d/debian/serial
index ad22d0f18d..9d22097040 100644
--- a/config/APT_snapshots.d/debian/serial
+++ b/config/APT_snapshots.d/debian/serial
@@ -1 +1 @@
-2019011802
+2019012403
diff --git a/vagrant/definitions/tails-builder/config/APT_snapshots.d/debian-security/serial b/vagrant/definitions/tails-builder/config/APT_snapshots.d/debian-security/serial
index ad22d0f18d..9d22097040 100644
--- a/vagrant/definitions/tails-builder/config/APT_snapshots.d/debian-security/serial
+++ b/vagrant/definitions/tails-builder/config/APT_snapshots.d/debian-security/serial
@@ -1 +1 @@
-2019011802
+2019012403
diff --git a/vagrant/definitions/tails-builder/config/APT_snapshots.d/debian/serial b/vagrant/definitions/tails-builder/config/APT_snapshots.d/debian/serial
index ad22d0f18d..9d22097040 100644
--- a/vagrant/definitions/tails-builder/config/APT_snapshots.d/debian/serial
+++ b/vagrant/definitions/tails-builder/config/APT_snapshots.d/debian/serial
@@ -1 +1 @@
-2019011802
+2019012403

Awaiting jenkins output…

#17 Updated by lamby 2019-01-25 14:08:13

  • Assignee changed from lamby to intrigeri

This is Build #4 :

09:05:03 I: Retrieving apt 1.4.9
09:05:03 I: Validating apt 1.4.9

There is no instance of 1.4.8 in the log.

#18 Updated by intrigeri 2019-01-25 15:30:26

Thanks. I’ll compare the resulting .{packages,build-manifest}.

#19 Updated by intrigeri 2019-01-25 15:46:34

  • Assignee changed from intrigeri to lamby

The diff between 3.12~rc1’s .{packages,build-manifest} files and the aforementioned build 4’s only have the expected APT upgrade, base-files (since Stretch 9.7 was released), and VirtualBox (5.2.22-dfsg-1~bpo9+1 → 5.2.24-dfsg-4~bpo9+1). At this time of our freeze I’d rather not take the VirtualBox upgrade without careful consideration, especially given I’m not aware of VirtualBox issues in 3.12~rc1.

Our first snapshot of the debian archive that has the upgrade of the VirtualBox binary packages is 2019012401. The previous snapshot (2019012304) hasn’t, but it does include the APT upgrade. So I would say let’s use 2019012304 instead of 2019012403. Makes sense?

#20 Updated by lamby 2019-01-25 16:03:39

  • Assignee changed from lamby to intrigeri

Good idea to check the .packages! :)

> first snapshot of the debian archive that has the upgrade of the VirtualBox binary packages is 2019012401. The previous snapshot (2019012304) hasn’t, but it does include the APT upgrade. So I would say let’s use 2019012304

Updated to use 2019012304 across all serials; assuming you meant that (somewhat ambiguous use of “debian”).

commit e43d76a8c7de1b2b4a21ca600458fe8e8ce14d04
Author: Chris Lamb <chris@chris-lamb.co.uk>
Date:   Fri Jan 25 16:52:26 2019 +0100

    Bump the APT snapshot serial in the vagrant builder for "debian{,-security}" and "debian" for Tails itself to ensure we pick up apt 1.4.9 for CVE-2019-3462. (refs: <del><a class='issue tracker-1 status-3 priority-5 priority-default closed child' href='/code/issues/16386' title='CVE-2019-3462: Content injection in APT http method when using redirects'>Bug #16386</a></del>)

diff --git a/config/APT_snapshots.d/debian/serial b/config/APT_snapshots.d/debian/serial
index ad22d0f18d..676c1459b2 100644
--- a/config/APT_snapshots.d/debian/serial
+++ b/config/APT_snapshots.d/debian/serial
@@ -1 +1 @@
-2019011802
+2019012304
diff --git a/vagrant/definitions/tails-builder/config/APT_snapshots.d/debian-security/serial b/vagrant/definitions/tails-builder/config/APT_snapshots.d/debian-security/serial
index ad22d0f18d..676c1459b2 100644
--- a/vagrant/definitions/tails-builder/config/APT_snapshots.d/debian-security/serial
+++ b/vagrant/definitions/tails-builder/config/APT_snapshots.d/debian-security/serial
@@ -1 +1 @@
-2019011802
+2019012304
diff --git a/vagrant/definitions/tails-builder/config/APT_snapshots.d/debian/serial b/vagrant/definitions/tails-builder/config/APT_snapshots.d/debian/serial
index ad22d0f18d..676c1459b2 100644
--- a/vagrant/definitions/tails-builder/config/APT_snapshots.d/debian/serial
+++ b/vagrant/definitions/tails-builder/config/APT_snapshots.d/debian/serial
@@ -1 +1 @@
-2019011802
+2019012304

#21 Updated by intrigeri 2019-01-25 16:07:09

  • QA Check changed from Dev Needed to Ready for QA

> Updated to use 2019012304 across all serials; assuming you meant that (somewhat ambiguous use of “debian”).

That sounds fine. We could have left the debian-security archive at 2019012403, whose expiration date had already been bumped. But that won’t make a big difference either way (if any) so don’t bother. I’ll wait for an ISO build, will compare the artifacts with 3.12~rc1 again, will check other CI results and merge if Jenkins is happy enough :)

#22 Updated by intrigeri 2019-01-25 18:14:08

  • % Done changed from 10 to 70

Code review passes, .{packages,build-manifest} diffs are now exactly what we want \o/

Waiting for other CI checks and then I’ll merge.

Optimistically bumped the expiration date of the relevant APT snapshots.

#23 Updated by intrigeri 2019-01-25 20:43:30

  • Status changed from In Progress to Fix committed
  • % Done changed from 70 to 100

Applied in changeset commit:tails|c173e86f4eb6359d3527ec0338a3fb03d0338b56.

#24 Updated by intrigeri 2019-01-25 20:44:00

  • Assignee deleted (intrigeri)
  • QA Check changed from Ready for QA to Pass

Merged :)

#25 Updated by anonym 2019-01-30 11:50:45

  • Status changed from Fix committed to Resolved