[FIXED] Apt RCE announced. New Whonix images needed. Whonix build NOT safe at the moment.

Whonix build NOT safe at the moment.
The build runs inside a chroot, but a chroot is not a security boundary against a breakout. A compromised apt running inside the chroot could therefore compromise the build machine, so building now is risky.

This applies to Non-Qubes-Whonix only.
The Qubes(-Whonix) build attempts to work around this.

Technical background:

Misery of Debian package repositories:

  • Debian package repository (the regular release mirror): contains the vulnerable apt version.
  • security.debian.org, the Debian security fixes package repository: contains the fixed apt version.

debootstrap is a popular Debian tool for creating a base Debian system, and Whonix depends on it twice:

  • Whonix uses grml-debootstrap to create its base Debian images, and grml-debootstrap internally calls debootstrap.
  • Whonix uses cowbuilder to build its packages, and cowbuilder internally calls debootstrap to create its build chroot.

debootstrap limitations:

  • It can only bootstrap from the Debian package repository.
  • It cannot bootstrap from the security.debian.org Debian security fixes package repository, because that repository contains only packages that received security fixes, not the full set of packages a base system needs.
  • It cannot use multiple repositories at once the way apt-get can; it accepts exactly one mirror.

Build process usually:
Build a Debian base image from the Debian package repository, then upgrade it from the Debian package repository plus the Debian security repository.

Problem:
Exactly this upgrade step is the insecure one: the freshly bootstrapped image carries the vulnerable apt, and that apt is what fetches and installs its own fix.

Solution:

  • a) securely update apt immediately after debootstrap, inside the base image and inside the cowbuilder image, before anything else runs apt there, OR
  • b) multistrap, which can bootstrap from several repositories at once:
    • make grml-debootstrap use multistrap with both repositories, and
    • create the cowbuilder image with multistrap with both repositories

Not exactly easy. So don’t hold your breath.
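As an added example, not Whonix's build code and not from this post, the sketch below shows both routes: (a) upgrading apt inside a freshly bootstrapped chroot (and inside cowbuilder's base.cow, which is a plain directory tree) before anything else in the chroot runs apt, and (b) a multistrap configuration that pulls from the release mirror and security.debian.org at once, so the base image never contains the vulnerable apt. Assumptions not stated in the post: Debian stretch as the suite, deb.debian.org as the main mirror, the fixed apt version being supplied by the caller, and, for route (a), disabling HTTP redirects while apt upgrades itself, which is the workaround the Debian advisory for this apt bug gave rather than anything this post says.

```shell
#!/bin/sh
# Added example for the two workarounds above; not Whonix's build scripts.
# Assumptions (not from the post): Debian stretch, deb.debian.org as the main
# mirror, and the no-redirect workaround from the Debian advisory for this bug.
set -eu

SUITE="${SUITE:-stretch}"
MAIN_MIRROR="${MAIN_MIRROR:-http://deb.debian.org/debian}"
SECURITY_MIRROR="${SECURITY_MIRROR:-http://security.debian.org/debian-security}"

# sources.list naming both repositories, which debootstrap alone cannot combine.
sources_list_for() {
  suite="$1"
  printf 'deb %s %s main\n' "$MAIN_MIRROR" "$suite"
  printf 'deb %s %s/updates main\n' "$SECURITY_MIRROR" "$suite"
}

# Route (a): upgrade apt as the very first apt operation in the chroot. HTTP
# redirects are disabled only for this step (advisory workaround, assumed here);
# after apt is fixed the chroot can use apt normally.
upgrade_apt_in_chroot() {
  target="$1"; suite="$2"
  sources_list_for "$suite" > "$target/etc/apt/sources.list"
  chroot "$target" apt-get -o Acquire::http::AllowRedirect=false update
  chroot "$target" apt-get -o Acquire::http::AllowRedirect=false \
      install --only-upgrade -y apt
}

# Route (b): multistrap configuration bootstrapping from both repositories, so
# the newest apt (the fixed one from security.debian.org) lands in the image.
multistrap_conf_for() {
  target="$1"; suite="$2"
  cat <<EOF
[General]
arch=amd64
directory=$target
cleanup=true
noauth=false
unpack=true
bootstrap=Debian Security
aptsources=Debian Security

[Debian]
packages=apt
source=$MAIN_MIRROR
keyring=debian-archive-keyring
suite=$suite
components=main

[Security]
packages=apt
source=$SECURITY_MIRROR
keyring=debian-archive-keyring
suite=$suite/updates
components=main
EOF
}

# Check after either route: apt inside the chroot must be at least the fixed
# version. The fixed version is supplied by the caller; the post names none.
apt_is_fixed() {
  target="$1"; fixed_version="$2"
  installed=$(chroot "$target" dpkg-query -W -f='${Version}' apt)
  dpkg --compare-versions "$installed" ge "$fixed_version"
}

# Usage (as root on a Debian build host; FIXED_APT_VERSION from the advisory):
#   debootstrap "$SUITE" /srv/base "$MAIN_MIRROR"
#   upgrade_apt_in_chroot /srv/base "$SUITE"
#   upgrade_apt_in_chroot /var/cache/pbuilder/base.cow "$SUITE"
#   multistrap_conf_for /srv/base-ms "$SUITE" > multistrap.conf
#   multistrap -f multistrap.conf
#   apt_is_fixed /srv/base "$FIXED_APT_VERSION" && echo "apt fixed"
```

The point of route (a) is ordering: the only package apt is allowed to touch before it is fixed is apt itself, and the check at the end belongs in the build script so that a build on a stale mirror fails instead of silently shipping the vulnerable apt into the image.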