On 02/25/2014 08:08 PM, Florian Weimer wrote:
> Hmm, interesting. Yes, a reproducer would be good. Can you also elaborate on "hostile network"? Did you write custom scripts to target OSTree content or are you using something generic which just corrupts generic HTTP requests?

It was a misbehaving custom script. I'll try to recreate the situation.
Here it is. You need to forward network traffic to it as a transparent proxy and run "ostree admin upgrade", e.g.:
# iptables -t nat -I PREROUTING -s 192.168.122.0/24 -p tcp --dport 80 -j REDIRECT --to-ports 3128
# iptables -I INPUT -i virbr0 -p tcp --dport 3128 -j ACCEPT

BTW, I just noticed that a no-op "ostree admin upgrade" prints "Refspec (null) is unchanged", which looks like a bug.
-- Florian Weimer / Red Hat Product Security Team
Attachment: proxy.pl (Perl program)