Merge pull request #4061 from freedomofpress/fix-cve-2019-3462

Upgrade apt without following redirects on first install, fix CVE-2019-3462

admin/Dockerfile

@@ -1,5 +1,5 @@
-# debian:stretch Thu Jan 25 08:58:24 CET 2018
-FROM debian@sha256:0a5fcee6f52d5170f557ee2447d7a10a5bdcf715dd7f0250be0b678c556a501b
+# debian:stretch 2019-01-22
+FROM debian@sha256:21ac5961a3038a839f6fa92ec4583c90f9eb6ca8f580598cde19d35d0f4d8fa6
 ARG USER_NAME
 ENV USER_NAME ${USER_NAME:-root}
 ARG USER_ID

install_files/ansible-base/roles/install-fpf-repo/tasks/main.yml

@@ -1,4 +1,6 @@
 ---
+- include: upgrade_apt.yml
+
 - name: Install SecureDrop apt repo GPG signing key.
   apt_key:
     state: present

install_files/ansible-base/roles/install-fpf-repo/tasks/upgrade_apt.yml

@@ -0,0 +1,43 @@
+---
+# Fix for CVE-2019-3462 (see https://justi.cz/security/2019/01/22/apt-rce.html)
+# If apt < 1.4.9, it is vulnerable to CVE-2019-3462 and we must ensure no
+# redirects are followed when updating apt via apt.
+- name: Upgrade apt without following redirects
+  shell : >
+    apt -o Acquire::http::AllowRedirect=false update &&
+    apt -o Acquire::http::AllowRedirect=false --only-upgrade -y install apt
+  become: yes
+  register: _apt_upgrade_command_output_results
+  changed_when: "'1 upgraded, 0 newly installed, 0 to remove' in _apt_upgrade_command_output_results.stdout"
+  tags: apt
+
+- name: Inform user that apt traffic is being redirected
+  assert:
+    that:
+      - "'302 Found' not in _apt_upgrade_command_output_results.stdout"
+      - "'302 Found' not in _apt_upgrade_command_output_results.stderr"
+    fail_msg: >-
+      It appears your apt traffic is being redirected.
+      SecureDrop cannot be installed. For details, see
+      https://github.com/freedomofpress/securedrop/issues/4058
+
+- name: Get apt version
+  shell: dpkg-query --showformat='${Version}' --show apt
+  register: _apt_query_command_output_result
+  changed_when: false
+  tags:
+    - apt
+
+- name: Verify that the version of apt installed is not vulnerable to 2019-3462 (Xenial)
+  assert:
+    that: _apt_query_command_output_result.stdout is version('1.2.29ubuntu0.1', '>=')
+  when: ansible_distribution_release == 'xenial'
+  tags:
+    - apt
+
+- name: Verify that the version of apt installed is not vulnerable to 2019-3462 (Trusty)
+  assert:
+    that: _apt_query_command_output_result.stdout is version('1.0.1ubuntu2.19', '>=')
+  when: ansible_distribution_release == 'trusty'
+  tags:
+    - apt

molecule/builder/Dockerfile

@@ -1,5 +1,5 @@
-# ubuntu:trusty-20180531
-FROM ubuntu@sha256:885bb6705b01d99544ddb98cbe4e4555d1efe1d052cef90832e72a0688ac6b37
+# ubuntu:trusty-20190122
+FROM ubuntu@sha256:cac55e5d97fad634d954d00a5c2a56d80576a08dcc01036011f26b88263f1578
 
 # additional meta-data makes it easier to clean up, find
 LABEL org="Freedom of the Press"

molecule/builder/image_hash

@@ -1,2 +1,2 @@
-# sha256 digest quay.io/freedomofpress/sd-docker-builder:2018_12_11
-5b9b9e66db6d4fda0d82062b6ca715e04d8e2ef2c0065c41a6b7bb8c6062a07d
+# sha256 digest quay.io/freedomofpress/sd-docker-builder:2019_01_23
+39033e3a452fd18c0e58abe8e693180ff2cb18fdf4083b293c069bbca64b8ac8

securedrop/dockerfiles/trusty/Dockerfile

@@ -1,5 +1,5 @@
-# ubuntu:14.04 as of 2018-06-19
-FROM ubuntu@sha256:885bb6705b01d99544ddb98cbe4e4555d1efe1d052cef90832e72a0688ac6b37
+# ubuntu:14.04 as of 2019-01-22
+FROM ubuntu@sha256:cac55e5d97fad634d954d00a5c2a56d80576a08dcc01036011f26b88263f1578
 ARG USER_NAME
 ENV USER_NAME ${USER_NAME:-root}
 ARG USER_ID

securedrop/dockerfiles/xenial/Dockerfile

@@ -1,5 +1,5 @@
-# ubuntu 16.04 image - 01-2019
-FROM ubuntu@sha256:b967b9f2a5625231a22db642609e61b7b1a5481128f51fe771e91bb92e0a35d0
+# ubuntu 16.04 image - 2019-01-22
+FROM ubuntu@sha256:e4a134999bea4abb4a27bc437e6118fdddfb172e1b9d683129b74d254af51675
 ARG USER_NAME
 ENV USER_NAME ${USER_NAME:-root}
 ARG USER_ID