[Bug 1320223] Re: ldlinux.sys is inconsistently installed

Marc Deslauriers marc.deslauriers at canonical.com
Fri May 23 19:00:44 UTC 2014 

> There should be a way to verify that a given boot image derived from
an Ubuntu ISO is actually valid

Why? You should be validating the original ISO that you download, not
the image you generate yourself.

> For the record, this behavior technically isn't a bug, but it's so
potentially dangerous because authentication is effectively impossible

I don't understand this. The image needs to be generated on a trusted computer with a validated ISO.
We do not provide any downloadable images, only ISOs.

** Changed in: usb-creator (Ubuntu)
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to usb-creator in Ubuntu.
https://bugs.launchpad.net/bugs/1320223

Title:
  ldlinux.sys is inconsistently installed

Status in “usb-creator” package in Ubuntu:
  Invalid

Bug description:
  Summary:

  There should be a way to verify that a given boot image derived from
  an Ubuntu ISO is actually valid (and md5sum.txt is not helpful here).
  In particular, it appears that ldlinux.sys is being inherited from the
  machine on which Startup Disk Creator is being run. (I can't 100%
  confirm this, but it's the only way that I can explain the same ISO
  giving rise to different instances of this file in the resulting
  image.)

  It appears that this is being done because these ISO images don't
  actually contain their own version of ldlinux.sys. For the sake of
  consistency, and thus verifiable security, that's a problem if it's
  true.

  For the record, this behavior technically isn't a bug, but it's so
  potentially dangerous because authentication is effectively impossible
  (think: a large network of infected machines, all producing consistent
  but wrong versions of ldlinux.sys). The quick and easy way to (mostly)
  fix this without any code changes is just to publish SHA256s of
  acceptable ldlinux.sys files on the usual release notes page with the
  ISO hashes.

  Boot sector authentication is another serious concern, but I don't
  want to create another bug report about that at the moment.

  Details:

  http://askubuntu.com/questions/466619/how-to-authenticate-a-startup-
  disk-image

  ProblemType: Bug
  DistroRelease: Ubuntu 14.04
  Package: usb-creator-gtk 0.2.56
  ProcVersionSignature: Ubuntu 3.13.0-24.47-generic 3.13.9
  Uname: Linux 3.13.0-24-generic x86_64
  ApportVersion: 2.14.1-0ubuntu3.1
  Architecture: amd64
  CurrentDesktop: Unity
  Date: Fri May 16 08:39:27 2014
  EcryptfsInUse: Yes
  ExecutablePath: /usr/bin/usb-creator-gtk
  InstallationDate: Installed on 2014-05-14 (2 days ago)
  InstallationMedia: Ubuntu 14.04 LTS "Trusty Tahr" - Release amd64 (20140417)
  InterpreterPath: /usr/bin/python3.4
  ProcEnviron:
   LANGUAGE=en_US
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=<set>
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  SourcePackage: usb-creator
  UDisksDump: Error: [Errno 2] No such file or directory: 'udisks'
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/usb-creator/+bug/1320223/+subscriptions

More information about the foundations-bugs mailing list