Linux Dev Setup Downloads Unsigned Packages Over HTTP #19

@geeknik

Summary

The automated Linux setup script retrieves libtinfo5 via `wget http://security.ubuntu.com/...` and immediately installs it with `sudo apt install ./libtinfo5...`. The download is plaintext HTTP with no checksum or signature verification, enabling code execution as root via MITM or DNS poisoning.

STR

  1. Run `node -e "require('./npm_modules/cli/dist/setup/linuxSetup').linuxSetup()"` (or inspect the TypeScript source) to see the commands at lines 16-19.
  2. Place the developer on an untrusted network and ARP-spoof security.ubuntu.com, serving a malicious .deb.
  3. When the script runs, the forged package is installed with root privileges, giving the attacker persistence on every developer workstation.

Remediation

Drop manual HTTP downloads. Install libtinfo5 from the official HTTPS apt repository (which enforces GPG signatures), or download over HTTPS and verify a published checksum/signature before calling `sudo apt install`.
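The second option (HTTPS download plus checksum verification before install) as an added example; this is illustrative code, not part of the issue or the project's setup script. The URL and the expected digest are placeholders that a maintainer would pin from a trusted source.

```sh
#!/bin/sh
# Added example: download a .deb over HTTPS only and hand it to apt only after its
# SHA-256 matches a pinned value. Placeholders: PKG_URL and PKG_SHA256 are not real.
set -eu

PKG_URL="https://example.invalid/pool/libtinfo5_PLACEHOLDER.deb"   # placeholder
PKG_SHA256="0000000000000000000000000000000000000000000000000000000000000000"  # placeholder

# verify_sha256 FILE EXPECTED_HEX: succeed only when the file's digest matches.
verify_sha256() {
    file=$1
    expected=$2
    # sha256sum on GNU systems; fall back to shasum where it is absent.
    actual=$( (sha256sum "$file" 2>/dev/null || shasum -a 256 "$file") | awk '{print $1}')
    [ "$actual" = "$expected" ]
}

# fetch_and_install URL EXPECTED_HEX: HTTPS-only download into a scratch dir,
# checksum check, then apt install. An unverified file is never passed to apt.
fetch_and_install() {
    url=$1
    expected=$2
    tmp=$(mktemp -d)
    pkg="$tmp/$(basename "$url")"
    # --https-only makes wget refuse a plaintext redirect or URL.
    wget --https-only -O "$pkg" "$url"
    if verify_sha256 "$pkg" "$expected"; then
        sudo apt install "$pkg"
        rm -rf "$tmp"
    else
        echo "checksum mismatch for $pkg; refusing to install" >&2
        rm -rf "$tmp"
        return 1
    fi
}

# Usage (commented out so the file can be sourced without network access):
# fetch_and_install "$PKG_URL" "$PKG_SHA256"
```

Installing from the distribution's own apt repository remains the better fix, since apt then checks the repository signature itself and no pinned digest has to be maintained.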

Impact

Compromised developer machines become a launchpad for supply-chain attacks against Valdi and any consumer of the framework. Root-level compromise also exposes credentials, signing keys, and unreleased code.
