Source: swupdate
Version: 2022.05-2
Severity: normal
Tags: patch

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

It seems from reading source code, that swupdate hardcodes the use of
Google DNS resolver 8.8.8.8, which is used as fallback when system is
badly configured to not set a resolver.

This is problematic, because it is a scenario rarely tested, and a
situation where arguably you would expect a failure instead of silently
leaking privacy information to Google.

Specifically, swupdate embeds mongoose which by default defines
MG_DEFAULT_NAMESERVER=8.8.8.8, and this has not been overridden in the
project code.

I guess this can be addressed by extending the file
debian/configs/defconfig to also set
DEFINE_MG_DEFAULT_NAMESERVER=0.0.0.0


Setting severity of this bugreport only to "normal" due to the rare
circumstance it can occur and the lack of actual testing of the claim.

Thanks to Bastian Germann for nudging me to file this bugreport, and
apologies for only leaving a too vague note for several years at
https://wiki.debian.org/PrivacyIssues


 - Jonas

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEn+Ppw2aRpp/1PMaELHwxRsGgASEFAmNnsa8ACgkQLHwxRsGg
ASHh6hAAndNu4T1rR85G58zIKGYldRrcwMcNxcSDeaggX5iffhN933xNaWd2FDuK
qON66EtvxzoaIe8G+6d66Yw9ehqNO4eGtoQU7qFgvZ8PhAPeoERMXA49ZWsdfBbB
w1OmiL2D/bOq/Fq11a8Dvs6gHM67drT+wdenUlcxD+fkRyYxqpo1QYt5j2VSmevo
glf3SkH2HB6SKxrtbpER3KcdiPXilyYkMbnTpdz6OHpWeloDS/Y4oY2JICNWRCDG
LCLE1ShRWFlNmXz8kTuStbjTK4c0tkfZFd+M6nVCNqYFgVC7svHCgEOmPnpDL9YK
kgB4dvLalcOQNS9ju40uMMNzwqGuWy79ZmiKeSgFxuHXFMv4071WeuUKrfRAEvdr
R2icrg0KaERH6DpYMkfAdIAKCTrtXF6kNBd/JQXitrRI/AoPbxGNeghKG0I6VN4l
gJFSstp0P2DsyTnCGk+Vf1F1LoUcQlmuqgokHAandcRbhvqH/dJQj2aDUhG4hWIj
5LusdtWC9fn9UhYYTNrGjqeEBCsQ7L+TRMIPbwagM2EaBXVlRdhzAv1qYkxuLSwL
Drkkoa2cwyIq1XYv3ra8I6+AU3gD6zPpsLVdIn0PadXqFuhcOlhxMRhCz+yuKtyG
WTV+ukRwzRHLF/Zb+KZjrNbKUxgVgojSxXEvimjNWxjUsZAg42E=
=YxRy
-----END PGP SIGNATURE-----

Reply via email to