Package: flashplugin-nonfree
Version: 1:2.7
Severity: critical
Tags: security
Hi.
I'm currently looking at Debian packages which download and install
files from the internet (as their main content) to see whether they check the
validity of these files.
This package does not make any hashsum check (e.g. SHA512, which
should probably be used) and does not fail installation if the hashes don't match.
That's why I've marked this bug as security critical.
This is especially critical, as your package includes executed content.
May I suggest the following:
1) Ship SHA512 sums of the downloaded content with your package
(perhaps after you make some (at least rudimentary) checks for
malicious contents).
2) Check whether these match the sums of the downloaded files.
3) In case of mismatches, installation should fail, and all already
downloaded/installed files should be removed.
Thanks and best wishes,
Chris.
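The three steps proposed above (shipped SHA512 sums, comparison against the downloaded file, removal on mismatch), as an added POSIX sh example that is not part of the bug report or of the flashplugin-nonfree package. It assumes a sums file in sha512sum(1) format ("<hex>  <filename>") and uses a constructed local file in place of a real download.

```shell
#!/bin/sh
# Added example, not the package's own postinst code.
# verify_download SUMS_FILE DOWNLOADED_FILE
#   Returns 0 if DOWNLOADED_FILE's SHA-512 matches the entry for its
#   basename in SUMS_FILE. On mismatch, or when no entry exists, the
#   file is removed and 1 is returned so the caller can abort installation.
verify_download() {
    sums="$1"
    file="$2"
    name=$(basename "$file")

    # Look up the shipped digest for this filename (sha512sum format:
    # "<hex>  <filename>"); awk splits on whitespace, so $2 is the name.
    expected=$(awk -v n="$name" '$2 == n { print tolower($1) }' "$sums" | head -n 1)
    if [ -z "$expected" ]; then
        echo "no shipped SHA-512 for $name; refusing to install" >&2
        rm -f "$file"
        return 1
    fi

    # Compute the digest of what was actually fetched and compare.
    actual=$(sha512sum "$file" | awk '{ print tolower($1) }')
    if [ "$actual" != "$expected" ]; then
        echo "SHA-512 mismatch for $name" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        rm -f "$file"
        return 1
    fi
    return 0
}

# Demonstration with a constructed "download" (no network involved).
workdir=$(mktemp -d)
printf 'constructed plugin payload\n' > "$workdir/libflashplayer.so"
( cd "$workdir" && sha512sum libflashplayer.so > shipped.sha512 )
if verify_download "$workdir/shipped.sha512" "$workdir/libflashplayer.so"; then
    echo "verified: installation may proceed"
fi
# Simulate a tampered or corrupted download: the file must be rejected and removed.
printf 'tampered\n' >> "$workdir/libflashplayer.so"
if ! verify_download "$workdir/shipped.sha512" "$workdir/libflashplayer.so"; then
    [ -e "$workdir/libflashplayer.so" ] || echo "rejected and removed"
fi
rm -rf "$workdir"
```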