Am 18.02.2012 13:32, schrieb Jakub Wilk:
I'll add to the list:
- Packages that download and run untrusted code at build time.
May I add a similar case...
Take the non-free flash as example... (yeah I know it's non-free and
not officially sec-supported)..
Even if it would use some SHA512 sums (hardcoded into the package) to
verify the download (I don't know whether it does),.. the update
mechanism is still outsite of the package management system (on has to
call update-flash or something like that)... so you bypass the whole
central point of update management.
FWIW, the Contents files _are_ signed, but AFAICS apt-file doesn't
verify the signature.
See #515942.
But why is that a big deal?
What do you mean? Of not verifying it? Well as always someone can
attack you if you somehow (for whatever reason) rely on the information
being correct.
Moreover, if there is some automatic parsing of those files, you can
also easily think of attack vectors by manipulating files,..
Could you point us to those which were ignored or denied?
Phew... would have to do a lot of digging in my mails and bug reports
to find them out again.
Cheers,
Chris.
--
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/1ef6a4f196a3cdd6cab0b5940cbf4...@scientia.net
