On 12/12/12 13:10, Henrik Ahlgren wrote:
> On Wed, Dec 12, 2012 at 05:52:31PM +0000, adrelanos wrote:
>> Since get-upstream-version.pl runs as root it can do anything.
>>
>> I don't accuse him personally of anything. But should he ever be
>> compromised (forced, evil maid, etc...) it's very easy to mount a
>> stealth attack.
>
> I would worry more about Adobe's web site getting compromised.
> The get-upstream-version.pl script fetches the link to the Flash
> player from www.adobe.com and then the download page:
>
> open INPUT, "wget --user-agent=\"$user_agent\" -qO - $url |" or die;
>
> It runs wget using the shell and there is basically no validation for
> what $url contains. Even if taint mode was used, this would untaint
> the value no matter what it happens to contain:
>
> $page =~ m,<a href="([^"]+)">Adobe Flash Player</a>,s
> or die "link to Adobe Flash Player not found on $url";
>
> my $link_to_flash = $1;
>
> What would happen if the link happened to contain "; some nasty
> command"?
>
The link ($1) can't contain a ", but a few others (i.e. ') should be added to this list, and use...

open INPUT, "wget --user-agent=\"$user_agent\" -qO - \"$url\" |" or die;

or

open INPUT, "wget --user-agent='$user_agent' -qO - '$url' |" or die;
> Given Adobe's security track record with their software products, I
> would not trust their web site too much. In fact, I would not like
> to run that kind of script against any normal corporate web site,
> especially a non-https one!
>
Validation of retrieved content should also be the responsibility of this package. There should be signature files as part of a volatile (or whatever replaced that) package; using only files that have been signed by a DD seems like a good item to have added to Policy.

Archive: http://lists.debian.org/50c9f69e.3040...@mikemestnik.net
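To make the injection concrete, the following is an added example written for this page; it is not code from the flashplugin-nonfree package or from anyone on the thread. It uses printf(1) as an offline stand-in for wget so the two open() styles can be compared without network access, a constructed attacker-controlled link, a hypothetical path on www.adobe.com (the only host the thread names; the real script may need more), and the assumption that the href regex from the thread is what produces $url. Note that adding shell quotes, as suggested above, is not enough on its own: inside a double-quoted sh string, backticks and $(...) are still expanded, and the regex [^"]+ permits both, while the single-quote variant breaks (and becomes injectable) as soon as the link contains a '. The list form of open() passes each element as one argv entry and never invokes a shell, so the quoting problem disappears, and an allowlist check on the scraped link keeps the script from fetching from an arbitrary host at all.

```perl
#!/usr/bin/perl
# Added illustration, not code from flashplugin-nonfree: shows why the
# interpolated-string pipe open from the thread is injectable, and how
# the list form of open() plus an allowlist check on the scraped link
# avoids the shell entirely.
use strict;
use warnings;

# Constructed attacker-controlled value, as if scraped from a compromised
# download page.  The script's regex forbids a double quote in the href,
# but ';', '`', '$(' and a single quote are all still allowed.
my $evil_link = 'http://example.invalid/flash.tar.gz; echo INJECTED';

# Hosts we are willing to fetch from.  www.adobe.com is the host named
# in the thread; the real script may need others (assumption).
my %allowed_host = map { $_ => 1 } qw(www.adobe.com);

# 1. The pattern used by the script: one string handed to /bin/sh.
#    printf stands in for wget so the demo is offline and harmless.
sub fetch_via_shell {
    my ($u) = @_;
    open my $fh, "printf '%s\\n' $u |" or die "open: $!";
    local $/;
    my $out = <$fh>;
    close $fh;
    return $out;
}

# 2. List form: with more than one element after '-|', perl forks and
#    execs the program directly, so the whole string (semicolon and all)
#    is a single argv entry and no shell metacharacter is interpreted.
sub fetch_via_list {
    my ($u) = @_;
    open my $fh, '-|', 'printf', '%s\n', $u or die "open: $!";
    local $/;
    my $out = <$fh>;
    close $fh;
    return $out;
}

# 3. Don't rely on quoting at all: accept only an absolute http(s) URL on
#    an allowlisted host with a conservative path charset; reject the rest.
sub validate_link {
    my ($link) = @_;
    return unless defined $link;
    return unless $link =~ m{\Ahttps?://([A-Za-z0-9.-]+)(?::\d+)?(?:/[A-Za-z0-9._~/?=&%+-]*)?\z};
    return unless $allowed_host{ lc $1 };
    return $link;
}

# 4. How the real fetch should look: validated URL, list-form open,
#    options as separate argv entries, and '--' so a value starting
#    with '-' can never be parsed as a wget option.
sub fetch_with_wget {
    my ($link, $user_agent) = @_;
    my $safe = validate_link($link)
        or die "refusing to fetch suspicious link: $link\n";
    open my $fh, '-|', 'wget', "--user-agent=$user_agent", '-q', '-O', '-', '--', $safe
        or die "cannot run wget: $!";
    local $/;
    my $body = <$fh>;
    close $fh or die "wget failed (exit " . ($? >> 8) . ")\n";
    return $body;
}

print "shell form : ", fetch_via_shell($evil_link);
print "list form  : ", fetch_via_list($evil_link);
# Hypothetical path on the allowlisted host; constructed for the demo.
for my $l ($evil_link, 'http://www.adobe.com/path/to/player.tar.gz') {
    print "validate   : ", (defined validate_link($l) ? 'accepted' : 'REJECTED'), "  $l\n";
}
# fetch_with_wget('http://www.adobe.com/path/to/player.tar.gz', 'Mozilla/5.0')
# would perform a real download; it is left commented so the example
# stays offline.
```

Running this shows the shell form printing the URL fragment on one line and INJECTED on the next (the injected command ran), while the list form prints the entire string, semicolon included, as the single argument it was given. The validator rejects the constructed link because of the space and semicolon and accepts the allowlisted one; in the real script the validation belongs right after the href regex, before $link_to_flash is used anywhere.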