Re: Packages that download/install unsecured files
Leo "costela" Antunes wrote:
> Patrick Matthäi wrote:
>> Maybe we should also think about the downloaded files itself.
>> A firmware for Linux or a plugin for firefox could do really bad things.
>> In the case of geoip it is just a data file (like a .svg etc) with no
>> attacking vector. The attacker could only inject a corrupted database
>> and geoip will throw errors/false positions.
>> Is this really a vector for it?
> GeoIP's database is AFAICT a binary format, which means the library
> could theoretically suffer from buffer-overflows and such. If this is
> indeed correct, you'd just need apache's mod-geoip, for instance, to put
> your server in potential trouble.
Sure, if the library / program itself is vulnerable to it, then it is a
I should be more precise:
Is it really a problem if the user "just" gets a corrupted database?
There are _currently_ no known security issues in this way.
That is what I mean by "really".
> Being strict, almost any format can be an attack vector in some way
> (phishing sites are another extreme example, and obviously one we
> shouldn't try to solve through the packaging system), but I somewhat
> agree with Christoph that we could draw the line on packages that
> perform automatic installations of binaries from external unchecked sources.
Mit freundlichem Gruß / With kind regards,
GNU/Linux Debian Developer
Always if we think we are right,
we were maybe wrong.
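An added example, not from this thread or from the geoip package: a small check that a package's download hook could apply so that an externally fetched data file is only installed after matching a digest shipped in the package, which is the "external unchecked sources" point raised above. The sample database bytes and the pinned digest are constructed for the demo; the GeoIP.dat file name is only a placeholder.

```python
import hashlib
import os
import tempfile

# Constructed stand-in for a downloaded GeoIP data file; the digest below is
# what a package would ship as the pinned, trusted value (hypothetical data).
SAMPLE_DB = b"GEOIP-SAMPLE\x00" + bytes(range(64))
PINNED_SHA256 = hashlib.sha256(SAMPLE_DB).hexdigest()


def verify_digest(data: bytes, expected_hex: str) -> bool:
    """True only if the downloaded bytes hash to the pinned SHA-256."""
    return hashlib.sha256(data).hexdigest() == expected_hex.lower()


def install_verified(data: bytes, expected_hex: str, dest: str) -> bool:
    """Install data at dest only after it verifies.

    The file is written to a temporary path in the same directory and then
    renamed over dest, so a failed or tampered download never leaves a
    partial or unverified database in place of the previous one.
    """
    if not verify_digest(data, expected_hex):
        return False
    dest_dir = os.path.dirname(os.path.abspath(dest))
    fd, tmp = tempfile.mkstemp(dir=dest_dir, prefix=".download-")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp, dest)  # atomic rename on POSIX
    finally:
        if os.path.exists(tmp):  # only left behind if something failed
            os.unlink(tmp)
    return True


def demo(tampered: bool):
    """One install attempt in a scratch directory: (ok, installed bytes or None)."""
    data = SAMPLE_DB[:-1] + b"\xff" if tampered else SAMPLE_DB
    with tempfile.TemporaryDirectory() as d:
        dest = os.path.join(d, "GeoIP.dat")  # placeholder destination
        ok = install_verified(data, PINNED_SHA256, dest)
        installed = open(dest, "rb").read() if os.path.exists(dest) else None
    return ok, installed


if __name__ == "__main__":
    print("genuine:", demo(False)[0], "tampered:", demo(True)[0])
```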