
Re: flashplugin-nonfree get-upstream-version.pl security concern



On Wed, Dec 12, 2012 at 05:52:31PM +0000, adrelanos wrote:
> Hi,
> 
> I do not want to discuss security implications of the upstream closed
> source Adobe Flash plugin. This is about how the Flash plugin is
> downloaded and installed in Debian.
>
> /usr/sbin/update-flashplugin-nonfree downloads get-upstream-version.pl
> http://people.debian.org/~bartm/flashplugin-nonfree/get-upstream-version.pl.gz.pgp
> stores it in /tmp/xxx, runs it and deletes /tmp/xxx.

It should at least use a non-predictable tempfile (using tempfile(1)).

Please file bug for that.

> Since get-upstream-version.pl runs as root it can do anything.
> 
> I don't accuse him personally of anything. But should he ever be
> compromised (forced, evil maid, etc...) it's very easy to mount a
> stealth attack.
> 
> Also reviewing get-upstream-version.pl is cumbersome, you either have to
> be fast enough to catch it in /tmp/xxx or to download and decrypt it
> manually using his gpg key.
> 
> So far it looks clean. But that's not best security practice?
> 
> What is Debian policy on code execution from user websites?

There are a few downloaders like this in contrib/non-free.
This is one of the better ones; after all, you need to trust
every DD not to muck with your systems (e.g. postinst scripts run as root).

Plus, installing Flash opens Pandora's box anyway.

Cheers,
        Moritz
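The staging problem discussed in the thread, as an added example that is not code from the original mail, from update-flashplugin-nonfree, or from the flashplugin-nonfree package. It puts the fixed, predictable /tmp/xxx pattern the mail describes beside a hardened form built on mktemp(1) (a portable alternative to the Debian-specific tempfile(1), and one that can create a private directory rather than a bare file). The base directory, the function names and the staged script content are assumptions made so the code can run in a sandbox; no download and no OpenPGP signature check happen here.

```shell
#!/bin/sh
# Added example: predictable temp path vs. private, unpredictable staging.
# The base directory is a parameter only so the functions can be exercised
# outside the real /tmp; the "downloaded" content is a constructed string.

# Unsafe pattern: a fixed name under a world-writable directory. Any local
# user can pre-create "$base/xxx" (or a symlink of that name pointing at a
# file the privileged caller will then clobber) before the updater writes.
unsafe_stage() {
    base=$1
    content=$2
    path="$base/xxx"
    printf '%s\n' "$content" > "$path"   # follows a planted symlink
    printf '%s\n' "$path"
}

# Checks a privileged caller should make before interpreting a staged file:
# not a symlink, a regular file, owned by the caller, and writable by
# nobody but the owner. ls -ld is used for the mode bits because stat(1)
# flags differ between GNU and BSD.
check_staged() {
    f=$1
    [ ! -L "$f" ] || return 1
    [ -f "$f" ] || return 1
    [ -O "$f" ] || return 1
    case $(ls -ld "$f" | cut -c6,9) in   # group-write and other-write bits
        *w*) return 1 ;;
    esac
    return 0
}

# Hardened pattern: a fresh 0700 directory with an unpredictable name, so no
# other local user can pre-plant anything in it, a restrictive umask for the
# file itself, and the checks above before handing the path back. The body
# is a subshell so the umask change does not leak into the caller.
safe_stage() (
    base=$1
    content=$2
    umask 077
    dir=$(mktemp -d "$base/fp-nonfree.XXXXXX") || exit 1
    script="$dir/get-upstream-version.pl"
    printf '%s\n' "$content" > "$script"
    check_staged "$script" || { rm -rf "$dir"; exit 1; }
    printf '%s\n' "$script"
)

# Remove the staging directory returned by safe_stage; intended for a
# trap, e.g.  trap 'cleanup_stage "$script"' EXIT
cleanup_stage() {
    rm -rf "$(dirname "$1")"
}
```

A caller that has verified the OpenPGP signature would run the interpreter on the path returned by safe_stage and register cleanup_stage in an EXIT trap, so the file is not left behind on error paths either. The unsafe function is included only to show the clobber that a planted symlink causes; do not use it.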
