Re: flashplugin-nonfree get-upstream-version.pl security concern

[Henrik Ahlgren <pablo@seestieto.com>]

On Wed, Dec 12, 2012 at 05:52:31PM +0000, adrelanos wrote:
> Since get-upstream-version.pl runs as root it can do anything.
> 
> I don't accuse him personally for anything. But should he ever be
> compromised (forced, evil maid, etc...) it's very easy to mount a
> stealth attack.

I would worry more about the Adobe's web site getting compromised.
The get-upstream-version.pl script fetches the link to the Flash
player from www.adobe.com and then the download page:

open INPUT, "wget --user-agent=\"$user_agent\" -qO - $url |" or die;

It runs wget using the shell and there is basically no validation for
what $url contains. Even if taint mode was used, this would untaint
the value no matter what it happens to contain:

$page =~ m,<a href="([^"]+)">Adobe Flash Player</a>,s
        or die "link to Adobe Flash Player not found on $url";

my $link_to_flash = $1;

What would happen if the link happened to contain "; some nasty
command"?

Given Adobe's security track record with their software products, I
would not trust their web site too much. In fact, I would not like
to run that kind of script against any normal corporate web site,
especially non-https one!