
Re: Packages that download/install unsecured files



On Thu, 17 Sep 2009 21:37:24 +0200, Patrick Matthäi <pmatthaei@debian.org>
wrote:
> Maybe we should also think about the downloaded files themselves.
> A firmware for Linux or a plugin for Firefox could do really bad things.
Yes, true,.. for Firefox this is (IMHO) a very big problem,.. many plugins
out there,.. lots of them are not open source at all, the update often goes
via the upstream website (AFAIK) and not via addons.mozilla.org..
So the ideal way for FF plugins is to have them packaged.


> In the case of geoip it is just a data file (like a .svg etc.) with no
> attack vector. The attacker could only inject a corrupted database
> and geoip will throw errors/false positives.
> 
> Is this really a vector for it?
1) Generally yes,... because these files are somehow interpreted and most
of those applications have security holes (just think of png and libpng).
But with this kind of program (rkhunter, clamav) it's even more severe
than with libpng,.. some of them run as root,.. while libpng (or similar
things) runs mostly as a normal user.

2) For geoip it's even more specific,...
geoip data is often used for firewall rules or similar,.. one doesn't want to
have this data messed up by an attacker,.. this wouldn't just lead to
"false positives".
Of course this does not answer the question of if or how we could trust the
upstream source of this data ;)


Cheers,
Chris,
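A defender-side check for the concern in this thread, as an added shell example that is not from the list thread or from any Debian package: a maintainer script installs a downloaded data file (a geoip database, say) only after it matches a digest pinned in the package, and swaps it in atomically so a running consumer never reads a half-written file. The sample payload and the pinned digest are constructed here for the demo.

```shell
#!/bin/sh
# Verify-then-install for downloaded data files (added example, constructed data).
set -u

# Portable SHA-256 helper (sha256sum on GNU systems, shasum elsewhere).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# install_verified SRC EXPECTED_SHA256 DEST
# Returns 0 and installs SRC at DEST only if its digest equals EXPECTED_SHA256.
# Returns 1 and leaves DEST untouched on any mismatch or error.
install_verified() {
    src=$1; expected=$2; dest=$3
    actual=$(sha256_of "$src") || return 1
    if [ "$actual" != "$expected" ]; then
        echo "refusing to install $src: digest mismatch" >&2
        return 1
    fi
    # Copy to a temp file in the destination directory, then rename: the rename
    # is atomic, so a reader sees either the old file or the complete new one.
    tmp=$(mktemp "$(dirname "$dest")/.datafile.XXXXXX") || return 1
    cp "$src" "$tmp" && chmod 0644 "$tmp" && mv -f "$tmp" "$dest"
}

# demo_run: constructed "good" and "tampered" downloads. Returns 0 when the
# good file installs, the tampered one is rejected, and the good file survives.
demo_run() {
    workdir=$(mktemp -d) || return 1
    printf 'geoip-sample-v1\n' > "$workdir/good.dat"
    # The packager pins this digest in the package at upload time.
    pinned=$(sha256_of "$workdir/good.dat") || return 1
    printf 'geoip-sample-v1 tampered\n' > "$workdir/bad.dat"
    install_verified "$workdir/good.dat" "$pinned" "$workdir/GeoIP.dat" || return 1
    if install_verified "$workdir/bad.dat" "$pinned" "$workdir/GeoIP.dat" 2>/dev/null; then
        return 1
    fi
    [ "$(sha256_of "$workdir/GeoIP.dat")" = "$pinned" ]
}
```

Pinning a digest in the package only moves the trust decision to the packager at upload time, which is the open question Chris raises at the end of the message.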

