Re: Packages that download/install unsecured files
Patrick Matthäi wrote:
> Maybe we should also think about the downloaded files themselves.
> A firmware for Linux or a plugin for firefox could do really bad things.
> In the case of geoip it is just a data file (like a .svg etc) with no
> attacking vector. The attacker could only inject a corrupted database
> and geoip will throw errors/false positives.
> Is this really a vector for it?
GeoIP's database is AFAICT a binary format, which means the library
could theoretically suffer from buffer overflows and such. If this is
indeed correct, you'd just need apache's mod-geoip, for instance, to put
your server in potential trouble.
Being strict, almost any format can be an attack vector in some way
(phishing sites are another extreme example, and obviously one we
shouldn't try to solve through the packaging system), but I somewhat
agree with Christoph that we could draw the line on packages that
perform automatic installations of binaries from external unchecked sources.
Leo "costela" Antunes
[insert a witty retort here]
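As an added illustration of the line Leo draws above (this is example code, not anything from the thread or from the geoip package), the "install whatever was downloaded" pattern is shown beside a fail-closed variant that only accepts a file matching a digest pinned inside the package. The sample database bytes, the digest and the file name are constructed for the demo.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed stand-in for a downloaded binary database; not a real GeoIP file.
SAMPLE_DB = b"GEOIP-DATA\x00" + bytes(range(256)) * 4
# In a real package this digest ships inside the package, never next to the download.
PINNED_SHA256 = hashlib.sha256(SAMPLE_DB).hexdigest()

class IntegrityError(Exception):
    pass

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def install_unchecked(data: bytes, dest: str) -> str:
    """The pattern under discussion: whatever came off the wire lands on disk as-is."""
    with open(dest, "wb") as f:
        f.write(data)
    return dest

def install_checked(data: bytes, expected_sha256: str, dest: str,
                    max_size: int = 64 * 1024 * 1024) -> str:
    """Fail closed: only a file matching the pinned digest is written, and atomically."""
    if len(data) > max_size:
        raise IntegrityError("download exceeds the size limit pinned by the package")
    actual = sha256_hex(data)
    if not hmac.compare_digest(actual, expected_sha256.lower()):
        raise IntegrityError("sha256 mismatch: expected %s, got %s" % (expected_sha256, actual))
    # Stage in the destination directory and rename, so a consumer such as a
    # web server module never opens a half-written database.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(dest)), prefix=".stage-")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        os.replace(tmp, dest)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return dest

def run_demo() -> dict:
    """Run both installers against a genuine and a tampered download; return what each accepted."""
    tampered = SAMPLE_DB[:-1] + bytes([SAMPLE_DB[-1] ^ 0x01])  # one bit flipped in transit
    results = {}
    with tempfile.TemporaryDirectory() as d:
        dest = os.path.join(d, "GeoIP.dat")
        install_unchecked(tampered, dest)
        results["unchecked_accepts_tampered"] = open(dest, "rb").read() == tampered
        try:
            install_checked(tampered, PINNED_SHA256, dest)
            results["checked_rejects_tampered"] = False
        except IntegrityError:
            results["checked_rejects_tampered"] = True
        install_checked(SAMPLE_DB, PINNED_SHA256, dest)
        results["checked_accepts_genuine"] = open(dest, "rb").read() == SAMPLE_DB
    return results
```

A digest pinned at package build time means a changed upstream file fails the install rather than silently reaching a parser such as mod-geoip; it does not help against a malicious file that was already in place when the digest was pinned.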