
Re: Packages that download/install unsecured files




Leo "costela" Antunes wrote:
> Hi,
> 
> Patrick Matthäi wrote:
>> Maybe we should also think about the downloaded files themselves.
>> Firmware for Linux or a plugin for Firefox could do really bad things.
>>
>> In the case of geoip it is just a data file (like a .svg etc) with no
>> attacking vector. The attacker could only inject a corrupted database
>> and geoip will throw errors/false positions.
>>
>> Is this really a vector for it?
> 
> GeoIP's database is AFAICT a binary format, which means the library
> could theoretically suffer from buffer-overflows and such. If this is
> indeed correct, you'd just need apache's mod-geoip, for instance, to put
> your server in potential trouble.

Sure, if the library / program itself is vulnerable to it, then it is a
real problem.
I should be more precise:
Is it really a problem if the user "just" gets a corrupted database?
There are _currently_ no known security issues in this way.
That is what I mean by "really".

> 
> Being strict, almost any format can be an attack vector in some way
> (phishing sites are another extreme example, and obviously one we
> shouldn't try to solve through the packaging system), but I somewhat
> agree with Christoph that we could draw the line on packages that
> perform automatic installations of binaries from external unchecked sources.
> 
> Cheers
> 


--
/*
Mit freundlichem Gruß / With kind regards,
 Patrick Matthäi
 GNU/Linux Debian Developer

E-Mail: pmatthaei@debian.org
        patrick@linux-dev.org

Comment:
Always if we think we are right,
we were maybe wrong.
*/

