
Re: Packages that download/install unsecured files


Leo "costela" Antunes wrote:
> Hi,
> Patrick Matthäi wrote:
>> Maybe we should also think about the downloaded files themselves.
>> A firmware for Linux or a plugin for firefox could do really bad things.
>> In the case of geoip it is just a data file (like a .svg etc) with no
>> attacking vector. The attacker could only inject a corrupted database
>> and geoip will throw errors/false positions.
>> Is this really a vector for it?
> GeoIP's database is AFAICT a binary format, which means the library
> could theoretically suffer from buffer-overflows and such. If this is
> indeed correct, you'd just need apache's mod-geoip, for instance, to put
> your server in potential trouble.

Sure, if the library / program itself is vulnerable to it, then it is a
real problem.
I should be more precise:
Is it really a problem if the user "just" gets a corrupted database?
There are _currently_ no known security issues in this way.
That is what I mean by "really".

> Being strict, almost any format can be an attack vector in some way
> (phishing sites are another extreme example, and obviously one we
> shouldn't try to solve through the packaging system), but I somewhat
> agree with Christoph that we could draw the line on packages that
> perform automatic installations of binaries from external unchecked sources.
> Cheers

--
Mit freundlichem Gruß / With kind regards,
 Patrick Matthäi
 GNU/Linux Debian Developer

E-Mail: pmatthaei@debian.org

Always if we think we are right,
we were maybe wrong.
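Leo's point above, that a binary database is consumed by parsing code which may trust the counts and lengths it reads from the file, as an added example that is not part of this thread and is not GeoIP's code or format: a constructed toy "geo database" (magic "GEO1", a 32-bit record count, then records of start address, end address, a one-byte name length and the name) parsed once naively and once with every file-supplied value checked against the real buffer size and the caller's buffer sizes. The format, the parser names and the sample databases are all assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_RECORDS 16
#define NAME_MAX    31

typedef struct {
    uint32_t start;            /* first IPv4 address of the range */
    uint32_t end;              /* last IPv4 address of the range  */
    char     name[NAME_MAX + 1];
} record_t;

/* little-endian 32-bit read */
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Naive parser (assumed "before" code): trusts every count and length it
 * reads from the file. A corrupted database with a huge record_count or
 * name_len writes past out[] / name[] and reads past the end of db.
 * Shown for contrast only; it is never run on the corrupt inputs below. */
int parse_naive(const uint8_t *db, record_t *out)
{
    uint32_t n = rd32(db + 4);
    const uint8_t *p = db + 8;
    for (uint32_t i = 0; i < n; i++) {            /* n > MAX_RECORDS: overflow of out[] */
        out[i].start = rd32(p);
        out[i].end   = rd32(p + 4);
        uint8_t nl   = p[8];
        memcpy(out[i].name, p + 9, nl);           /* nl > NAME_MAX: overflow of name[] */
        out[i].name[nl] = '\0';
        p += 9 + nl;                              /* may run past the buffer */
    }
    return (int)n;
}

/* Checked parser: every read is bounded by len, every file-supplied count or
 * length by the caller's buffers. Returns the record count, or -1 if the
 * database is truncated, oversized, or otherwise corrupt. */
int parse_checked(const uint8_t *db, size_t len, record_t *out, size_t max_out)
{
    if (len < 8 || memcmp(db, "GEO1", 4) != 0)
        return -1;
    uint32_t n = rd32(db + 4);
    if (n > max_out)                              /* more records than out[] holds */
        return -1;
    size_t off = 8;                               /* invariant: off <= len */
    for (uint32_t i = 0; i < n; i++) {
        if (len - off < 9)                        /* fixed part of the record present? */
            return -1;
        uint8_t nl = db[off + 8];
        if (nl > NAME_MAX || len - off - 9 < nl)  /* name fits name[] and the file? */
            return -1;
        out[i].start = rd32(db + off);
        out[i].end   = rd32(db + off + 4);
        memcpy(out[i].name, db + off + 9, nl);
        out[i].name[nl] = '\0';
        off += 9 + nl;
    }
    return off == len ? (int)n : -1;              /* trailing bytes: reject */
}

/* Constructed sample databases (not real GeoIP data). */
const uint8_t valid_db[] = {                      /* 2 well-formed records */
    'G','E','O','1',  2,0,0,0,
    0x00,0x00,0x00,0x0A, 0xFF,0xFF,0xFF,0x0A, 2,'D','E',
    0x00,0x00,0xA8,0xC0, 0xFF,0xFF,0xA8,0xC0, 3,'L','A','N',
};
const uint8_t huge_count_db[] = {                 /* claims 4 billion records, has one */
    'G','E','O','1',  0xFF,0xFF,0xFF,0xFF,
    0x00,0x00,0x00,0x0A, 0xFF,0xFF,0xFF,0x0A, 2,'D','E',
};
const uint8_t bad_namelen_db[] = {                /* name_len 200, two name bytes follow */
    'G','E','O','1',  1,0,0,0,
    0x00,0x00,0x00,0x0A, 0xFF,0xFF,0xFF,0x0A, 200,'D','E',
};
const uint8_t truncated_db[] = { 'G','E','O','1', 1,0 };   /* cut off in the header */

record_t parsed[MAX_RECORDS];

int main(void)
{
    int n = parse_checked(valid_db, sizeof valid_db, parsed, MAX_RECORDS);
    printf("valid_db: %d records", n);
    for (int i = 0; i < n; i++)
        printf(" [%08x-%08x %s]", (unsigned)parsed[i].start, (unsigned)parsed[i].end, parsed[i].name);
    printf("\nhuge_count_db: %d\n", parse_checked(huge_count_db, sizeof huge_count_db, parsed, MAX_RECORDS));
    printf("bad_namelen_db: %d\n", parse_checked(bad_namelen_db, sizeof bad_namelen_db, parsed, MAX_RECORDS));
    printf("truncated_db: %d\n", parse_checked(truncated_db, sizeof truncated_db, parsed, MAX_RECORDS));
    return 0;
}
```

The difference between the two parsers is the whole argument of the thread: with the naive one, an attacker who can replace the downloaded database controls a length used for memcpy and an index into the output array, so a "just corrupted" data file becomes memory corruption in whatever links the library, mod_geoip included. The checked parser fails closed on every malformed sample and on a caller buffer that is too small, which is what you want a data-file loader to do when the file comes from an unverified download.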