
Re: flashplugin-nonfree get-upstream-version.pl security concern



On 12/12/12 12:02, Moritz Mühlenhoff wrote:
> On Wed, Dec 12, 2012 at 05:52:31PM +0000, adrelanos wrote:
>> Hi,
>>
>> I do not want to discuss security implications of the upstream closed
>> source Adobe Flash plugin. This is about how the Flash plugin is
>> downloaded and installed in Debian.
>>
>> /usr/sbin/update-flashplugin-nonfree downloads get-upstream-version.pl
>>
>> http://people.debian.org/~bartm/flashplugin-nonfree/get-upstream-version.pl.gz.pgp
>> stores it in /tmp/xxx, runs it and deletes /tmp/xxx.
>
> It should at least use a non-predictable tempfile (using tempfile(1) )
>
> Please file bug for that.
>
>> Since get-upstream-version.pl runs as root it can do anything.
>>
>> I don't accuse him personally for anything. But should he ever be
>> compromised (forced, evil maid, etc...) it's very easy to mount a
>> stealth attack.
>>
>> Also reviewing get-upstream-version.pl is cumbersome, you either have to
>> be fast enough to catch it in /tmp/xxx or to download and decrypt it
>> manually using his gpg key.
>>
>> So far it looks clean. But that's not best security practice?
>>
>> What is Debian policy on code execution from user websites?
>
> There are a few downloaders like this in contrib/non-free.
> This is one of the better ones; after all you need to trust
> every DD not to muck with your systems (postinst scripts run as root,
> e.g.)
>
Hmm, I think most users will take the meaning of this Debian package to
be that it downloads content from Adobe.  Users are well within sane
reasoning to be surprised that it downloads content from anywhere
else... and then proceeds to run said content as root.

Strictly speaking the content of a package should have been vetted by
FTP Masters for copyright violations and the like.  As contrib/non-free
and specifically this package is a means to circumvent this, it should
not be allowed to do so without restrictions.  Specifically the
copyright on this file could change at any time, exposing users to legal
problems.  As for Adobe, let's assume that the user has a good working
relationship and/or contracts and is otherwise on the best of terms.
This is where "who" the content is coming from plays a big role.

Just my thoughts.

> Plus, installing Flash opens the Pandora's box anyway
>
This is not the issue as stated in the first paragraph, safely ignore
this for the sake of a healthy discussion.  Arguments along this line
are just plain ugly, for both sides.

> Cheers,
>         Moritz
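The tempfile point raised above (a helper fetched into a fixed /tmp path and run as root) can be illustrated with the hardened shape of that step. This is an added example, not the code of update-flashplugin-nonfree: the download is replaced by a constructed stand-in that writes a dummy script, and the private directory comes from mktemp(1), which is what tempfile(1) is also meant to give you.

```bash
#!/bin/sh
# Hardened "fetch a helper script, run it, delete it" step.
# A fixed, world-shared path such as /tmp/xxx lets any local user pre-create
# or swap the file before root runs it; a fresh mktemp(1) directory is
# unpredictable and mode 0700, so only the creating user can reach it.
set -eu

# fetch_helper DEST: stand-in for the real download, constructed for this
# example. The real tool would fetch over the network and verify the
# signature before anything else is done with the file.
fetch_helper() {
    printf '%s\n' '#!/bin/sh' 'echo 0.0.0-example' > "$1"
}

# run_helper_safely: fetch the helper into a private temp dir, run it,
# and remove the dir no matter how the helper fails.
# Prints the helper's output and returns the helper's exit status.
# The body runs in a subshell so umask and exit stay local to it.
run_helper_safely() (
    umask 077
    workdir=$(mktemp -d) || exit 1
    helper="$workdir/get-upstream-version.sh"
    status=0
    fetch_helper "$helper" || status=$?
    if [ "$status" -eq 0 ]; then
        # Refuse to execute anything but the plain file we just created.
        if [ -L "$helper" ] || [ ! -f "$helper" ]; then
            echo "helper is not a regular file" >&2
            status=1
        else
            sh "$helper" || status=$?
        fi
    fi
    rm -rf "$workdir"
    exit "$status"
)
```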


