
Re: flashplugin-nonfree get-upstream-version.pl security concern



On 12/12/12 13:10, Henrik Ahlgren wrote:
> On Wed, Dec 12, 2012 at 05:52:31PM +0000, adrelanos wrote:
>> Since get-upstream-version.pl runs as root it can do anything.
>>
>> I don't accuse him personally for anything. But should he ever be
>> compromised (forced, evil maid, etc...) it's very easy to mount a
>> stealth attack.
> 
> I would worry more about the Adobe's web site getting compromised.
> The get-upstream-version.pl script fetches the link to the Flash
> player from www.adobe.com and then the download page:
> 
> open INPUT, "wget --user-agent=\"$user_agent\" -qO - $url |" or die;
> 
> It runs wget using the shell and there is basically no validation for
> what $url contains. Even if taint mode was used, this would untaint
> the value no matter what it happens to contain:
> 
> $page =~ m,<a href="([^"]+)">Adobe Flash Player</a>,s
>         or die "link to Adobe Flash Player not found on $url";
> 
> my $link_to_flash = $1;
> 
> What would happen if the link happened to contain "; some nasty
> command"?
> 
The link ($1) can't contain a ", but a few others (i.e. ') should be added
to this list, and use...
open INPUT, "wget --user-agent=\"$user_agent\" -qO - \"$url\" |" or die;
or
open INPUT, "wget --user-agent='$user_agent' -qO - '$url' |" or die;

> Given Adobe's security track record with their software products, I
> would not trust their web site too much. In fact, I would not like
> to run that kind of script against any normal corporate web site,
> especially non-https one!
> 
Validation of retrieved content should also be the responsibility of
this package.  There should be signature files as part of a volatile (or
whatever replaced that) package; using only files that have been signed
by a DD seems like a good item to have added to Policy.

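Added example, not code from the flashplugin-nonfree package or from anyone in this thread. Inside double quotes the shell still expands `$(...)`, backticks and `\`, so quoting alone leaves the wget command line under the control of whatever the remote page put in the href. The list form of open passes its arguments straight to execvp() with no /bin/sh in between, and the extracted link is checked against an expected pattern before it is used at all; the allowed host pattern, the user agent string and the sample pages are assumptions made for this example.

```perl
#!/usr/bin/perl
# Added example (not the flashplugin-nonfree script): the same wget pipe
# without a shell, plus a whitelist check on the link scraped from the page.
use strict;
use warnings;

my $user_agent = 'Mozilla/5.0 (example agent)';   # assumed value

# Accept only https links on the host we expect the download to come from.
# The host pattern is an assumption for this example; query strings are
# deliberately not allowed so the check stays conservative.
sub validate_link {
    my ($link) = @_;
    return unless defined $link;
    return unless $link =~ m{\Ahttps://(?:[a-z0-9-]+\.)*adobe\.com/[\w./%-]*\z}i;
    return $link;
}

# Extract the link exactly as the original regex does, then validate it
# instead of trusting whatever the remote page placed inside the href.
sub extract_flash_link {
    my ($page) = @_;
    $page =~ m,<a href="([^"]+)">Adobe Flash Player</a>,s or return;
    return validate_link($1);
}

# List-form open: no shell is involved, so "; some nasty command" inside
# $url reaches wget as plain bytes of one argument.  The "--" also stops a
# link beginning with "-" from being parsed by wget as an option.
sub fetch {
    my ($url) = @_;
    open(my $in, '-|', 'wget', "--user-agent=$user_agent", '-qO', '-', '--', $url)
        or die "cannot run wget: $!";
    local $/;                       # slurp the whole response
    my $body = <$in>;
    close $in or die "wget failed for $url (exit status $?)";
    return $body;
}

# Constructed sample pages: one as expected, one standing in for a
# compromised download page carrying shell metacharacters in the href.
my @samples = (
    '<a href="https://get.adobe.com/flashplayer/x.tar.gz">Adobe Flash Player</a>',
    '<a href="https://get.adobe.com/x.tar.gz; some nasty command">Adobe Flash Player</a>',
);
for my $page (@samples) {
    my $link = extract_flash_link($page);
    print defined $link ? "accepted: $link\n" : "rejected: link not found or failed validation\n";
}
```

fetch($link) is the drop-in replacement for the original open line and is only meant to be called once $link has passed validate_link(); the demo above stays offline and exercises only the extraction and validation path.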
