[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Access to online resources in maintainer scripts

CC debian-security

I created bug report #756334 as a real life example of such downloads leading to several security vulnerabilities (remote denial of service, local privilege elevation, possibly other). I think that many other packages that download files during configuration have at least some of those vulnerabilities. That's one of the reason why this should be regulated, and regulated pretty strictly. In general, more attention should be drawn to the security of maintainer scripts.

On 28.07.2014 00:07, Evgeny Kapun wrote:
> There are several packages which download files from the Internet at configuration time. Most of them are non-free packages which can't include these files for legal reasons. In general, such behavior is very inconvenient, because it prevents such packages from being installed on offline systems where package files are transferred using some other mechanism (e.g. offline mirror). Also some of these packages may not verify integrity of these files, which may result in these packages being insecure.
> Currently, I haven't found such behavior regulated or even mentioned in Debian Policy Manual or any other regulatory documents. I think that the following rules should be added:
> * Access to network from maintainer scripts should be only allowed for non-free packages, only to download data that can't be included into the package for legal reasons. Such download should take place at configure time.
> * Integrity of all downloaded data should be checked, probably by using cryptographic hashes stored in the package itself.
> * Packages should behave in a certain consistent manner in the case the network is not available.
> * There should be a switch that would disable network access for maintainer scripts, in case it is not desirable. There should probably also be a way to transfer these files manually or to provide an alternative location for them.
> There should probably also be some helper script which maintainer scripts could use to easily do all of the above.
> Alternatively, it may be better to modify the package manager to handle the task of downloading these files. Perhaps a special header in package metadata would include URLs of the necessary files and their checksums.
> Any suggestions?

Reply to: