
Re: Unofficial binary Debian packages considered insecure?



On Fri, May 28, 2004 at 09:57:33PM +0200, Niels L. Ellegaard wrote:
> 
> I have been looking at a few of the the sites that offer unofficial
> debian packages, and I am somewhat confused about the security issues.
> I am not a great Linux guru, so I wonder how easy it would be to hide
> a rootkit in a binary package and submit it to apt-get.org or
> backports.org. Is this a serious risk or am I just being paranoid?

You are right.

Basically, installing a *.deb package means allowing the creator of
that package to gain root on your system and run any command he
wishes.

It can install a rootkit, or worse, it can run "rm -rf /" or "dd
if=/dev/urandom of=/dev/hda" through the postinst script if it is a
malicious package.

So do not play with those packages on your mission critical machine
without checking them.

Osamu
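Osamu's advice to check a third-party package before installing it comes down to reading its maintainer scripts (preinst, postinst, prerm, postrm), which dpkg runs as root. The following is an added example, not part of the original thread or of dpkg itself: a small pure-Python inspector that opens a .deb (an `ar` archive holding `debian-binary`, `control.tar.*` and `data.tar.*`) without installing it, pulls the maintainer scripts out of the control tarball, and flags the two destructive patterns mentioned above. The sample package it builds in memory is constructed for the demo; the `example-pkg` name, its contents and the `DANGER` heuristics are assumptions, not a real package or a complete blacklist.

```python
import io
import re
import tarfile

AR_MAGIC = b"!<arch>\n"
MAINTAINER_SCRIPTS = ("preinst", "postinst", "prerm", "postrm")

# Coarse heuristics for the commands the mail above mentions. They are an aid
# to reading the script, not a substitute for it (assumption: this is all the
# reviewer wants flagged automatically).
DANGER = [
    (r"\bdd\b.*\bof=/dev/", "raw write to a block device"),
    (r"\brm\s+-rf\s+/(\s|$)", "recursive delete of /"),
]


def ar_members(deb: bytes):
    """Yield (name, data) for every member of a classic ar archive."""
    if not deb.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos = len(AR_MAGIC)
    while pos + 60 <= len(deb):
        hdr = deb[pos:pos + 60]           # fixed 60-byte member header
        if hdr[58:60] != b"`\n":
            raise ValueError("corrupt ar member header")
        name = hdr[0:16].decode("ascii").strip().rstrip("/")  # GNU ar adds "/"
        size = int(hdr[48:58].decode("ascii").strip())
        yield name, deb[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)     # members are padded to even length


def maintainer_scripts(deb: bytes) -> dict:
    """Return {script_name: text} for the maintainer scripts in a .deb."""
    members = dict(ar_members(deb))
    if members.get("debian-binary", b"").strip() != b"2.0":
        raise ValueError("not a format-2.0 .deb")
    ctrl_name = next(n for n in members if n.startswith("control.tar"))
    found = {}
    with tarfile.open(fileobj=io.BytesIO(members[ctrl_name]), mode="r:*") as tf:
        for ti in tf.getmembers():
            base = ti.name.split("/")[-1]  # entries are usually "./postinst"
            if ti.isfile() and base in MAINTAINER_SCRIPTS:
                found[base] = tf.extractfile(ti).read().decode("utf-8", "replace")
    return found


def suspicious_lines(script: str) -> list:
    """Return (line_number, reason, line) for lines matching DANGER patterns."""
    hits = []
    for lineno, line in enumerate(script.splitlines(), 1):
        for pattern, reason in DANGER:
            if re.search(pattern, line):
                hits.append((lineno, reason, line.strip()))
    return hits


# --- constructed sample .deb so the inspector can be run offline -------------

def _ar_member(name: str, data: bytes) -> bytes:
    fields = [name.ljust(16), "0".ljust(12), "0".ljust(6), "0".ljust(6),
              "100644".ljust(8), str(len(data)).ljust(10)]
    hdr = "".join(fields).encode("ascii") + b"`\n"
    return hdr + data + (b"\n" if len(data) % 2 else b"")


def _targz(files: dict) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, content in files.items():
            ti = tarfile.TarInfo(name="./" + name)
            ti.size, ti.mode = len(content), 0o755
            tf.addfile(ti, io.BytesIO(content))
    return buf.getvalue()


def build_sample_deb() -> bytes:
    """Constructed package whose postinst carries the commands from the mail."""
    control = (b"Package: example-pkg\nVersion: 1.0\nArchitecture: all\n"
               b"Maintainer: nobody <nobody@example.invalid>\n"
               b"Description: constructed sample\n")
    postinst = (b"#!/bin/sh\nset -e\nupdate-rc.d example defaults >/dev/null\n"
                b"# constructed: the destructive commands Osamu mentions\n"
                b"dd if=/dev/urandom of=/dev/hda\nrm -rf /\n")
    ctrl = _targz({"control": control, "postinst": postinst})
    data = _targz({"usr/share/doc/example-pkg/README": b"constructed\n"})
    return (AR_MAGIC + _ar_member("debian-binary", b"2.0\n")
            + _ar_member("control.tar.gz", ctrl) + _ar_member("data.tar.gz", data))


if __name__ == "__main__":
    for name, text in maintainer_scripts(build_sample_deb()).items():
        print(f"== {name} (runs as root at install time) ==")
        print(text)
        for lineno, reason, line in suspicious_lines(text):
            print(f"  line {lineno}: {reason}: {line}")
```

Pointing `maintainer_scripts()` at `open("foo.deb", "rb").read()` gives the same view as `dpkg-deb -e`, but without needing dpkg and without the archive ever touching the package database; the point is that everything it prints will execute with uid 0 the moment you run `dpkg -i`, so read it all, not just the flagged lines.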


