[Pkg-haskell-maintainers] Bug#756334: Configure script downloads files from the Internet

[Evgeny Kapun]

Package: hoogle
Version: 4.2.33-1+b1
Severity: critical
Tags: security

During configuration, hoogle postinst script attempts to download a file from the URL <http://hackage.haskell.org/packages/hoogle.tar.gz> and subsequently unpack it. Moreover, the integrity of this file is not verified.

This leads to the following possible attacks:
* An attacker controlling the user's network connection may indefinitely delay the configuration of hoogle package by supplying data at a very low rate, even if package files themselves are available from local source.
* The same attacker may supply bogus data instead of the file. This may not only lead to hoogle behaving in an erroneous manner, but may also lead to a full system compromise. For example, the archive may contain a malicious executable file marked SUID root, and local unprivileged user (who also participates in the attack) may run this file after it is extracted. The archive may also contain symlinks and device nodes, which can also be used for attack.
* The same attacker may supply a very large file, filling the system partition and achieving denial of service. He may also supply a small file which becomes very large after un-gzipping.

My suggestion is that downloading files in a secure manner is hard, and maintainer scripts probably shouldn't be doing it.