[Pkg-haskell-maintainers] Bug#756334: Bug#756334: Configure script downloads files from the Internet

Joachim Breitner nomeata at debian.org
Tue Jul 29 07:33:06 UTC 2014


Control: tag -1 + upstream confirmed

Hi,

Iustin Pop is working on this, and finding a solution together with
upstream:
https://github.com/ndmitchell/hoogle/issues/76

Greetings,
Joachim

On Monday, 28.07.2014 at 23:02 +0200, Evgeny Kapun wrote:
> Package: hoogle
> Version: 4.2.33-1+b1
> Severity: critical
> Tags: security
> 
> During configuration, the hoogle postinst script attempts to download a file from the URL <http://hackage.haskell.org/packages/hoogle.tar.gz> and subsequently unpack it. Moreover, the integrity of this file is not verified.
> 
> This leads to the following possible attacks:
> * An attacker controlling the user's network connection may indefinitely delay the configuration of the hoogle package by supplying data at a very low rate, even if the package files themselves are available from a local source.
> * The same attacker may supply bogus data instead of the file. This may not only lead to hoogle behaving in an erroneous manner, but may also lead to a full system compromise. For example, the archive may contain a malicious executable file marked SUID root, and a local unprivileged user (who also participates in the attack) may run this file after it is extracted. The archive may also contain symlinks and device nodes, which can also be used for attack.
> * The same attacker may supply a very large file, filling the system partition and achieving denial of service. He may also supply a small file which becomes very large after un-gzipping.
> 
> My suggestion is that downloading files in a secure manner is hard, and maintainer scripts probably shouldn't be doing it.

-- 
Joachim "nomeata" Breitner
Debian Developer
  nomeata at debian.org | ICQ# 74513189 | GPG-Keyid: F0FBF51F
  JID: nomeata at joachim-breitner.de | http://people.debian.org/~nomeata
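
The checks the quoted report implies, as an added example that is not part of the original thread or of the hoogle packaging: pin the archive's SHA-256 digest, then refuse archives containing links, device nodes, setuid/setgid files, escaping paths, or more declared data than a size cap. The function names, the 64 MiB cap and the sample archives are assumptions constructed for illustration.

```python
import hashlib, io, stat, tarfile

def audit_archive(blob, expected_sha256, max_unpacked=64 * 1024 * 1024):
    """Return reasons to refuse the archive; an empty list means acceptable."""
    if hashlib.sha256(blob).hexdigest() != expected_sha256:
        return ["digest mismatch"]  # never parse bytes that fail the pin
    problems, total = [], 0
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for m in tar:  # inspects member headers; nothing is extracted
            if m.name.startswith("/") or ".." in m.name.split("/"):
                problems.append(f"{m.name}: path escapes target directory")
            if m.issym() or m.islnk():
                problems.append(f"{m.name}: link member")
            elif m.ischr() or m.isblk() or m.isfifo():
                problems.append(f"{m.name}: device node or FIFO")
            elif m.mode & (stat.S_ISUID | stat.S_ISGID):
                problems.append(f"{m.name}: setuid/setgid bit")
            total += m.size  # declared size, checked before the data is read
            if total > max_unpacked:
                problems.append("unpacked size exceeds limit")
                break
    return problems

def build_sample(members):
    """Constructed input: (name, type, mode, payload) tuples -> tar.gz bytes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, typ, mode, payload in members:
            info = tarfile.TarInfo(name)
            info.type, info.mode, info.size = typ, mode, len(payload)
            info.linkname = "/etc" if typ == tarfile.SYMTYPE else ""
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()

# Constructed samples, not taken from any real package.
GOOD = build_sample([("data/index.db", tarfile.REGTYPE, 0o644, b"index")])
BAD = build_sample([
    ("data/helper", tarfile.REGTYPE, 0o4755, b"x"),  # setuid executable
    ("data/link", tarfile.SYMTYPE, 0o777, b""),      # symlink out of the tree
    ("data/dev", tarfile.CHRTYPE, 0o600, b""),       # character device node
    ("../etc/x", tarfile.REGTYPE, 0o644, b"x"),      # path traversal
])

if __name__ == "__main__":
    pin = hashlib.sha256(BAD).hexdigest()  # stands in for a digest shipped in the package
    for line in audit_archive(BAD, pin):
        print("refuse:", line)
```

The digest pin only helps if the expected value arrives through a channel the network attacker cannot alter, such as the signed package itself; the size check uses declared member sizes and stops before reading past the cap.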
