[Pkg-net-snmp-devel] Bug#559997: libsnmp-base: Makefile.mib should provide stronger integrity checks for downloaded material

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Dec 8 06:01:09 UTC 2009


Package: libsnmp-base
Version: 5.4.2.1~dfsg-3
Severity: wishlist

Makefile.mib fetches a lot of data from the network that isn't
DFSG-redistributable.  But that data then appears to be relied upon
by other parts of the SNMP infrastructure.  It would be good to
ensure that the data fetched from the network actually matches the
content we expect it to be.

While the data itself may not be redistributable within Debian's
guidelines, I don't think there would be anything wrong with shipping
a cryptographic checksum (a SHA-256 sum, for example) of each piece
of data we expect to fetch, and avoiding installing the material if the
fetched/transformed data doesn't match the expected checksum.

Without such an integrity check, it seems like this package
potentially opens a computer to some form of abuse by an attacker with
control over the network.

Of course, such a scheme wouldn't work if the data being fetched is
volatile.  But is it?  I don't know enough about SNMP and MIBs to
answer.

Thanks for maintaining SNMP in Debian!

Regards,

    --dkg

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.31-1-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libsnmp-base depends on:
ii  debconf [debconf-2.0]     1.5.28         Debian configuration management sy
ii  gawk                      1:3.1.6.dfsg-4 GNU awk, a pattern scanning and pr
ii  make                      3.81-7         An utility for Directing compilati
ii  wget                      1.12-1.1       retrieves files from the web

libsnmp-base recommends no packages.

libsnmp-base suggests no packages.

-- debconf information:
* libsnmp-base/download_mibs: false
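A checksum gate of the kind the report proposes, as an added example that is not part of the bug report or of net-snmp's own Makefile.mib: the shipped checksum table, the MIB file name and the install directory are assumptions, and the hash listed is for the constructed content "hello\n" standing in for a fetched file.

```shell
#!/bin/sh
# Added example: install a downloaded MIB only if its SHA-256 matches a
# sum shipped with the package. Not taken from net-snmp's Makefile.mib;
# table contents, file names and paths below are constructed.

# Checksum table the package would ship, one "<sha256>  <filename>" per
# line (same layout that sha256sum -c accepts). The hash is sha256 of
# the constructed content "hello\n", standing in for a real MIB file.
MIB_SUMS='5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03  EXAMPLE-MIB.txt'

# expected_sum NAME: print the recorded hash for NAME; fail if unlisted,
# so a file nobody vetted can never slip through as "no sum to check".
expected_sum() {
    printf '%s\n' "$MIB_SUMS" |
        awk -v n="$1" '$2 == n { print $1; found = 1 } END { exit !found }'
}

# verify_and_install FILE DESTDIR
#   Moves FILE into DESTDIR only when its SHA-256 equals the shipped sum.
#   On a mismatch or an unlisted file the download is deleted and 1 is
#   returned, so a tampered fetch never lands in the MIB directory.
verify_and_install() {
    file=$1
    destdir=$2
    name=$(basename "$file")
    want=$(expected_sum "$name") || {
        echo "no checksum recorded for $name; refusing to install" >&2
        rm -f "$file"
        return 1
    }
    got=$(sha256sum "$file" | awk '{ print $1 }')
    if [ "$got" != "$want" ]; then
        echo "checksum mismatch for $name: expected $want, got $got" >&2
        rm -f "$file"
        return 1
    fi
    mkdir -p "$destdir" && mv "$file" "$destdir/$name"
}

# Stand-alone usage: verify_and_install.sh <downloaded-file> <mib-dir>
if [ $# -eq 2 ]; then
    verify_and_install "$1" "$2"
fi
```

The same check can be run from a Makefile rule by calling the function after the wget step, so the target only succeeds once the verified file is in place.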