Package: usbutils
Version: 1:007-4
Severity: important

Debian bugs #804299 and #805328 made me realize that update-usbids also has 
the same problem of downloading unauthenticated data from the web and then 
parsing it, potentially being open to potential exploits in the parser. The 
risk is probably less than update-smart-drivedb, which might potentially 
take action based on the data that could result in drive damage, I suppose 
it's possible there is something that is taking action based on usbids data.

In the short term it should probably be disabled or at least prompt the 
user to manually verify a checksum or something. Longer term maybe both 
utils can use a similar solution.

Thanks,

-- 
Matt Taggart
[email protected]

Reply via email to