Package: usbutils Version: 1:007-4 Severity: important Debian bugs #804299 and #805328 made me realize that update-usbids also has the same problem of downloading unauthenticated data from the web and then parsing it, potentially being open to potential exploits in the parser. The risk is probably less than update-smart-drivedb, which might potentially take action based on the data that could result in drive damage, I suppose it's possible there is something that is taking action based on usbids data.
In the short term it should probably be disabled or at least prompt the user to manually verify a checksum or something. Longer term maybe both utils can use a similar solution. Thanks, -- Matt Taggart [email protected]

