Package: plowshare
Version: 2.1.7-2
Severity: grave
Tags: security
Justification: user security hole
Hi.

The removal of plowshare-modules, which was IMO quite !smart, forces users to use plowmod, which is IMO, like basically every code-downloader, inherently insecure.

1) There seems to be no verification whatsoever of the downloaded code apart from using TLS. Thus any of the about 150 default CAs (of which many are already known to be rogue CAs that have in the past often forged certs for the totalitarian states they're based in), plus thousands of intermediate CAs, can basically easily create a forged cert for github and then inject code into an attacked system. Such an attack can be targeted upon specific users only (which is not possible if some code - even if not audited - is taken by Debian and distributed from there... in such a case *all* users would be attacked and an attack is likely to be noticed more easily). Of course the same is possible for github and even the upstream authors: attacking a single person without ever being noticed, because the vast majority gets "good" code.

2) It circumvents the package management system, which is generally wrong for many reasons, including e.g.:
- users won't be notified about security updates by regular means (actually by no means at all)
- things like debsums break
- tools like check_apt for Icinga/etc. will either break or simply not work as intended.

code-downloader+installer-tools are typically inherently insecure... even with "proper" OpenPGP signatures and verification it's hard to get it done right, and often things like downgrade-attacks are forgotten... and it still leaves the attack window open that an evil (or stolen) upstream key can be used to only selectively attack users, which will never be noticed. The only way to get it done right is if Debian (respectively the downloader package) itself contains the signatures/sums (*not* a generally trusted key) and verifies against those... which however defeats the "benefits" of such code downloader programs.
Since code-downloader+installer-tools are from a security PoV generally evil, they should actually rather be removed from packages, so that users don't actually use them.

Cheers,
Chris.
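The verification scheme the report calls the only correct one (the downloader package itself shipping the sums, checking the fetched file against them, and refusing downgrades) looks like this in POSIX shell. This is an added example written for this page, not code from plowshare, plowmod or the reporter; the manifest format, module name, integer version numbers, digests and the installed-version record are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example: verify a downloaded module against a digest pinned inside the
# package itself, not fetched from the network. Everything below is constructed.

# Hypothetical pinned manifest shipped with the package: "<name> <version> <sha256>".
# The two digests are SHA-256 of "hello\n" and of the empty file respectively.
PINNED_MANIFEST='example_module 3 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
example_module 2 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'

# Hypothetical record of the version currently installed (integers keep the
# comparison simple; real version strings need a proper comparator).
INSTALLED_VERSION=3

sha256_of() {
    # Print the hex SHA-256 digest of a file using whichever tool is present.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

pinned_digest() {
    # Look up the digest pinned for NAME VERSION; empty output means "unknown".
    printf '%s\n' "$PINNED_MANIFEST" |
        awk -v n="$1" -v v="$2" '$1 == n && $2 == v { print $3 }'
}

verify_module() {
    # verify_module FILE NAME VERSION
    # Returns 0 only if NAME/VERSION is pinned, is not a downgrade, and FILE's
    # digest matches the pinned value. Anything else is rejected before install.
    file=$1; name=$2; version=$3
    expected=$(pinned_digest "$name" "$version")
    if [ -z "$expected" ]; then
        echo "reject: $name $version is not in the pinned manifest" >&2
        return 1
    fi
    if [ "$version" -lt "$INSTALLED_VERSION" ]; then
        echo "reject: $name $version is older than installed $INSTALLED_VERSION (downgrade)" >&2
        return 1
    fi
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "reject: digest mismatch for $name $version" >&2
        return 1
    fi
    echo "ok: $name $version verified" >&2
    return 0
}

demo() {
    # Constructed downloads: a genuine module, a tampered copy, and an old release.
    tmp=$(mktemp -d)
    printf 'hello\n' > "$tmp/good"              # matches the pin for version 3
    printf 'hello\n# injected\n' > "$tmp/bad"   # same name/version, altered content
    : > "$tmp/old"                              # genuine version 2, but a downgrade
    verify_module "$tmp/good" example_module 3 && echo "accepted good"
    verify_module "$tmp/bad"  example_module 3 || echo "rejected tampered"
    verify_module "$tmp/old"  example_module 2 || echo "rejected downgrade"
    rm -rf "$tmp"
}

demo
```

The point the report makes is visible in where the trust lives: the manifest is data inside the package that the distribution's own signing and update channel already protect, so a forged TLS certificate or a compromised upstream key changes nothing that the check trusts, and the installed-version record closes the downgrade path the report says is usually forgotten.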