Package: plowshare
Version: 2.1.7-2
Severity: grave
Tags: security
Justification: user security hole


Hi.

The removal of plowshare-modules, which was IMO quite !smart, forces
users to use plowmod which is IMO, like basically every code-downloader,
inherently insecure.

1) There seems to be no verification whatsoever of the downloaded code
   apart from using TLS.
   Thus any of the about 150 default CAs (many of which are already
   known to be rogue CAs that have in the past often forged certs for
   the totalitarian states they're based in) plus thousands of
   intermediate CAs can basically easily create a forged cert for
   github and then inject code into an attacked system.

   Such an attack can be targeted upon specific users only (which is
   not possible if some code - even if not audited - is taken by Debian
   and distributed from there... in such a case *all* users would be
   attacked and an attack is likely to be noticed more easily).

   Of course the same is possible for github and even the upstream
   authors: attacking a single person without ever being noticed,
   because the vast majority gets "good" code.

2) It circumvents the package management system, which is generally wrong
   for many reasons, including e.g.
   - users won't be notified about security updates by regular means
     (actually by no means at all)
   - things like debsums break
   - tools like check_apt for Icinga/etc. will either break or simply not
     work as intended.


code-downloader+installer-tools are typically inherently insecure... even
with "proper" OpenPGP signatures and verification it's hard to get it done
right, and often things like downgrade attacks are forgotten... and it still
leaves the attack window open that an evil (or stolen) upstream key can
be used to only selectively attack users, which will never be noticed.
The only way to get it done right is if Debian (respectively the downloader
package) itself contains the signatures/sums (*not* a generally trusted key)
and verifies against those... which however defeats the "benefits" of such
code downloader programs.

Since code-downloader+installer-tools are from a security PoV generally evil,
they should actually rather be removed from packages, so that users don't
actually use them.

Cheers,
Chris.
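An added example (editor's illustration, not plowshare or plowmod code) of the remedy the report describes: the package that does the downloading ships its own pinned checksums and refuses to install anything that does not match them, so neither a forged TLS certificate nor a compromised upload endpoint can substitute code. The module name, the checksum table and the sample file content are constructed for the example; the pinned digest is the SHA-256 of the constructed content "hello\n".

```bash
#!/bin/sh
# Editor's example: verify a downloaded module against a checksum pinned in
# the distributing package, instead of trusting TLS alone. Not plowshare code.
set -u

# Constructed pinned table (name + SHA-256). In a real package this would
# ship with the package and change only through a regular package update,
# which is what makes downgrade and selective-substitution attacks visible.
PINNED_SUMS='
5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03  example_module.sh
'

# sha256_of FILE: print the hex SHA-256 of FILE (coreutils or perl shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# pinned_sum NAME: print the pinned digest for NAME, or nothing if unknown.
pinned_sum() {
    printf '%s\n' "$PINNED_SUMS" | awk -v n="$1" '$2 == n {print $1}'
}

# verify_module FILE: succeed (0) only when FILE's digest equals the pinned
# digest for its basename. An unknown name is a failure, not a pass:
# "nothing pinned" must never mean "anything goes".
verify_module() {
    name=$(basename "$1")
    expected=$(pinned_sum "$name")
    if [ -z "$expected" ]; then
        echo "refusing $name: no pinned checksum in package" >&2
        return 1
    fi
    actual=$(sha256_of "$1")
    if [ "$actual" != "$expected" ]; then
        echo "refusing $name: checksum mismatch" >&2
        return 1
    fi
    return 0
}

# Stand-alone demo with constructed files (a "good" download, a tampered one,
# and a name the package never pinned).
demo() {
    dir=$(mktemp -d)
    printf 'hello\n' > "$dir/example_module.sh"
    printf 'hello\n# injected\n' > "$dir/example_module.sh.tampered"
    printf 'hello\n' > "$dir/unknown_module.sh"
    verify_module "$dir/example_module.sh" && echo "example_module.sh: OK"
    verify_module "$dir/example_module.sh.tampered" || echo "tampered copy: rejected"
    verify_module "$dir/unknown_module.sh" || echo "unknown_module.sh: rejected"
    rm -rf "$dir"
}

[ "${1:-}" = "demo" ] && demo
```

Run it as `sh verify_example.sh demo`. The design choice worth noting is that the trust anchor is a per-file digest carried by the package, not a general-purpose key or CA: substituting one module for one user then requires changing the package itself, which every user receives and which the usual tooling (debsums, update notifications) can observe.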
