On Wed, Dec 12, 2012 at 05:52:31PM +0000, adrelanos wrote:
> Hi,
>
> I do not want to discuss security implications of the upstream closed
> source Adobe Flash plugin. This is about how the Flash plugin is
> downloaded and installed in Debian.
>
> /usr/sbin/update-flashplugin-nonfree downloads get-upstream-version.pl
> http://people.debian.org/~bartm/flashplugin-nonfree/get-upstream-version.pl.gz.pgp
> stores it in /tmp/xxx, runs it and deletes /tmp/xxx.

It should at least use a non-predictable tempfile (using tempfile(1)).
Please file a bug for that.

> Since get-upstream-version.pl runs as root it can do anything.
>
> I don't accuse him personally of anything. But should he ever be
> compromised (forced, evil maid, etc...) it's very easy to mount a
> stealth attack.
>
> Also reviewing get-upstream-version.pl is cumbersome, you either have to
> be fast enough to catch it in /tmp/xxx or to download and decrypt it
> manually using his gpg key.
>
> So far it looks clean. But that's not best security practice?
>
> What is Debian policy on code execution from user websites?

There are a few downloaders like this in contrib/non-free.
This is one of the better ones; after all, you need to trust
every DD not to muck with your systems (postinst scripts run as root, e.g.).
Plus, installing Flash opens the Pandora's box anyway.

Cheers,
Moritz
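
The unpredictable-tempfile point raised in the reply above, sketched in shell. This is an added example, not code from update-flashplugin-nonfree or from either poster: the function names and the sample helper are hypothetical, mktemp(1) is used in place of tempfile(1), and signature verification of the downloaded script is assumed to have happened already.

```shell
#!/bin/sh
# Constructed stand-in for the downloaded, already signature-verified helper.
SAMPLE_SCRIPT='echo "upstream-version: placeholder"'

# Create a private working directory with an unpredictable name.
make_private_workdir() {
    # mktemp -d creates the directory atomically with mode 0700 and a random
    # suffix, so a local user cannot pre-create it or plant a symlink there.
    mktemp -d "${TMPDIR:-/tmp}/flashplugin-nonfree.XXXXXXXXXX"
}

# Write the helper into the private directory, run it, and always clean up.
# $1 = script text (hypothetical parameter; real code would pass the output
#      of the signature verification step)
run_helper_privately() {
    workdir=$(make_private_workdir) || return 1
    helper="$workdir/get-upstream-version"
    # umask 077 in a subshell keeps the file unreadable to other users.
    ( umask 077; printf '%s\n' "$1" > "$helper" ) || { rm -rf "$workdir"; return 1; }
    # Capture the exit status without tripping "set -e" in the caller.
    output=$(sh "$helper") && status=0 || status=$?
    rm -rf "$workdir"
    printf '%s\n' "$output"
    return "$status"
}

# The check a fixed path such as /tmp/xxx would need before use: refuse
# anything that already exists, including a dangling symlink (-e follows
# links, -L does not). This is still racy between check and use, which is
# why the unpredictable private directory above is the better fix.
fixed_path_is_unclaimed() {
    [ ! -e "$1" ] && [ ! -L "$1" ]
}
```
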