Public bug reported:

[Freenode #ubuntu-release discussion]

[13:51:02] <slashd> vorlon, I also puzzle what would be the good practice, SRU an update of pci.ids or leave the user the decision to use update-pciids which does it automatically
[13:52:13] <infinity> slashd: That second option isn't a great one, for many reasons.
[13:52:21] <vorlon> slashd: ^^ I concur
[13:52:55] <infinity> slashd: The two that come to mind are (a) it alters a dpkg-managed file in /usr/share and (b) it's an entirely unchecked random download over http.
[13:53:17] <infinity> In fact, I'm a bit shocked we even ship that script at all, or haven't at least neutered it in some way.
[13:54:40] <infinity> That's just begging for an injection attack where intentionally-corrupted pci.ids data exploits something goofy in a library that reads it.
[13:55:00] <slashd> infinity, good point
[13:56:05] <infinity> If we were to give that as an option, we'd need to alter the script (and things that read that data) to use a second user-writable location in /var, and we'd need upstream to provide a signed/verifiable source we can pull from.
[13:56:23] <infinity> But I think "stop shipping the script on the PATH" is a saner plan.
[13:58:26] <infinity> slashd: Maybe get some input from someone like mdeslaur or sarnold to see if they think I'm being overly paranoid, but I think having a script on path that downloads random junk over http and slams it in a file in /usr/share that gets read by dozens of other binaries is pretty sketchy.
[13:58:40] <infinity> slashd: So I'd be +1 on just nuking it.
[13:59:08] <slashd> infinity, ack, will try to have an ACK for security team as well, but sounds like a good plan
[13:59:14] <infinity> slashd: Or moving it to /usr/share/doc/pciutils/examples
[14:00:23] <slashd> infinity, vorlon ok thanks a lot for your help
[14:00:28] <mdeslaur> oh ew ew ew ew
[14:01:01] <mdeslaur> yeah, moving it to examples would be a good idea
[14:01:21] <slashd> mdeslaur, ack tks

SRU team: +1
Security team: +1

** Affects: pciutils (Ubuntu)
     Importance: Low
     Assignee: Eric Desrochers (slashd)
         Status: In Progress

** Affects: pciutils (Ubuntu Trusty)
     Importance: Undecided
         Status: New

** Affects: pciutils (Ubuntu Xenial)
     Importance: Undecided
         Status: New

** Affects: pciutils (Ubuntu Bionic)
     Importance: Undecided
         Status: New

** Affects: pciutils (Ubuntu Cosmic)
     Importance: Undecided
         Status: New

** Changed in: pciutils (Ubuntu)
     Assignee: (unassigned) => Eric Desrochers (slashd)

** Changed in: pciutils (Ubuntu)
   Importance: Undecided => Low

** Changed in: pciutils (Ubuntu)
       Status: New => In Progress

** Also affects: pciutils (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Also affects: pciutils (Ubuntu Cosmic)
   Importance: Undecided
       Status: New

** Also affects: pciutils (Ubuntu Trusty)
   Importance: Undecided
       Status: New

** Also affects: pciutils (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Summary changed:

- drop "update-pciids" for security reasons
+ stop shipping "update-pciids"

https://bugs.launchpad.net/bugs/1815237

Title:
  stop shipping "update-pciids"

Status in pciutils package in Ubuntu:
  In Progress
Status in pciutils source package in Trusty:
  New
Status in pciutils source package in Xenial:
  New
Status in pciutils source package in Bionic:
  New
Status in pciutils source package in Cosmic:
  New
