Re: How to securely verify that package-installed files match originals?

2021-01-14 Thread Georgi Guninski
On Thu, Jan 14, 2021 at 12:57 PM Erik Poupaert  wrote:
>

> So, I mount the disk of this computer as folder /mnt/audit in my second 
> computer, which I still trust. Now, I want to audit the installation foot 
> print of dpkg in /mnt/audit from this second computer.
>
As pointed out by others, integrity of checksums doesn't guarantee lack of
a backdoor, since the backdoor can be in other places, not seen by
mount(8).



Merry Christmas and please fix the bugs in 2021!

2020-12-24 Thread Georgi Guninski
Merry Christmas and all the best in 2021!
Please fix the chromium and other vulnerabilities in 2021.



Re: fun with mailinglists (was Re: Is chromium updated?)

2020-11-13 Thread Georgi Guninski
On Fri, Nov 13, 2020 at 12:27 PM John Runyon  wrote:
>
> Imagine calling yourself a “Debian contributor” because you... reported a few 
> bugs? Guess I’m a Debian contributor too.
>
I was wrong about being _contributor_, sorry (misunderstood
the definition).



Re: Is chromium updated?

2020-11-13 Thread Georgi Guninski
On Fri, Nov 13, 2020 at 10:21 AM Pavlos Ponos  wrote:
> BUT we should not forget to say a THANK YOU to these guys which give their 
> best in order all of us to use this OS for free ;-)

I believe I am a debian contributor too; search in google for:
"georgi guninski" site:debian.org

Definitely won't say "thank you" to some entity which gives
me a long unpatched important component like a web browser.

It is like saying "thank you" to someone who gives
you free licensed Windows XP, lol.



Re: Is chromium updated?

2020-11-12 Thread Georgi Guninski
So debian are distributing vulnerable Chromium for nearly
a month? There is an exploit (not sure about which OSes) in the
wild.

Debian are not commenting on this on this mailing list.

Right?



Re: /home/loser is with permissions 755, default umask 0022

2020-11-12 Thread Georgi Guninski
Some more exploit vectors from the FD list:
https://seclists.org/fulldisclosure/2020/Nov/13

Partial results:

1. mutt (text email client) exposes ~/.mutt/muttrc,
which might contain the imap password in plaintext.

2. Some time ago on a multiuser debian mirror we found a lot of data,
including the wordpress password of the admin.

3. Anything created by EDITOR NEWFILE is readable, unless the directory
prevents it. This includes root doing EDITOR /etc/NEWFILE



Re: Is chromium updated?

2020-11-11 Thread Georgi Guninski
On Wed, Nov 11, 2020 at 9:46 PM  wrote:
>

> Regarding CVE-2020-16009 , it 
> seems that some distros like Arch [1] have already updated their chromium 
> packages but no Debian yet. Right?
>

Right.

> Is it just a matter of extracting the security fix from 86.0.4240.183, 
> packaging it accordingly and pushing in a new version in Debian repositories?
>

There is more than one vulnerability to fix.

I have about 10 years experience consulting Mozilla for
their browsers and I recommend Debian to update to
the closest to Chromium stable. Definitely not all security
bugs get a CVE and some CVEs are "multiple vulnerabilities in X".



Re: Is chromium updated?

2020-11-11 Thread Georgi Guninski
On Thu, Nov 12, 2020 at 2:15 AM Lou Poppler  wrote:
>
> You can follow debian's progress on this here:
>
> https://security-tracker.debian.org/tracker/CVE-2020-16009
>

Hi, thanks for the link.
I think your advice is incomplete and we should monitor
the union of all vulnerabilities and CVEs, not just one. There was a similar
link in this thread, check it.



Re: Is chromium updated?

2020-11-11 Thread Georgi Guninski
On Mon, Nov 9, 2020 at 6:31 PM Georgi Naplatanov  wrote:
> Chromium project doesn't provide
> binaries for any OS.
>

Aren't these trustworthy daily builds?:

https://download-chromium.appspot.com/



FYI: Ransomware trojan targets gnu/linux

2020-11-10 Thread Georgi Guninski
https://www.theregister.com/2020/11/09/linux_ransomware_kaspersky/
RansomEXX trojan variant is being deployed against Linux systems,
warns Kaspersky, Mon 9 Nov 2020

Comments:

gnu/linux has enough userbase to be targeted by malware.
probably it will work in the cloud too.

consider contracting me for gnu/linux security:
CV:  https://j.ludost.net/resumegg.pdf



Re: Is chromium updated?

2020-11-08 Thread Georgi Guninski
https://www.theregister.com/2020/11/04/google_chrome_critical_updates/

Wed 4 Nov 2020
If you're an update laggard, buck up: Chrome zero-days are being
exploited in the wild

Desktop and Android versions both at risk

On Sat, Oct 17, 2020 at 9:31 PM  wrote:
>
> Hi,
>
> 17 oct. 2020 à 14:28 de ggunin...@gmail.com:
>
> > On Debian stable, I have chromium Version: 83.0.4103.116-1~deb10u3
> >
> > From Arch advisory on 2020-10-10:
> > The package chromium before version 86.0.4240.75-1 is vulnerable to
> > multiple issues including arbitrary code execution, access restriction
> > bypass, information disclosure and insufficient validation.
> > https://lists.archlinux.org/pipermail/arch-security/2020-October/001608.html
> >
> > Is Debian's chromium vulnerable now?
> >
> I would say yes for the time being indeed: 
> https://security-tracker.debian.org/tracker/source-package/chromium
> See "vulnerable" in 2nd column for CVE-2020-15967 to CVE-2020-15992 + 
> CVE-2020-6557
>
> Best regards,
> l0f4r0
>



Is chromium updated?

2020-10-17 Thread Georgi Guninski
On Debian stable, I have chromium Version: 83.0.4103.116-1~deb10u3

From Arch advisory on 2020-10-10:
The package chromium before version 86.0.4240.75-1 is vulnerable to
multiple issues including arbitrary code execution, access restriction
bypass, information disclosure and insufficient validation.
https://lists.archlinux.org/pipermail/arch-security/2020-October/001608.html

Is Debian's chromium vulnerable now?



/home/loser is with permissions 755, default umask 0022

2020-10-07 Thread Georgi Guninski
/home/loser is with permissions 755, default umask 0022

on multiuser machines this sucks much.

on a multiuser debian mirror we found a lot of data,
including the wordpress password of the admin.
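The partial results above (mutt's muttrc, anything created by EDITOR NEWFILE) and this post come down to the same two permission bits: a home directory that others can enter (o+x) and a umask that leaves o+r on every new file. The following C program is an added example, not code from the thread or from Debian. It builds a constructed fixture under /tmp with hypothetical names (a home called "loser", an rc file called "muttrc"), shows the mode a 0666 create request (what shells and editors ask for) ends up with under umask 0022 versus 0027 and 0077, and counts how many entries another user could actually read inside a 0755 home versus a 0750 one.

```c
/* Added example, not from the mailing list: umask and home-directory
 * permission demo. Fixture paths and names are constructed for the demo. */
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a file with a 0666 request under umask um (what editors and
 * shells do) in a fresh constructed temp dir; return its permission bits,
 * or -1 on error. The fixture is removed again before returning. */
int mode_under_umask(mode_t um)
{
    char root[64], path[80];
    struct stat st;
    int fd, mode = -1;
    snprintf(root, sizeof root, "/tmp/umask-demo-%ld", (long)getpid());
    if (mkdir(root, 0700) != 0) return -1;
    snprintf(path, sizeof path, "%s/newfile", root);
    mode_t old = umask(um);
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0666);
    umask(old);                               /* restore caller's umask */
    if (fd >= 0) {
        close(fd);
        if (stat(path, &st) == 0) mode = (int)(st.st_mode & 0777);
        unlink(path);
    }
    rmdir(root);
    return mode;
}

/* 1 if any other user can read the entry (or enter it, for a directory),
 * 0 if not, -1 if it cannot be stat()ed. */
int world_accessible(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    if (st.st_mode & S_IROTH) return 1;
    if (S_ISDIR(st.st_mode) && (st.st_mode & S_IXOTH)) return 1;
    return 0;
}

/* Count entries directly under dir that other users can read or enter. */
int count_world_accessible(const char *dir)
{
    DIR *d = opendir(dir);
    struct dirent *e;
    char path[4096];
    int n = 0;
    if (!d) return -1;
    while ((e = readdir(d)) != NULL) {
        if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0) continue;
        snprintf(path, sizeof path, "%s/%s", dir, e->d_name);
        if (world_accessible(path) == 1) n++;
    }
    closedir(d);
    return n;
}

/* Build a constructed home with mode dir_mode, drop one rc file into it
 * under umask um, and return how many of its entries another user could
 * actually read: 0 when the home itself keeps others out (no o+x). */
int exposed_in_home(mode_t dir_mode, mode_t um)
{
    char root[64], home[80], rc[96];
    int fd, exposed = -1;
    snprintf(root, sizeof root, "/tmp/home-demo-%ld", (long)getpid());
    if (mkdir(root, 0700) != 0) return -1;
    snprintf(home, sizeof home, "%s/loser", root);  /* constructed name */
    snprintf(rc, sizeof rc, "%s/muttrc", home);      /* constructed name */
    if (mkdir(home, 0700) == 0 && chmod(home, dir_mode) == 0) {
        mode_t old = umask(um);
        fd = open(rc, O_WRONLY | O_CREAT | O_EXCL, 0666);
        umask(old);
        if (fd >= 0) {
            close(fd);
            exposed = (dir_mode & S_IXOTH) ? count_world_accessible(home) : 0;
            unlink(rc);
        }
        rmdir(home);
    }
    rmdir(root);
    return exposed;
}

int main(void)
{
    printf("umask 0022 -> new file mode %04o\n", mode_under_umask(0022));
    printf("umask 0027 -> new file mode %04o\n", mode_under_umask(0027));
    printf("home 0755, umask 0022: %d entries readable by others\n", exposed_in_home(0755, 0022));
    printf("home 0750, umask 0022: %d entries readable by others\n", exposed_in_home(0750, 0022));
    printf("home 0755, umask 0077: %d entries readable by others\n", exposed_in_home(0755, 0077));
    return 0;
}
```

Compile with cc and run as an ordinary user. The 0755/0022 line is the default situation the post describes; the 0750 line is what chmod 750 on the home directory gives, which protects even the files that were already created world-readable, while a tighter umask only helps for files created from then on. For accounts created later, Debian's adduser reads the directory mode from DIR_MODE in /etc/adduser.conf (an adduser setting, not something mentioned in the thread).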



Some potential security bugs in djbdns 1.05

2020-06-04 Thread Georgi Guninski
Some potential security bugs in djbdns 1.05, we didn't test them
on hardware.

djbdns [1] is an "ancient" dns server.

It still has a $1K bounty for an exploit [2].

Are these bugs vulnerabilities?

in cdb_make.c:
cdb_make_finish:

   100  memsize += c->numentries; /* no overflow possible up to now */
   101  u = (uint32) 0 - (uint32) 1;
   102  u /= sizeof(struct cdb_hp);
   103  if (memsize > u) { errno = error_nomem; return -1; }
   104
   105  c->split = (struct cdb_hp *) alloc(memsize * sizeof(struct cdb_hp));
   106  if (!c->split) return -1;
   107
   108  c->hash = c->split + c->numentries;
   109
   110  u = 0;
   111  for (i = 0;i < 256;++i) {
   112    u += c->count[i]; /* bounded by numentries, so no overflow */
   113    c->start[i] = u;
   114  }

Issue 1:  On line 105 alloc(-SMALL) overflows alloc() despite the check for
overflow on 103, e.g.
   memsize = ((unsigned int) -1) / sizeof(struct cdb_hp)

In alloc.c:
/*@null@*//*@out@*/char *alloc(n)
unsigned int n;
{
  char *x;
[A]  n = ALIGNMENT + n - (n & (ALIGNMENT - 1)); /* XXX: could overflow */
  if (n <= avail) { avail -= n; return space + avail; }

[A] overflows at least for -16 <= n <= -1.

This integer overflow might be mitigated by memory limits.

In query.c:

Issue 2:  There are several usages:
   uint16_unpack_big(header + 8,&datalen);
   pos += datalen;

There appears to be no check that datalen doesn't overflow the buffer,
leading past the end.

[1] https://cr.yp.to/djbdns.html
[2] https://cr.yp.to/djbdns/guarantee.html
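An added example, not djbdns code, that reruns the arithmetic of Issue 1 in 32-bit unsigned integers: the check on line 103, the byte count alloc() receives on line 105 for the largest memsize that check lets through, the rounding on line [A] as written, and the guard a hardened alloc() would need in front of it. It assumes ALIGNMENT is 16 and sizeof(struct cdb_hp) is 8 (two uint32 fields); neither value is stated in the post.

```c
/* Added example, not from djbdns: the Issue 1 arithmetic in 32-bit unsigned
 * integers. ALIGNMENT and sizeof(struct cdb_hp) are assumed values. */
#include <stdint.h>
#include <stdio.h>

#define ALIGNMENT   16u   /* assumed value of djbdns alloc.c's ALIGNMENT */
#define CDB_HP_SIZE 8u    /* assumed sizeof(struct cdb_hp): two uint32 fields */

/* The check on line 103 of cdb_make_finish(): memsize is accepted when
 * memsize * sizeof(struct cdb_hp) fits in 32 bits. Returns 1 when the
 * check lets memsize through, 0 when it returns error_nomem. */
int line103_accepts(uint32_t memsize)
{
    uint32_t u = (uint32_t)0 - (uint32_t)1;   /* 0xFFFFFFFF, as on line 101 */
    u /= CDB_HP_SIZE;                         /* line 102 */
    return memsize <= u;                      /* negation of line 103's test */
}

/* The byte count alloc() receives on line 105 for the largest memsize that
 * line 103 accepts. The product itself does not wrap: 0xFFFFFFF8. */
uint32_t largest_accepted_request(void)
{
    uint32_t memsize = UINT32_MAX / CDB_HP_SIZE;
    return memsize * CDB_HP_SIZE;
}

/* Line [A] of alloc(), exactly as written, evaluated in 32-bit unsigned
 * arithmetic. Every n in [0xFFFFFFF0, 0xFFFFFFFF] wraps to 0, which is the
 * -16 <= n <= -1 range from the post. */
uint32_t alloc_round_as_written(uint32_t n)
{
    return ALIGNMENT + n - (n & (ALIGNMENT - 1));
}

/* Guard a hardened alloc() would apply before the rounding: the rounded
 * value exceeds 32 bits exactly when n is within ALIGNMENT of UINT32_MAX. */
int alloc_round_would_wrap(uint32_t n)
{
    return n > UINT32_MAX - ALIGNMENT;
}

/* What the `if (n <= avail)` branch of alloc() does with the rounded value:
 * returns the number of bytes reserved from the static arena, or -1 when the
 * request does not fit there. A request that wrapped to 0 always "fits", so
 * a pointer into the arena comes back for what was a ~4 GB request. */
int64_t bytes_reserved_by_alloc(uint32_t request, uint32_t avail)
{
    uint32_t n = alloc_round_as_written(request);
    if (n <= avail) return (int64_t)n;
    return -1;
}

int main(void)
{
    uint32_t memsize = UINT32_MAX / CDB_HP_SIZE;
    uint32_t req = largest_accepted_request();
    printf("line 103 accepts memsize %lu: %d\n",
           (unsigned long)memsize, line103_accepts(memsize));
    printf("alloc() request on line 105: 0x%08lx, after line [A]: 0x%08lx\n",
           (unsigned long)req, (unsigned long)alloc_round_as_written(req));
    printf("bytes reserved from a 4096-byte arena: %lld\n",
           (long long)bytes_reserved_by_alloc(req, 4096u));
    printf("guard flags the request: %d\n", alloc_round_would_wrap(req));
    return 0;
}
```

The point the numbers make: line 103 bounds the product memsize * sizeof(struct cdb_hp), but alloc() rounds its argument up by as much as ALIGNMENT before comparing against avail, so the bound has to be tightened by ALIGNMENT (or the rounding guarded as in alloc_round_would_wrap) for the two checks to agree.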



Mitigating malicious packages in gnu/linux

2019-11-19 Thread Georgi Guninski
As an end user and contributor of gnu/linux, I am concerned about malicious
packages (either hostile developers or hacked developers or another reason)
and have two questions:

* What do linux vendors do to avoid malicious packages?

* As an end user, what can I do to mitigate malicious packages?

Some thoughts and rants:

1. This already happened in 2003 with the micq package in debian:  unnoticed
easter egg causing DOS, see [1].

2. This already happened to Redhat in 2008? see [5], Red Hat OpenSSH Backdoor
Vulnerability

3. In 2015 Microsoft issued weird update, see [6],[7].

4. Portable malware in portable languages (Java, Javascript), taking the
worst from windoze.

5. Google play. Google play has about 2.8M packages [2] for android. Debian
has about 31K packages [3] XXXold_stat. To our surprise google play is only
about 90 times bigger than debian per number of packages, and the metric
is unclear for size of binary packages or lines of code. Google scans for
malware, not sure how effective this is. Google's permissions of applications
are a mitigating factor.

6. The art of backdooring: a sufficiently sophisticated backdoor is
indistinguishable from secure code, see Obfuscation contest [4].

7. Getting root vs reading $HOME vs euid == DAEMON. Getting root is important,
but there is more of interest in the user's $HOME.

[1](https://lists.debian.org/debian-devel/2003/02/msg00771.html)
[2](https://www.statista.com/statistics/266210/number-of-available-applications-in-the-google-play-store/)
[3](https://sources.debian.org/stats/)
[4](https://ioccc.org/)
[5](https://www.securityfocus.com/bid/30794/info)
[6](https://j.ludost.net/blog/archives/2015/10/03/cheers_windows_admins_did_the_weird_garbled_windows_7_update_contains_message_to_microsoft/index.html)
[7](https://j.ludost.net/blog/archives/2015/10/02/cheers_windows_admins_weird_garbled_windows_7_update/index.html)

-- 
CV:    https://j.ludost.net/resumegg.pdf
site:  http://www.guninski.com
blog:  https://j.ludost.net/blog



Does net install cryptographically verify downloaded data?

2018-07-05 Thread Georgi Guninski
Does net install cryptographically verify downloaded data?

Searching the iso for gpg/keyrings didn't return any results for me.