Your message dated Sun, 06 Sep 2009 01:32:38 +0100
with message-id <1252197158.3494.22.ca...@localhost>
and subject line Re: Bug#545246: no hashsum checks of downloaded content, thus 
allowing downloading and installation of malicious content
has caused the Debian Bug report #545246,
regarding no hashsum checks of downloaded content, thus allowing downloading 
and installation of malicious content
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
545246: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=545246
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: rt73-common
Version: 1:1.0.3.6-cvs20090424-dfsg1-1
Severity: critical
Tags: security

Hi.

I'm currently looking at Debian packages which download and install files from the internet (as their main content), to check whether they verify the validity of these files.

This package does not make any hashsum check (e.g. SHA512, which should probably be used) and does not fail the installation if the hashes don't match.
That's why I've marked this bug as security critical.

This is especially important, as this package adds executable content, at least if the user invokes update-rt73-firmware.

May I suggest the following:
1) Ship SHA512 sums of the downloaded content with your package (perhaps after you make some (at least rudimentary) checks for malicious content).

2) Check whether these match the sums of the downloaded files.

3) In case of mismatches, installation should fail, and all already downloaded/installed files should be removed.


Thanks and best wishes,
Chris.

--- End Message ---
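The three-step procedure proposed in the report (ship a SHA512 sum, compare it against the download, fail and remove the file on mismatch), as an added shell example. This is not the rt73-common package's own update-rt73-firmware script; the function name fw_verify, the sums-file layout (the two-column "<digest>  <filename>" format that sha512sum itself produces) and the firmware blob used in the demonstration are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the rt73-common package.
# fw_verify SUMSFILE FILE
#   SUMSFILE holds lines in sha512sum format: "<hex digest>  <filename>",
#   shipped inside the package rather than fetched alongside the download.
#   Returns 0 and keeps FILE when the digest matches; otherwise deletes
#   FILE and returns 1 so the caller can abort the installation.
fw_verify() {
    sumsfile=$1
    file=$2
    name=$(basename "$file")
    # Look up the digest shipped for this filename; no entry is a failure too,
    # otherwise an attacker could serve a file the package never vouched for.
    expected=$(awk -v n="$name" '$2 == n { print $1; exit }' "$sumsfile")
    if [ -z "$expected" ]; then
        echo "no shipped SHA512 sum for $name; refusing to install" >&2
        rm -f "$file"
        return 1
    fi
    actual=$(sha512sum "$file" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "SHA512 mismatch for $name; removing download" >&2
        rm -f "$file"
        return 1
    fi
    return 0
}

# Offline demonstration with a constructed "firmware" blob (hypothetical
# filename rt73.bin): first a good download, then a tampered one.
fw_demo() {
    dir=$(mktemp -d)
    printf 'constructed firmware blob\n' > "$dir/rt73.bin"
    # The package would ship this sums file; here it is generated from the
    # known-good blob to stand in for the packager's step 1.
    (cd "$dir" && sha512sum rt73.bin > rt73.sha512)

    result=""
    if fw_verify "$dir/rt73.sha512" "$dir/rt73.bin"; then
        result="ok"
    else
        result="bad"
    fi

    # Simulate a download altered in transit (e.g. on a plain-HTTP fetch).
    printf 'tampered firmware blob\n' > "$dir/rt73.bin"
    if fw_verify "$dir/rt73.sha512" "$dir/rt73.bin" 2>/dev/null; then
        result="$result accepted"
    else
        result="$result rejected"
    fi
    if [ -e "$dir/rt73.bin" ]; then
        result="$result kept"
    else
        result="$result removed"
    fi
    rm -rf "$dir"
    echo "$result"
}
```

Two caveats follow from the design: the sums file must come from the package (the signed Debian archive), not from the same untrusted server as the firmware, or it verifies nothing; and a fixed digest only covers the exact version the packager hashed, which is why an updater that fetches "whatever is newest" cannot be protected this way without an upstream signature or per-version digest.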
--- Begin Message ---
On Sun, 2009-09-06 at 00:57 +0200, Christoph Anton Mitterer wrote:
> Package: rt73-common
> Version: 1:1.0.3.6-cvs20090424-dfsg1-1
> Severity: critical
> Tags: security
> 
> Hi.
> 
> I'm currently looking at Debian packages which download and install  
> files from the internet (as their main content), to check whether they  
> verify the validity of these files.
> 
> This package does not make any hashsum check (e.g. SHA512, which  
> should probably be used) and does not fail the installation if the hashes don't match.
> That's why I've marked this bug as security critical.
> 
> This is especially important, as this package adds executable content,  
> at least if the user invokes update-rt73-firmware.
> 
> May I suggest the following:
> 1) Ship SHA512 sums of the downloaded content with your package  
> (perhaps after you make some (at least rudimentary) checks for  
> malicious content).
> 
> 2) Check whether these match the sums of the downloaded files.
> 
> 3) In case of mismatches, installation should fail, and all already  
> downloaded/installed files should be removed.

There is already a packaged version of the rt73 firmware in
firmware-ralink.  update-rt73-firmware provides a convenient way to
download and install a newer, unpackaged version.  Unfortunately there
is no way to verify an arbitrary new version of the firmware.

Ben.

-- 
Ben Hutchings
Power corrupts.  Absolute power is kind of neat.
                           - John Lehman, Secretary of the US Navy 1981-1987

--- End Message ---