Your message dated Thu, 10 Dec 2009 07:32:48 +0100
with message-id <8b2d7b4d0912092232k253422a2s84e12db29a0a2...@mail.gmail.com>
and subject line Package removed from Debian
has caused the Debian Bug report #545245,
regarding no hashsum checks of downloaded content, thus allowing downloading and installation of malicious content
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
545245: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=545245
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: em8300
Version: 0.16.4-4
Severity: critical
Tags: security

Hi.

I'm currently looking at Debian packages which download and install files from the internet (as their main content), to see whether they check the validity of these files.

This package does not make any hashsum check (e.g. SHA512, which should probably be used) or fail installation if the hashes don't match.
That's why I've marked this bug as security critical.

This is especially important, as this package adds executable contents.

May I suggest the following:
1) Ship SHA512 sums of the downloaded content with your package (perhaps after you make some (at least rudimentary) checks for malicious contents).

2) Check whether this matches with the sums of the downloaded files.

3) In case of mismatches, installation should fail, and all already downloaded/installed files should be removed.


Thanks and best wishes,
Chris.

--- End Message ---
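The three-step procedure the report proposes (ship SHA512 sums with the package, verify the downloaded files against them, and on any mismatch fail the installation and remove what was downloaded), written out as an added POSIX sh example. This is not code from the bug report or from the em8300 package; the staging-directory layout, the file names, the `SHA512SUMS` file format (the output of sha512sum(1)) and the `demo` function are all assumptions made for illustration. The design choice worth noting is that files are downloaded into a staging directory and verified as a batch before anything is moved into the install location, so step 3 (cleanup) never has to undo a partial install.

```shell
#!/bin/sh
# Added example, not em8300 code. Assumed layout:
#   SUMS   - SHA512SUMS shipped inside the .deb, in sha512sum(1) format ("<hex>  <name>")
#   STAGE  - temporary directory the downloads land in
#   DEST   - final install directory, written only after every file verifies
set -u

# verify_staged STAGE SUMS
# Compare every file listed in SUMS with its copy in STAGE. A missing file or a
# differing SHA-512 fails the whole batch. Returns 0 on success, 1 on failure.
verify_staged() {
    stage=$1
    sums=$2
    status=0
    while read -r expected name; do
        [ -n "$name" ] || continue
        if [ ! -f "$stage/$name" ]; then
            echo "missing: $name" >&2
            status=1
            continue
        fi
        actual=$(sha512sum "$stage/$name" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "checksum mismatch: $name" >&2
            status=1
        fi
    done < "$sums"
    return $status
}

# install_verified STAGE SUMS DEST
# Move the staged files into DEST only if all of them verify; otherwise wipe the
# staging directory so no unverified content is left behind (step 3 of the report).
install_verified() {
    stage=$1
    sums=$2
    dest=$3
    if verify_staged "$stage" "$sums"; then
        mkdir -p "$dest"
        while read -r _ name; do
            [ -n "$name" ] || continue
            mv "$stage/$name" "$dest/$name"
        done < "$sums"
        rmdir "$stage" 2>/dev/null || true
        return 0
    fi
    rm -rf "$stage"
    return 1
}

# demo [TAMPER]
# Builds a constructed "download" in a temp dir and runs the flow. With TAMPER=1
# one file is altered after the sums were recorded, simulating a bad download.
# Prints "<exit code> <files left on disk>" so the outcome can be checked.
demo() {
    tamper=${1:-0}
    work=$(mktemp -d)
    stage=$work/stage
    dest=$work/install
    mkdir -p "$stage"
    # Constructed sample payload standing in for the real downloaded content.
    printf 'firmware blob v1\n' > "$stage/firmware.bin"
    printf 'helper script\n' > "$stage/helper.sh"
    # The package would ship this file; here it is generated from the good files.
    ( cd "$stage" && sha512sum firmware.bin helper.sh ) > "$work/SHA512SUMS"
    if [ "$tamper" = 1 ]; then
        printf 'firmware blob v2\n' > "$stage/firmware.bin"   # simulated tampering
    fi
    if install_verified "$stage" "$work/SHA512SUMS" "$dest"; then
        rc=0
    else
        rc=1
    fi
    # Count payload files still present anywhere under the work dir.
    leftover=$(find "$work" -type f ! -name SHA512SUMS | wc -l | tr -d ' ')
    rm -rf "$work"
    echo "$rc $leftover"
}
```

Running `demo 0` installs both files and reports `0 2`; `demo 1` detects the altered file, removes the staging directory before anything reaches the install location, and reports `1 0`. In a real maintainer script the `demo` wrapper would be replaced by the actual download step feeding `install_verified`.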
--- Begin Message ---
Version: 0.16.4-4+rm

Package removed from Debian: http://bugs.debian.org/553690

-- 
Sandro Tosi (aka morph, morpheus, matrixhasu)
My website: http://matrixhasu.altervista.org/
Me at Debian: http://wiki.debian.org/SandroTosi


--- End Message ---