Package: smartmontools
Version: 7.4-1
Severity: grave
Tags: security
Justification: user security hole
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
Hey.

The most recent upgrade forces people to use update-smart-drivedb by doing it already in the postinst and not leaving it up to the user whether he wants to use such a tool.

Security-wise this is really a bad idea. Downloader packages (i.e. packages that install further code from outside Debian) - and this is effectively just that - are generally questionable. Even if the downloader tool does everything right (which is actually quite difficult if one assumes things like replay or blocking attacks), there's still code introduced which is not in the control of Debian and especially also outside security support.

Now you may argue that Debian doesn't audit the drivedb.h it ships either and that thus security wouldn't be any better if Debian would just ship the upstream file. But there's still a difference: if Debian ships the package, then all installations are guaranteed to get the same file. So an attacker would need to attack all installations at the same time and thus be far more likely to be detected. If however the package is downloaded from some remote server, an attacker can choose based on IP whether the "good" or the "evil" file is delivered.

And this is not to say that I'd assume smartmontools upstream would be evil. But even their GPG keys or systemd can be compromised.

The package already has the update-smart-drivedb tool; if people are confident with using it, they can do so. But please don't force it on everyone by unconditionally calling it from postinst (or from anywhere else).

Cheers,
Chris.