Package: smartmontools
Version: 6.3+svn4002-2+b3
Severity: important
Tags: security

Hi.

The update-smart-drivedb downloads unauthenticated data from the web (drive.h).

Put apart that it wouldn't be the first time that the corresponding parser has problems which may lead to exploits, even if it correctly parses everything and just the right syntax would be accepted, this could still be used to cause damage, namely when the respective SMART command mustn't be used with a specific drive. (There are apparently some which cause damage.)

I think update-smart-drivedb should be removed altogether from Debian, as it circumvents the package management system and thereby security support, which is generally bad. Instead, if there's a new drivedb.h, then a package update should be made.

But as long as there's no proper authentication (and I'm not talking about https), this should definitely go away.

Cheers,
Chris.
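
The report's point is that the downloaded database is installed with no check that is independent of the transport. As an added example (not part of the original report and not smartmontools code), the following fail-closed install step replaces the database only when the download matches a SHA-256 digest obtained over a separately authenticated channel. The function names and the digest file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: fail-closed install of a downloaded drive database.
# Hypothetical names: sha256_of, install_if_authentic, the digest file.

# sha256_of FILE -> prints the lowercase hex SHA-256 of FILE
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# install_if_authentic CANDIDATE DIGEST_FILE DEST
#   CANDIDATE   - file fetched from the network (untrusted)
#   DIGEST_FILE - expected SHA-256; assumed to arrive over a channel that is
#                 authenticated on its own (e.g. inside a signed package)
#   DEST        - database file currently in use
# Returns 0 and replaces DEST only on a digest match; otherwise returns 1
# and leaves DEST untouched.
install_if_authentic() {
    candidate=$1 digest_file=$2 dest=$3
    [ -f "$candidate" ] && [ -f "$digest_file" ] || return 1

    # Accept only a well-formed digest: exactly 64 hex characters.
    expected=$(head -n 1 "$digest_file" | cut -d' ' -f1 | tr 'A-F' 'a-f')
    case $expected in
        ""|*[!0-9a-f]*) return 1 ;;
    esac
    [ "${#expected}" -eq 64 ] || return 1

    # Copy first, then hash the copy: the bytes that were verified are the
    # bytes that get installed, even if CANDIDATE changes in the meantime.
    tmp="$dest.new.$$"
    cp "$candidate" "$tmp" || { rm -f "$tmp"; return 1; }
    actual=$(sha256_of "$tmp")
    # A failed hash yields an empty string, which never equals $expected.
    if [ "$actual" != "$expected" ]; then
        rm -f "$tmp"
        return 1
    fi

    # Rename within the same directory so readers see either the old or the
    # new database, never a partial file.
    mv "$tmp" "$dest"
}
```
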