Tom Feiner wrote:
> Package: libgeoip1
> Version: 1.4.6.dfsg-12
> Severity: normal
> 
> Hi,
> 
> The example GeoIP database update scripts, located at
> /usr/share/doc/libgeoip1/examples/*.sh update the binary GeoIP databases
> from a potentially unsafe source, without validating the downloaded
> content, making it vulnerable at least to DNS spoofing, and probably
> some more related attacks.
> 
> I marked this bug as normal, as the default behavior of the package is
> not to use these scripts, but the fact that they exist in the package
> will cause people to use them and thus weaken the security of their
> machines.
> 
> See related bug in another package that also downloads content from the
> internet: http://bugs.debian.org/545241
> 
> As GeoIP is an important service, maybe we should offer debian built
> updates, which are built from source, just like the GeoIP.dat that is
> provided with the package upon installation, or maybe find some other
> secure solution.

Hello,

I really do not understand how checksums will help here.

Case 1:
Attacker injects DNS, the script will download the database AND the
checksums from the insecure location and the attacker isn't so stupid
and also corrects the checksums to match with his mal. geoip database.

Case 2:
Your secure location gets hacked.

Case 3:
Your location does not have to be secure, just the nameserver the
victim uses.


So I don't think that there is a good solution for it, or is there?


--
/*
Mit freundlichem Gruß / With kind regards,
 Patrick Matthäi
 GNU/Linux Debian Developer

E-Mail: pmatth...@debian.org
        patr...@linux-dev.org

Comment:
Always if we think we are right,
we were maybe wrong.
*/
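The checksum question the thread turns on, as an added example that is not from the bug report, the reply, or the libgeoip package: a local directory stands in for the download host, `make_mirror` and the two `verify_*` functions are constructed names, and the database contents are constructed samples, so nothing touches the network.

```shell
#!/bin/sh
# Added example (not from the bug thread or libgeoip): a checksum fetched
# from the same host as the download adds nothing, while a digest pinned on
# the client does. No network: a directory stands in for the mirror.
set -eu

# Publish a database plus its checksum file the way a mirror would.
# $1 = mirror directory, $2 = database content (constructed sample).
make_mirror() {
    mkdir -p "$1"
    printf '%s' "$2" > "$1/GeoIP.dat.gz"
    ( cd "$1" && sha256sum GeoIP.dat.gz > GeoIP.dat.gz.sha256 )
}

# Case 1 in the thread: the checksum file comes from the same host as the
# database, so whoever controls the host (or the victim's DNS) controls both.
verify_with_fetched_checksum() {          # $1 = mirror directory
    ( cd "$1" && sha256sum -c --status GeoIP.dat.gz.sha256 )
}

# Hardened variant: the expected digest is pinned on the client (for example
# shipped inside the package), so a swapped file cannot bring its own checksum.
# $1 = mirror directory, $2 = pinned sha256 hex digest.
verify_with_pinned_checksum() {
    actual=$(sha256sum "$1/GeoIP.dat.gz" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# Walk through a genuine mirror and one a spoofer controls.
demo() {
    work=$(mktemp -d)
    make_mirror "$work/good" "constructed: genuine GeoIP data"
    pinned=$(sha256sum "$work/good/GeoIP.dat.gz" | cut -d' ' -f1)
    # The spoofer simply re-publishes a matching checksum for the tampered file.
    make_mirror "$work/evil" "constructed: tampered GeoIP data"
    for m in good evil; do
        if verify_with_fetched_checksum "$work/$m"; then f=pass; else f=FAIL; fi
        if verify_with_pinned_checksum "$work/$m" "$pinned"; then p=pass; else p=FAIL; fi
        echo "$m mirror: fetched checksum=$f pinned checksum=$p"
    done
    rm -rf "$work"
}
demo
```

A pinned digest only fits a fixed release; for a database that changes on every update the same principle is kept by verifying a detached signature against a key shipped with the package rather than fetched from the mirror.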