Control: tag -1 + upstream confirmed

Hi,

Iustin Pop is working on this, and finding a solution together with upstream:
https://github.com/ndmitchell/hoogle/issues/76

Greetings,
Joachim

On Monday, 28.07.2014, 23:02 +0200, Evgeny Kapun wrote:
> Package: hoogle
> Version: 4.2.33-1+b1
> Severity: critical
> Tags: security
>
> During configuration, the hoogle postinst script attempts to download a file from
> the URL <http://hackage.haskell.org/packages/hoogle.tar.gz> and subsequently
> unpack it. Moreover, the integrity of this file is not verified.
>
> This leads to the following possible attacks:
> * An attacker controlling the user's network connection may indefinitely
> delay the configuration of the hoogle package by supplying data at a very low
> rate, even if the package files themselves are available from a local source.
> * The same attacker may supply bogus data instead of the file. This may not
> only lead to hoogle behaving in an erroneous manner, but may also lead to a
> full system compromise. For example, the archive may contain a malicious
> executable file marked SUID root, and a local unprivileged user (who also
> participates in the attack) may run this file after it is extracted. The
> archive may also contain symlinks and device nodes, which can also be used
> for attack.
> * The same attacker may supply a very large file, filling the system
> partition and achieving denial of service. He may also supply a small file
> which becomes very large after un-gzipping.
>
> My suggestion is that downloading files in a secure manner is hard, and
> maintainer scripts probably shouldn't be doing it.

-- 
Joachim "nomeata" Breitner
Debian Developer
nome...@debian.org | ICQ# 74513189 | GPG-Keyid: F0FBF51F
JID: nome...@joachim-breitner.de | http://people.debian.org/~nomeata
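The report above lists what an unverified, untrusted tar.gz can carry: setuid files, symlinks, device nodes, and small archives that expand without bound. As an added illustration (not code from the hoogle package or its postinst), the following checks a downloaded archive against a digest shipped with the package and walks its headers for exactly those member types before anything is extracted; `hoogle/default.hoo`, `hoogle/helper`, the 200 MiB cap and the sample archive are constructed for the example.

```python
import hashlib
import hmac
import io
import stat
import tarfile

MAX_TOTAL_BYTES = 200 * 1024 * 1024  # uncompressed-size cap; an assumed policy value


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_digest(data: bytes, expected_sha256: str) -> bool:
    # The expected digest must ship inside the .deb, not be fetched over the same channel.
    return hmac.compare_digest(sha256_hex(data), expected_sha256)


def unsafe_members(data: bytes, max_total: int = MAX_TOTAL_BYTES) -> list:
    """Return (member, reason) pairs for every entry that must not be extracted."""
    problems, total = [], 0
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for m in tar:  # inspects headers only; nothing is written to disk
            if m.issym() or m.islnk():
                problems.append((m.name, "symlink or hard link"))
            if m.isdev():
                problems.append((m.name, "device node"))
            if m.mode & (stat.S_ISUID | stat.S_ISGID):
                problems.append((m.name, "setuid/setgid bit"))
            total += m.size  # running total of declared sizes; stop before a small gzip expands past the cap
            if total > max_total:
                problems.append((m.name, "uncompressed size exceeds cap"))
                break
    return problems


def build_sample_archive() -> bytes:
    """Constructed sample: one benign file, one setuid binary, one symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        good = tarfile.TarInfo("hoogle/default.hoo")
        good.size = 5
        tar.addfile(good, io.BytesIO(b"hello"))
        suid = tarfile.TarInfo("hoogle/helper")
        suid.mode = 0o4755
        tar.addfile(suid)
        link = tarfile.TarInfo("hoogle/etc")
        link.type, link.linkname = tarfile.SYMTYPE, "/etc"
        tar.addfile(link)
    return buf.getvalue()
```

A postinst would refuse to unpack when `verify_digest` fails or `unsafe_members` returns anything; the rate-limiting attack in the report is not addressed here and still needs a download timeout.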