On Wed, Dec 12, 2012 at 05:52:31PM +0000, adrelanos wrote:
> Since get-upstream-version.pl runs as root it can do anything.
>
> I don't accuse him personally for anything. But should he ever be
> compromised (forced, evil maid, etc...) it's very easy to mount a
> stealth attack.

I would worry more about Adobe's web site getting compromised. The
get-upstream-version.pl script fetches the link to the Flash player from
www.adobe.com and then the download page:

    open INPUT, "wget --user-agent=\"$user_agent\" -qO - $url |" or die;

It runs wget using the shell and there is basically no validation for
what $url contains. Even if taint mode was used, this would untaint the
value no matter what it happens to contain:

    $page =~ m,<a href="([^"]+)">Adobe Flash Player</a>,s
        or die "link to Adobe Flash Player not found on $url";
    my $link_to_flash = $1;

What would happen if the link happened to contain "; some nasty command"?

Given Adobe's security track record with their software products, I
would not trust their web site too much. In fact, I would not like to
run that kind of script against any normal corporate web site,
especially non-https one!

Archive: http://lists.debian.org/20121212191044.gd29...@seestieto.com
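
Added example (not part of the original message and not code from get-upstream-version.pl): one way to close the two gaps described above, by validating the extracted link before it is used and by running wget through list-form open so no shell parses the URL. The function names, the allowed-host set and the sample pages are assumptions constructed for illustration.

```perl
use strict;
use warnings;

# Assumption: the only host this script is expected to contact.
my %ALLOWED_HOST = map { $_ => 1 } qw(www.adobe.com);

# Return the URL only if it is http(s), on an allowed host, and built from
# a restricted character set (no spaces, quotes, ';', '|', '`' or '$').
# Under -T the capture untaints the value, but only after this strict match.
sub validate_url {
    my ($url) = @_;
    return unless defined $url
        && $url =~ m{\A(https?://([A-Za-z0-9.-]+)(?:/[A-Za-z0-9._~/%?=&+-]*)?)\z};
    my ($clean, $host) = ($1, lc $2);
    return $ALLOWED_HOST{$host} ? $clean : undef;
}

# Same extraction regex as quoted in the message, followed by validation.
sub extract_link {
    my ($page) = @_;
    return unless $page =~ m,<a href="([^"]+)">Adobe Flash Player</a>,s;
    return validate_url($1);
}

# Fetch a page with wget. The arguments are passed as a list, so wget is
# exec'ed directly and shell metacharacters in $url have no effect.
sub fetch {
    my ($user_agent, $url) = @_;
    my $safe = validate_url($url) or die "refusing URL: $url\n";
    local $ENV{PATH} = '/usr/bin:/bin';    # fixed PATH, the script runs as root
    open(my $in, '-|', 'wget', "--user-agent=$user_agent",
         '-qO', '-', '--', $safe) or die "cannot run wget: $!\n";
    local $/;                              # slurp the whole response
    my $page = <$in>;
    close($in) or die "wget failed\n";
    return $page;
}

# Constructed sample pages (not real Adobe content); no network access here.
my @pages = (
    '<a href="http://www.adobe.com/products/flashplayer/">Adobe Flash Player</a>',
    '<a href="http://www.adobe.com/x; some nasty command">Adobe Flash Player</a>',
    '<a href="http://example.invalid/flash">Adobe Flash Player</a>',
);
for my $page (@pages) {
    my $link = extract_link($page);
    print defined $link ? "accept: $link\n" : "reject\n";
}
```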