Package: sdic-gene95
Version: 2.1.3-22
Severity: important
User: debian...@lists.debian.org
Usertags: piuparts

Hi,

during a test with piuparts I noticed your package failed to install if
the only internet connectivity available is a proxy set via environment
variables {http,https,ftp}_proxy.

The postinst checks
  nc -w 3 -z www.namazu.org 80
(ignoring any proxy settings) before downloading the file with wget
(which would honour the proxy settings).

This seems to be the only package doing it this way.

And while we are at it:

* there is no validation of the downloaded file (e.g. comparison with a
known sha512 sum)
* the default download location is /tmp which is writable by everyone,
so everyone can place files with names expected by the postinst script
there. It does not look like these will be used, but their presence
will at least break package installation. And there may be a possibility
for symlink attacks and race conditions.

cheers,

Andreas

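As an added illustration (not code from the sdic-gene95 package or from this report), here is how a maintainer script could address the three points above: skip the direct nc probe when a `*_proxy` variable is set, verify the download against a known sha512 sum, and use a private mktemp directory instead of /tmp. The sum would be shipped with the package; the value used in the comments below is a placeholder.

```sh
#!/bin/sh
# Hardened sketch of a postinst download step (example only, not the package's code).
# Assumption: the package ships the expected sum, e.g. in
# /usr/share/sdic-gene95/gene95.sha512 (placeholder path, not from the report).
set -eu

# Only run the raw TCP probe when no proxy is configured: nc connects directly
# to the host and fails behind a proxy even though wget would succeed through it.
reachable() {
    host=$1; port=$2
    if [ -n "${http_proxy:-}" ] || [ -n "${https_proxy:-}" ] || [ -n "${ftp_proxy:-}" ]; then
        return 0   # defer to wget, which honours the *_proxy variables
    fi
    nc -w 3 -z "$host" "$port"
}

# Compare a file's sha512 sum with the expected value; returns 1 on mismatch.
verify_sha512() {
    file=$1; expected=$2
    actual=$(sha512sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Download into a freshly created private directory rather than world-writable
# /tmp, so files or symlinks pre-placed by other users cannot interfere, then
# refuse to install anything whose checksum does not match.
fetch_and_verify() {
    url=$1; expected=$2; dest=$3
    workdir=$(mktemp -d)
    trap 'rm -rf "$workdir"' EXIT
    wget -q -O "$workdir/download" "$url"
    if ! verify_sha512 "$workdir/download" "$expected"; then
        echo "checksum mismatch for $url, not installing" >&2
        return 1
    fi
    mv "$workdir/download" "$dest"
}
```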