Bug#656388: tucan: insecure update mechanism

2012-03-18 Thread Jonathan Wiltshire
Dear maintainer,

Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:

squeeze (6.0.6) - use target stable

Please prepare a minimal-changes upload targeting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track the progress of this request.

For details of this process and the rationale, please see the original
announcement [1] and my blog post [2].

0: debian-rele...@lists.debian.org
1: 201101232332.11736.th...@debian.org
2: http://deb.li/prsc

Thanks,

with his security hat on:
--
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51



-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#656388: tucan

2012-01-19 Thread Henri Salo
CVE-2012-0063 is assigned to this case.


Bug#656388: tucan: insecure update mechanism

2012-01-18 Thread A. N. Other
Package: tucan
Version: 0.3.9-1
Severity: grave
Tags: security
Justification: user security hole

Tucan comes with plugins to handle downloads from the various
download sites it supports. These plugins are basically python modules
which run with the same permissions as the user running tucan. The
tucan package comes with a set of such plugins in
/usr/share/default_plugins/, but it downloads updates of these plugins
via http/https and places them in ~/.tucan/plugins/. This means that
after an update, debian-packaged code is effectively replaced by code
directly from the upstream repository. This in itself is problematic,
but because the update mechanism is implemented in an insecure
fashion, a remote attacker could use it to introduce a malicious plugin
which executes arbitrary code with the permissions of the user running
tucan.

The plugins tucan downloads are unsigned, so a remote attacker could
introduce a plugin containing malicious code either by compromising
the remote sites where the plugins are stored, or by means of a
man-in-the-middle attack on the http/https connection from tucan to
the site holding the updates (tucan doesn't seem to check the server
certificate on SSL connections). Tools for automating this kind of
exploit exist, e.g. https://code.google.com/p/ippon-mitm/

The best way to address this problem is probably to disable the update
mechanism entirely in the debian package, and distribute updated
plugin files via apt. (Upstream might want to look into signing their updates,
and possibly making changes to the program's design so that the plugins
run in some kind of sandbox rather than with full user permissions.)


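A hardening sketch for the two weaknesses the report describes (no server certificate check, unsigned plugin code replacing packaged code), written as an added example and not taken from tucan or the Debian package: TLS is set up with verification on, and a plugin is written into the plugin directory only if its bytes match a digest pinned in a manifest that the update channel cannot rewrite. The plugin names, plugin bodies and manifest are constructed for the example.

```python
import hashlib
import hmac
import ssl
import tempfile
from pathlib import Path

# Constructed sample plugin bodies (not real tucan plugins).
GOOD_PLUGIN = b"def get_link(url):\n    return url\n"
TAMPERED_PLUGIN = GOOD_PLUGIN + b"# line injected in transit\n"

# Constructed manifest: file name -> SHA-256 hex digest. In a real fix this
# ships inside the .deb (or is signed by upstream), outside the update path.
PINNED_DIGESTS = {"example_site.py": hashlib.sha256(GOOD_PLUGIN).hexdigest()}


def make_tls_context() -> ssl.SSLContext:
    """Default context: CA chain and hostname are verified (unlike CERT_NONE)."""
    ctx = ssl.create_default_context()
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        raise RuntimeError("TLS verification has been disabled")
    return ctx


def verify_plugin(name: str, data: bytes, pinned=PINNED_DIGESTS) -> bool:
    """True only if the bytes match the digest pinned for this plugin name."""
    expected = pinned.get(name)
    if expected is None:
        return False                      # unknown plugin: never install
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected)


def install_plugin(name: str, data: bytes, plugin_dir: Path,
                   pinned=PINNED_DIGESTS) -> bool:
    """Write the plugin only after it verifies; reject names that leave the dir."""
    if name != Path(name).name or not name.endswith(".py"):
        return False
    if not verify_plugin(name, data, pinned):
        return False
    dest = plugin_dir / name
    tmp = dest.with_suffix(".tmp")
    tmp.write_bytes(data)
    tmp.replace(dest)                     # atomic: no half-written module is importable
    return True


def demo() -> dict:
    """Run the good, tampered and path-escape cases in a scratch directory."""
    with tempfile.TemporaryDirectory() as d:
        plugin_dir = Path(d)
        good = install_plugin("example_site.py", GOOD_PLUGIN, plugin_dir)
        tampered = install_plugin("example_site.py", TAMPERED_PLUGIN, plugin_dir)
        escape = install_plugin("../evil.py", GOOD_PLUGIN, plugin_dir)
        files = sorted(p.name for p in plugin_dir.iterdir())
        return {"good": good, "tampered": tampered, "escape": escape, "files": files}
```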