Date: Tue, 16 Jun 2015 00:49:31 -0400
From: Michael Gilbert <mgilbert@...ian.org>
To: Christoph Anton Mitterer <calestyo@...entia.net>, 786909@...s.debian.org
Cc: oss-security@...ts.openwall.com
Subject: Re: Bug#786909: chromium: unconditionally downloads binary blob

On Mon, Jun 15, 2015 at 11:16 PM, Christoph Anton Mitterer wrote:
> Shouldn't we see a DSA following this incident?
>
> Since no one really knows which binaries have been downloaded there and
> what they actually do, and since it cannot be excluded that it was
> actually executed, such systems are basically to be considered
> compromised.
>
> Quite a deal of people choose open source just to prevent that - get
> untrustworthy / unverifiable code run on their systems - failed.
>
>
> And to be quite honest, I seriously consider the good faith of such an
> upstream which does these kinds of things and wonder whether it can be
> considered trustworthy enough to be part of Debian or whether it should
> be banned from it.
> More or less silently bundling proprietary code with open source
> software (especially but not only when enabled per default) can already
> be considered quite bad behaviour.
>
> But basically secretly downloading it leads to the question of possible
> malicious intent (and everyone knows that Google&Co. do voluntarily
> and/or forcibly cooperate with NSA and friends).
> And I guess no one can prove that this blob didn't contain any rootkit,
> and even if - the rootkit'ed version may have been just distributed to
> certain people.
> The downloading makes it more or less impossible for the admin/user and
> especially for our maintainers to notice what's happening here
> (otherwise they'd need to audit every line of code for any such
> occasions).
>
>
> And even if the blob wasn't evil: while I haven't looked at the code, I
> wouldn't even be surprised if the downloading itself is done
> insecurely.
>
>
> Worse, chromium isn't the only such rootkit-downloader,... this happens
> - to my taste - far too often in recent times,.. e.g. FF which secretly
> downloaded the OpenH264 blob.

Barring the obtusely incorrect rootkit miscategorization, oss-sec is a
far better venue for discussion since Debian is not the only
distribution that includes chromium 43.

Best wishes,
Mike
