Date: Tue, 16 Jun 2015 00:49:31 -0400
From: Michael Gilbert <mgilbert@...ian.org>
To: Christoph Anton Mitterer <calestyo@...entia.net>, 786909@...s.debian.org
Cc: oss-security@...ts.openwall.com
Subject: Re: Bug#786909: chromium: unconditionally downloads binary blob

On Mon, Jun 15, 2015 at 11:16 PM, Christoph Anton Mitterer wrote:
> Shouldn't we see a DSA following this incident?
>
> Since no one really knows which binaries have been downloaded there and
> what they actually do, and since it cannot be excluded that it was
> actually executed, such systems are basically to be considered
> compromised.
>
> Quite a deal of people choose open source just to prevent that - get
> untrustworthy / unverifiable code run on their systems - failed.
>
>
> And to be quite honest, I seriously question the good faith of such an
> upstream which does these kinds of things and wonder whether it can be
> considered trustworthy enough to be part of Debian or whether it should
> be banned from it.
> More or less silently bundling proprietary code with open source
> software (especially but not only when enabled by default) can already
> be considered quite bad behaviour.
>
> But basically secretly downloading it leads to the question of possible
> malicious intent (and everyone knows that Google&Co. do voluntarily
> and/or forcibly cooperate with NSA and friends).
> And I guess no one can prove that this blob didn't contain any rootkit,
> and even if - the rootkit'ed version may have been just distributed to
> certain people.
> The downloading makes it more or less impossible for the admin/user and
> especially for our maintainers to notice what's happening here
> (otherwise they'd need to audit every line of code for any such
> occasions).
>
>
> And even if the blob wasn't evil: while I haven't looked at the code, I
> wouldn't even be surprised if the downloading itself is done
> insecurely.
>
>
> Worse, chromium isn't the only such rootkit-downloader... this happens
> - to my taste - far too often in recent times, e.g. FF which secretly
> downloaded the OpenH264 blob.

Barring the obtusely incorrect rootkit miscategorization, oss-sec is a
far better venue for discussion since Debian is not the only
distribution that includes chromium 43.

Best wishes,
Mike
