Date: Thu, 18 Jun 2015 20:19:02 -0400
From: Michael Gilbert <mgilbert@...ian.org>
To: Christoph Anton Mitterer <calestyo@...entia.net>
Cc: 786909@...s.debian.org, oss-security@...ts.openwall.com
Subject: Re: Bug#786909: chromium: unconditionally downloads binary blob

Since this made it to LWN [0] and Y Combinator [1] with an incredible
amount of misinformation, let's attempt a (hopefully) non-hyped
conversation about this, which unfortunately didn't happen a few days
ago.

On Tue, Jun 16, 2015 at 9:15 AM, Christoph Anton Mitterer wrote:
> On Tue, 2015-06-16 at 00:49 -0400, Michael Gilbert wrote:
>> Barring the obtusely incorrect rootkit miscategorization
>
> Well, as I've said,.. no one can really tell what it is, since it's a
> blob,... and even if one would assume that someone could correctly
> reverse engineer it, or reproducibly build it from public sources,
> there's absolutely no guarantee that malicious software might have been
> just distributed to selected people.

Except that the actual contents of the downloaded files in many ways
do not actually matter.  Those files are nacl executables, which are
sandboxed in any nacl-enabled chromium, so barring a sandbox escape
included in the files, this is functionally the same as visiting any
nacl website (less the fact that hotword automatically gets microphone
permission, which itself is worth independent critique).

Additionally, the Debian packages are intentionally built with nacl
disabled (in fact not built at all).  So, at least on Debian, even if
the downloaded files were in fact malicious, without a nacl
interpreter present, there is absolutely no way to trigger the
badness.

>> oss-sec is a
>> far better venue for discussion since Debian is not the only
>> distribution that includes chromium 43.
>
> I don't see how that would practically ever change something at the
> Debian level; this seems rather like simply pushing away an unpleasant
> issue.

Maybe now it's clear that a meaningful conversation at the time would
have preempted the ensuing misinformation campaign.

> And just because all other distros ship software which injects possibly
> malicious blobs, we don't have to do the same.

I simply do not follow the logic leading to this conclusion.  How does
engaging in discussion lead to any specific problem being ignored
exactly?

Anyway, if some incredibly basic homework had been done, you could
have convinced yourself of the non-issue nature of this problem,
rather than engaging in unfounded speculation.

> Anyway, I haven't said that banning such software from Debian would be
> the only solution... but at least these incidents come far too frequently
> recently, so apparently something needs to be done at Debian level to
> pro-actively prevent future cases/compromises like this.

That is exactly what Debian unstable is for, and in many ways it
worked as intended, except for the special snowflake that is chromium.
Since major chromium versions get uploaded to both unstable and stable
to fix security issues, problems introduced into unstable also
unfortunately get introduced to stable.

> And there's still no single sign of properly visible announcements to
> user what might have happened here. :(

Well, it is out there now [0,1], unfortunately with a huge amount of
misinformation.

Anyway the Debian security tracker is tracking this [2].  As stated
there, it will be fixed along with the next incoming round of chromium
security issues.  It is absolutely not worth fixing on its own.

Best wishes,
Mike

[0] https://lwn.net/Articles/648392
[1] https://news.ycombinator.com/item?id=9724409
[2] https://security-tracker.debian.org/tracker/TEMP-0000000-A21526
