oss-sec mailing list archives
Re: Bug#786909: chromium: unconditionally downloads binary blob
From: Michael Gilbert <mgilbert () debian org>
Date: Tue, 16 Jun 2015 00:49:31 -0400
On Mon, Jun 15, 2015 at 11:16 PM, Christoph Anton Mitterer wrote:
Shouldn't we see a DSA following this incident? Since no one really knows which binaries have been downloaded there and what they actually do, and since it cannot be excluded that it was actually executed, such systems are basically to be considered compromised. Quite a deal of people choose open source just to prevent that - getting untrustworthy / unverifiable code run on their systems - failed. And to be quite honest, I seriously consider the good faith of such an upstream which does these kinds of things and wonder whether it can be considered trustworthy enough to be part of Debian or whether it should be banned from it. More or less silently bundling proprietary code with open source software (especially but not only when enabled per default) can already be considered quite bad behaviour. But basically secretly downloading it leads to the question of possible malicious intent (and everyone knows that Google & Co. do voluntarily and/or forcibly cooperate with NSA and friends). And I guess no one can prove that this blob didn't contain any rootkit, and even if - the rootkit'ed version may have been just distributed to certain people. The downloading makes it more or less impossible for the admin/user and especially for our maintainers to notice what's happening here (otherwise they'd need to audit every line of code for any such occasions). And even if the blob wasn't evil: while I haven't looked at the code, I wouldn't even be surprised if the downloading itself is done insecurely. Worse, chromium isn't the only such rootkit-downloader; this happens - to my taste - far too often in recent times, e.g. FF which secretly downloaded the OpenH264 blob.
Barring the obtusely incorrect rootkit miscategorization, oss-sec is a far better venue for discussion since Debian is not the only distribution that includes chromium 43.

Best wishes,
Mike