oss-sec mailing list archives

Re: Bug#786909: chromium: unconditionally downloads binary blob


From: Michael Gilbert <mgilbert () debian org>
Date: Tue, 16 Jun 2015 00:49:31 -0400

On Mon, Jun 15, 2015 at 11:16 PM, Christoph Anton Mitterer wrote:
> Shouldn't we see a DSA following this incident?
>
> Since no one really knows which binaries have been downloaded there and
> what they actually do, and since it cannot be excluded that it was
> actually executed, such systems are basically to be considered
> compromised.
>
> Quite a deal of people choose open source just to prevent that - get
> untrustworthy / unverifiable code run on their systems - failed.
>
> And to be quite honest, I seriously consider the good faith of such an
> upstream which does these kinds of things and wonder whether it can be
> considered trustworthy enough to be part of Debian or whether it should
> be banned from it.
> More or less silently bundling proprietary code with open source
> software (especially but not only when enabled per default) can already
> be considered quite bad behaviour.
>
> But basically secretly downloading it leads to the question of possible
> malicious intent (and everyone knows that Google & Co. do voluntarily
> and/or forcibly cooperate with NSA and friends).
> And I guess no one can prove that this blob didn't contain any rootkit,
> and even if - the rootkit'ed version may have been just distributed to
> certain people.
> The downloading makes it more or less impossible for the admin/user and
> especially for our maintainers to notice what's happening here
> (otherwise they'd need to audit every line of code for any such
> occasions).
>
> And even if the blob wasn't evil: while I haven't looked at the code, I
> wouldn't even be surprised if the downloading itself is done
> insecurely.
>
> Worse, chromium isn't the only such rootkit-downloader... this happens
> - to my taste - far too often in recent times, e.g. FF which secretly
> downloaded the OpenH264 blob.

Barring the obtusely incorrect rootkit miscategorization, oss-sec is a
far better venue for discussion since Debian is not the only
distribution that includes chromium 43.

Best wishes,
Mike
