[Pkg-net-snmp-devel] Bug#559997: libsnmp-base: Makefile.mib should provide stronger integrity checks for downloaded material
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Tue Dec 8 06:01:09 UTC 2009
Package: libsnmp-base
Version: 5.4.2.1~dfsg-3
Severity: wishlist
Makefile.mib fetches a lot of data from the network that isn't
DFSG-redistributable. But that data then appears to be
relied upon by other parts of the SNMP infrastructure. It would be
good to ensure that the data fetched from the network actually matches
the content we expect it to be.
While the data itself may not be redistributable within Debian's
guidelines, I don't think there would be anything wrong with shipping
a cryptographic checksum (a SHA-256 sum, for example) of each piece
of data we expect to fetch, and avoid installing the material if the
fetched/transformed data doesn't match the expected checksum.
Without such an integrity check, it seems like this package
potentially opens a computer to some form of abuse by an attacker with
control over the network.
Of course, such a scheme wouldn't work if the data being fetched is
volatile. But is it? I don't know enough about SNMP and MIBs to
answer.
Thanks for maintaining SNMP in Debian!
Regards,
--dkg
-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.31-1-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages libsnmp-base depends on:
ii debconf [debconf-2.0] 1.5.28 Debian configuration management sy
ii gawk 1:3.1.6.dfsg-4 GNU awk, a pattern scanning and pr
ii make 3.81-7 An utility for Directing compilati
ii wget 1.12-1.1 retrieves files from the web
libsnmp-base recommends no packages.
libsnmp-base suggests no packages.
-- debconf information:
* libsnmp-base/download_mibs: false
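The verify-before-install step the report asks for, as an added shell example that is not from the report or from net-snmp's Makefile.mib: it assumes a file already fetched by wget (here replaced by a constructed local file) and a shipped expected SHA-256 digest, and installs the file only when the digest matches.

```shell
#!/bin/sh
# Added example, not code from the bug report or from net-snmp's Makefile.mib:
# the verify-before-install step the report asks for.
# Usage: install_verified SRC EXPECTED_SHA256 DEST
# Installs SRC at DEST only if its SHA-256 equals EXPECTED_SHA256 (hex, as
# shipped in the package); on mismatch nothing is installed and it returns 1.

sha256_of() {
    # Print the hex SHA-256 digest of file "$1" (coreutils sha256sum,
    # falling back to shasum where coreutils is not available).
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

install_verified() {
    src=$1; expected=$2; dest=$3
    actual=$(sha256_of "$src") || return 1
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $src: expected $expected, got $actual" >&2
        rm -f "$src"   # discard the unverified download rather than leave it around
        return 1
    fi
    # Install via a temporary name in the target directory so DEST is never partial.
    tmp="$dest.tmp.$$"
    cp "$src" "$tmp" && mv "$tmp" "$dest"
}

# Constructed demonstration (no network): a "fetched" file containing "abc", whose
# SHA-256 is the standard test-vector value, is accepted; the same content checked
# against a wrong shipped digest is rejected and not installed.
demo() {
    d=$(mktemp -d) || return 1
    good=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
    bad=0000000000000000000000000000000000000000000000000000000000000000
    printf '%s' abc > "$d/fetched.mib"
    printf '%s' abc > "$d/fetched2.mib"
    rc=1
    if install_verified "$d/fetched.mib" "$good" "$d/installed.mib" &&
       ! install_verified "$d/fetched2.mib" "$bad" "$d/installed2.mib" 2>/dev/null &&
       [ -f "$d/installed.mib" ] && [ ! -e "$d/installed2.mib" ] && [ ! -e "$d/fetched2.mib" ]; then
        rc=0
    fi
    rm -rf "$d"
    return $rc
}
```

In a Makefile.mib rule the same check would run after the wget (and after any transformation step, so the digest describes exactly the bytes that get installed).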