[Secure-testing-team] Bug#804299: smartmontools: update-smart-drivedb downloads unauthenticated data from the web

Christoph Anton Mitterer calestyo at scientia.net
Sat Nov 7 04:29:05 UTC 2015


Package: smartmontools
Version: 6.3+svn4002-2+b3
Severity: important
Tags: security


Hi.

The update-smart-drivedb script downloads unauthenticated data
from the web (drivedb.h).

Apart from the fact that it wouldn't be the first time that
the corresponding parser has problems which may lead to
exploits: even if it correctly parsed everything and only
the right syntax were accepted, this could still be used to
cause damage, namely when the respective SMART command
mustn't be used with a specific drive.
(There are apparently some which cause damage.)


I think update-smart-drivedb should be removed altogether
from Debian, as it circumvents the package management system
and thereby security support, which is generally bad.

Instead, if there's a new drivedb.h, then a package update
should be made.


But as long as there's no proper authentication (and I'm
not talking about https), this should definitely go away.


Cheers,
Chris.
