Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CANTw=MPhYqnVgYghW2Z4EqOnoYKCJBXaiH+76czz294DAbDVhg@mail.gmail.com>
Date: Thu, 18 Jun 2015 20:19:02 -0400
From: Michael Gilbert <mgilbert@...ian.org>
To: Christoph Anton Mitterer <calestyo@...entia.net>
Cc: 786909@...s.debian.org, oss-security@...ts.openwall.com
Subject: Re: Bug#786909: chromium: unconditionally downloads binary blob

Since this made it to LWN [0] and Y Combinator [1] with an incredible
amount of misinformation, let's attempt a (hopefully) non-hyped
conversation about this, which unfortunately didn't happen a few days
ago.

On Tue, Jun 16, 2015 at 9:15 AM, Christoph Anton Mitterer wrote:
> On Tue, 2015-06-16 at 00:49 -0400, Michael Gilbert wrote:
>> Barring the obtusely incorrect rootkit miscategorization
>
> Well, as I've said,.. no one can really tell what it is, since it's a
> blob,... and even if one would assume that someone could correctly
> reverse engineer it, or reproducibly build it from public sources,
> there's absolutely no guarantee that malicious software might have been
> just distributed to selected people.

Except that the actual contents of the downloaded files in many ways
do not actually matter.  Those files are nacl executables, which are
sandboxed in any nacl-enabled chromium, so barring a sandbox escape
included in the files, this is functionally the same as visiting any
nacl website (less the fact that hotword automatically gets microphone
permission, which itself is worth independent critique).

Additionally, the Debian packages are intentionally built with nacl
disabled (in fact not built at all).  So, at least on Debian, even if
the downloaded files were in fact malicious, without a nacl
interpreter present, there is absolutely no way to trigger the
badness.

>> oss-sec is a
>> far better venue for discussion since Debian is not the only
>> distribution that includes chromium 43 .
>
> I don't see how that would practically ever change something at the
> Debian level; this seems rather like simply pushing away and unpleasant
> issue.

Maybe now it's clear that a meaningful conversation at the time would
have preempted the ensuing misinformation campaign.

> And just because all other distros ship software which injects possibly
> malicious blobs, we don't have to do the same.

I simply do not follow the logic leading to this conclusion.  How does
engaging in discussion lead to any specific problem being ignored
exactly?

Anyway, if some incredibly basic homework had been done, you could
have convinced yourself of the non-issue nature of this problem,
rather than engaging in unfounded speculation.

> Anyway, I haven't said that banning such software from Debian would be
> the only solution... but at least these incidents come far too frequent
> recently, so apparently something needs to be done at Debian level to
> pro-actively prevent future cases/compromises like this.

That is exactly what Debian unstable is for, and in many ways it
worked as intended, except for the special snowflake that is chromium.
Since major chromium versions get uploaded to both unstable and stable
to fix security issues, problems introduced into unstable also
unfortunately get introduced to stable.

> And there's still no single sign of properly visible announcements to
> user what might have happened here. :(

Well, it is out there now [0,1], unfortunately with a huge amount of
misinformation.

Anyway the Debian security tracker is tracking this [2].  As stated
there, it will be fixed along with the next incoming round of chromium
security issues.  It is absolutely not worth fixing on its own.

Best wishes,
Mike

[0] https://lwn.net/Articles/648392
[1] https://news.ycombinator.com/item?id=9724409
[2] https://security-tracker.debian.org/tracker/TEMP-0000000-A21526

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.