steve at stevemurphy
Dec 21, 2004, 3:24 PM
Post #3 of 4
(477 views)
Permalink
|
-On Sun, 2004-12-12 at 13:19 -0500, Dan Margolis wrote:
> Hi Steve,
>
> This vulnerability is already in our bugzilla at
> http://bugs.gentoo.org/show_bug.cgi?id=74008. A fix will be out
> shortly. In the meantime, if you are concerned, there are plenty of
> alternatives to wget (curl, Perl + LWP, etc).
>
Hi, thanks for your speedy reply and good to know you are on the case.
My reply being much tardier, I was really querying whether runing wget
as root during an emerge is safe.
When everything downloaded is signed and we choose to trust a key - how
can we trust the integrity of signatures or those programs used to
validate them when we allow wget to run as root. Wget as root would
allow a hacked mirror or spoofed mirror to exploit any vulnerability in
wget. Should wget run as a restricted user.
Of course, the same argument could be used against validating signatures
- a 'specialaly crafted' signature could be developed to exploit bugs in
that software, so that should also to run as a different user - but
according to the original report wget is a priority case:
http://seclists.org/lists/bugtraq/2004/Dec/0105.html
-> In the current maintainer's own words: ``[T]he code is buggy, poorly
-> commented, very hard to understand, extremely resistant to changes
-> and looks like a bunch of patches put together in a careless way.
Steve (not an expert so happy to be proven wrong).
--
gentoo-security [at] gentoo mailing list
|
