group.of.nepali.translators team mailing list archive

[Eric Desrochers <eric.desrochers@xxxxxxxxxxxxx>]

Public bug reported:

[Freenode #ubuntu-release discussion]

[13:51:02] <slashd> vorlon, I also puzzle what would be the good practice, SRU an update of pci.ids or leave the user the decision to use update-pciids which does it automatically
[13:52:13] <infinity> slashd: That second option isn't a great one, for many reasons.
[13:52:21] <vorlon> slashd: ^^ I concur
[13:52:55] <infinity> slashd: The two that come to mind is (a) it alters a dpkg-managed file in /usr/share and (b) it's an entirely unchecked random download over http.
[13:53:17] <infinity> In fact, I'm a bit shocked we even ship that script at all, or haven't at least neutered it in some way.
[13:54:40] <infinity> That's just begging for an injection attack where intentionally-corrupted pci.ids data exploits something goofy in a library that reads it.
[13:55:00] <slashd> infinity, good point
[13:56:05] <infinity> If we were to give that as an option, we'd need to alter the script (and things that read that data) to use a second user-writable location in /var, and we'd need upstream to provide a signed/verifiable source we can pull from.
[13:56:23] <infinity> But I think "stop shipping the script on the PATH" is a saner plan.
[13:58:26] <infinity> slashd: Maybe get some input from someone like mdeslaur or sarnold to see if they think I'm being overly paranoid, but I think having a script on path that downloads random junk over http and slams it in a file in /usr/share that gets read by dozens of other binaries is pretty sketchy.
[13:58:40] <infinity> slashd: So I'd be +1 on just nuking it.
[13:59:08] <slashd> infinity, ack will try to have a ACK for security team as well, but sound like a good plan
[13:59:14] <infinity> slashd: Or moving it to /use/share/doc/pciutils/examples
[14:00:23] <slashd> infinity, vorlon ok thanks a lot for your help
[14:00:28] <mdeslaur> oh ew ew ew ew
[14:01:01] <mdeslaur> yeah, moving it to examples would be a good idea
[14:01:21] <slashd> mdeslaur, ack tks

SRU team: +1
Security team: +1

** Affects: pciutils (Ubuntu)
     Importance: Low
     Assignee: Eric Desrochers (slashd)
         Status: In Progress

** Affects: pciutils (Ubuntu Trusty)
     Importance: Undecided
         Status: New

** Affects: pciutils (Ubuntu Xenial)
     Importance: Undecided
         Status: New

** Affects: pciutils (Ubuntu Bionic)
     Importance: Undecided
         Status: New

** Affects: pciutils (Ubuntu Cosmic)
     Importance: Undecided
         Status: New

** Changed in: pciutils (Ubuntu)
     Assignee: (unassigned) => Eric Desrochers (slashd)

** Changed in: pciutils (Ubuntu)
   Importance: Undecided => Low

** Changed in: pciutils (Ubuntu)
       Status: New => In Progress

** Also affects: pciutils (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Also affects: pciutils (Ubuntu Cosmic)
   Importance: Undecided
       Status: New

** Also affects: pciutils (Ubuntu Trusty)
   Importance: Undecided
       Status: New

** Also affects: pciutils (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Summary changed:

- drop "update-pciids" for security reasons
+ stop shipping "update-pciids"

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1815237

Title:
  stop shipping "update-pciids"

Status in pciutils package in Ubuntu:
  In Progress
Status in pciutils source package in Trusty:
  New
Status in pciutils source package in Xenial:
  New
Status in pciutils source package in Bionic:
  New
Status in pciutils source package in Cosmic:
  New

Bug description:
  [Freenode #ubuntu-release discussion]

  [13:51:02] <slashd> vorlon, I also puzzle what would be the good practice, SRU an update of pci.ids or leave the user the decision to use update-pciids which does it automatically
  [13:52:13] <infinity> slashd: That second option isn't a great one, for many reasons.
  [13:52:21] <vorlon> slashd: ^^ I concur
  [13:52:55] <infinity> slashd: The two that come to mind is (a) it alters a dpkg-managed file in /usr/share and (b) it's an entirely unchecked random download over http.
  [13:53:17] <infinity> In fact, I'm a bit shocked we even ship that script at all, or haven't at least neutered it in some way.
  [13:54:40] <infinity> That's just begging for an injection attack where intentionally-corrupted pci.ids data exploits something goofy in a library that reads it.
  [13:55:00] <slashd> infinity, good point
  [13:56:05] <infinity> If we were to give that as an option, we'd need to alter the script (and things that read that data) to use a second user-writable location in /var, and we'd need upstream to provide a signed/verifiable source we can pull from.
  [13:56:23] <infinity> But I think "stop shipping the script on the PATH" is a saner plan.
  [13:58:26] <infinity> slashd: Maybe get some input from someone like mdeslaur or sarnold to see if they think I'm being overly paranoid, but I think having a script on path that downloads random junk over http and slams it in a file in /usr/share that gets read by dozens of other binaries is pretty sketchy.
  [13:58:40] <infinity> slashd: So I'd be +1 on just nuking it.
  [13:59:08] <slashd> infinity, ack will try to have a ACK for security team as well, but sound like a good plan
  [13:59:14] <infinity> slashd: Or moving it to /use/share/doc/pciutils/examples
  [14:00:23] <slashd> infinity, vorlon ok thanks a lot for your help
  [14:00:28] <mdeslaur> oh ew ew ew ew
  [14:01:01] <mdeslaur> yeah, moving it to examples would be a good idea
  [14:01:21] <slashd> mdeslaur, ack tks

  SRU team: +1
  Security team: +1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pciutils/+bug/1815237/+subscriptions