lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 2 Oct 2018 11:46:55 -0400 From: Michael Lazin <microlaser@...il.com> Cc: fulldisclosure@...lists.org Subject: Re: [FD] Skype Debian package: allows complete machine takeover for Microsoft While things like this have appeared in the news, http://www.securitynewspaper.com/2018/07/14/malicious-software-packages-at-linux-repositories/, I don't think this deserves a critical rating. Are you going to give Chrome for linux a critical rating because it installs the google repository? As a system administrator you have to make a decision about how much you trust Google and Microsoft, Microsoft has contributed to the Linux kernel and has been supportive of open source of late. On Tue, Oct 2, 2018 at 11:10 AM Seth Arnold <seth.arnold@...onical.com> wrote: > On Tue, Sep 25, 2018 at 07:04:18PM +0200, Enrico Weigelt, metux IT consult > wrote: > > Operator's workaround: > > [..] > > c) use apt pinning to restrict the Microsoft repo to only the > > package 'skypeforlinux' > > Please note that the Debian package pre/post inst/rm scripts run with > full root privileges without any constraints on what they can do. > > If your threat model includes either a disclosure of Microsoft's APT > repository signing key or malicious use of this key by Microsoft then > this workaround does not address these threats. > > Thanks > > _______________________________________________ > Sent through the Full Disclosure mailing list > https://nmap.org/mailman/listinfo/fulldisclosure > Web Archives & RSS: http://seclists.org/fulldisclosure/ -- Michael Lazin to gar auto estin noein te kai ennai _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists