stop shipping "update-pciids"

Bug #1815237 reported by Eric Desrochers on 2019-02-08
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
pciutils (Ubuntu)
Low
Eric Desrochers
Trusty
Low
Eric Desrochers
Xenial
Low
Eric Desrochers
Bionic
Low
Eric Desrochers
Cosmic
Low
Eric Desrochers

Bug Description

[Freenode #ubuntu-release discussion]

[13:51:02] <slashd> vorlon, I also puzzle what would be the good practice, SRU an update of pci.ids or leave the user the decision to use update-pciids which does it automatically
[13:52:13] <infinity> slashd: That second option isn't a great one, for many reasons.
[13:52:21] <vorlon> slashd: ^^ I concur
[13:52:55] <infinity> slashd: The two that come to mind is (a) it alters a dpkg-managed file in /usr/share and (b) it's an entirely unchecked random download over http.
[13:53:17] <infinity> In fact, I'm a bit shocked we even ship that script at all, or haven't at least neutered it in some way.
[13:54:40] <infinity> That's just begging for an injection attack where intentionally-corrupted pci.ids data exploits something goofy in a library that reads it.
[13:55:00] <slashd> infinity, good point
[13:56:05] <infinity> If we were to give that as an option, we'd need to alter the script (and things that read that data) to use a second user-writable location in /var, and we'd need upstream to provide a signed/verifiable source we can pull from.
[13:56:23] <infinity> But I think "stop shipping the script on the PATH" is a saner plan.
[13:58:26] <infinity> slashd: Maybe get some input from someone like mdeslaur or sarnold to see if they think I'm being overly paranoid, but I think having a script on path that downloads random junk over http and slams it in a file in /usr/share that gets read by dozens of other binaries is pretty sketchy.
[13:58:40] <infinity> slashd: So I'd be +1 on just nuking it.
[13:59:08] <slashd> infinity, ack will try to have a ACK for security team as well, but sound like a good plan
[13:59:14] <infinity> slashd: Or moving it to /use/share/doc/pciutils/examples
[14:00:23] <slashd> infinity, vorlon ok thanks a lot for your help
[14:00:28] <mdeslaur> oh ew ew ew ew
[14:01:01] <mdeslaur> yeah, moving it to examples would be a good idea
[14:01:21] <slashd> mdeslaur, ack tks

SRU team: +1
Security team: +1

Eric Desrochers (slashd) on 2019-02-08
Changed in pciutils (Ubuntu):
assignee: nobody → Eric Desrochers (slashd)
importance: Undecided → Low
status: New → In Progress
summary: - drop "update-pciids" for security reasons
+ stop shipping "update-pciids"
Eric Desrochers (slashd) on 2019-02-08
Changed in pciutils (Ubuntu Trusty):
assignee: nobody → Eric Desrochers (slashd)
Changed in pciutils (Ubuntu Xenial):
assignee: nobody → Eric Desrochers (slashd)
Changed in pciutils (Ubuntu Bionic):
assignee: nobody → Eric Desrochers (slashd)
Changed in pciutils (Ubuntu Cosmic):
assignee: nobody → Eric Desrochers (slashd)
Changed in pciutils (Ubuntu Trusty):
importance: Undecided → Low
Changed in pciutils (Ubuntu Xenial):
importance: Undecided → Low
Changed in pciutils (Ubuntu Bionic):
importance: Undecided → Low
Changed in pciutils (Ubuntu Cosmic):
importance: Undecided → Low
Changed in pciutils (Ubuntu Trusty):
status: New → In Progress
Changed in pciutils (Ubuntu Xenial):
status: New → In Progress
Changed in pciutils (Ubuntu Bionic):
status: New → In Progress
Changed in pciutils (Ubuntu Cosmic):
status: New → In Progress
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers