
Surprised by security vulnerabilities in my Debian desktop

I’ve been running Debian “Squeeze” (aka “stable”) on my desktop for years. With a single exception (Oracle’s VirtualBox) this computer only uses software packages from the Debian repositories, which in theory makes it simpler to keep the software up to date. I’d trusted that periodic updates kept this software current and was surprised to find that the most exposed software on the machine, namely Java, the Flash plug-in, and the web browser itself, was not being updated.

Java

This investigation started when Iceweasel (Debian’s rebranded Firefox) warned me that my Java plug-in was insecure. It turns out there are known exploits circulating for Sun’s Java version 1.6.0_32 and earlier, while Debian’s sun-java6 package remains at version 1.6.0_26 from June of 2011.

After version 1.6.0_26, Oracle changed the licensing terms (the Distributor License for Java that Debian had relied on was retired), which no longer allowed Debian to redistribute this software. Debian has removed the package from the next stable release (“Wheezy”) but decided to keep it in the repository for the current stable release (“Squeeze”). It’s unfortunate that users of this package see no warning when updating their system to alert them that they need to download the update from Oracle or remove the package.

I considered filing a security bug against the package to this effect, but then learned that software in Debian’s “non-free” and “contrib” repositories is not supported by the security team:

Q: How is security handled for contrib and non-free?

A: The short answer is: it’s not. Contrib and non-free aren’t official parts of the Debian Distribution and are not released, and thus not supported by the security team. Some non-free packages are distributed without source or without a license allowing the distribution of modified versions. In those cases no security fixes can be made at all. If it is possible to fix the problem, and the package maintainer or someone else provides correct updated packages, then the security team will generally process them and release an advisory.

An advisory sure would be nice even if it can’t be fixed.

Incidentally, to find out which of your installed packages came from the “non-free” or “contrib” repositories, install the Debian package “vrms” (which stands for “Virtual Richard M. Stallman”); it classifies installed packages by their dpkg Section field.

There’s also an inconsistency in how Sun’s Java is handled as compared to Adobe’s Flash plug-in, which has a similar restriction on its redistribution. To install Adobe’s Flash plug-in, a Debian user can install the package flashplugin-nonfree. This package will then download the Flash plug-in directly from Adobe to your computer. I find this to be very convenient and it’s a shame there is no such package available for Sun’s Java in the Debian repository.

However, if you are willing to trust a relatively unknown third-party repository, a volunteer has released a similar package which installs the latest version of Sun’s Java on Debian.

Flash

This led me to examine the other browser plug-ins on this system, and I was also surprised to learn that my Adobe Flash plug-in was very old. What I learned here is that the flashplugin-nonfree package will install the latest version of Adobe Flash, but it only does that at the time the package is installed; a routine apt-get upgrade does not fetch newer Flash releases from Adobe, so the plug-in silently falls behind. There was a bug filed against flashplugin-nonfree to address this, and sadly that bug was tagged “security, wontfix.”

You can address this by running “update-flashplugin-nonfree --install” (as root) periodically. I added it to a maintenance script that runs weekly.
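The two checks above, the vrms-style listing of unsupported packages and the weekly Flash refresh, as one added example. This is not the post’s own maintenance script: it is a plain sh/awk listing of installed contrib and non-free packages (using the same dpkg Section field that vrms looks at) plus a weekly_maintenance function that runs update-flashplugin-nonfree --install and then prints that list as a reminder. Assumptions: the stanza layout of /var/lib/dpkg/status, that update-flashplugin-nonfree is on the PATH when the job runs as root, and that the dpkg stanzas used for the stand-alone run are constructed sample data, not a real system’s package list.

```shell
#!/bin/sh
# Added example (not the post's own script). Lists installed packages from
# contrib/non-free the way vrms does (via dpkg's Section field) and wraps the
# weekly Flash refresh the post describes.
# Assumptions: the stanza layout of /var/lib/dpkg/status (Package:, Status:,
# Section: lines, blank line between stanzas) and that
# update-flashplugin-nonfree is on PATH when this runs as root.

# Print "package section" for each installed contrib or non-free package.
# $1: path to a dpkg status file (defaults to the live one).
list_nonfree() {
    status_file="${1:-/var/lib/dpkg/status}"
    awk 'BEGIN { RS = "" }
    {
        pkg = ""; sect = ""; installed = 0
        n = split($0, line, "\n")
        for (i = 1; i <= n; i++) {
            if (line[i] ~ /^Package: /) pkg = substr(line[i], 10)
            if (line[i] ~ /^Section: /) sect = substr(line[i], 10)
            # Only "... installed" counts; removed packages whose config
            # files remain ("deinstall ok config-files") are skipped.
            if (line[i] ~ /^Status: .* installed$/) installed = 1
        }
        if (installed && sect ~ /^(contrib|non-free)\//) print pkg, sect
    }' "$status_file" | sort
}

# Weekly job: refresh Flash from Adobe (the package only does this at
# install time), then remind the admin which installed packages carry no
# Debian security support. Meant to be called from /etc/cron.weekly/.
weekly_maintenance() {
    if command -v update-flashplugin-nonfree >/dev/null 2>&1; then
        update-flashplugin-nonfree --install || \
            echo "flashplugin-nonfree update failed" >&2
    fi
    echo "Installed packages outside Debian security support:"
    list_nonfree
}

# Constructed dpkg status stanzas for a stand-alone run (not real data).
# $1: file to write.
write_sample_status() {
    cat > "$1" <<'EOF'
Package: iceweasel
Status: install ok installed
Section: web
Version: 3.5.16-20

Package: flashplugin-nonfree
Status: install ok installed
Section: contrib/web
Version: 1:2.8.2

Package: sun-java6-plugin
Status: install ok installed
Section: non-free/java
Version: 6.26-0squeeze1

Package: sun-java6-jre
Status: deinstall ok config-files
Section: non-free/java
Version: 6.26-0squeeze1
EOF
}

# Stand-alone run: exercise the listing on the constructed data. For the
# cron job, install this file under /etc/cron.weekly/ and replace the
# final "demo" call with a bare call to weekly_maintenance.
demo() {
    sample=$(mktemp)
    write_sample_status "$sample"
    list_nonfree "$sample"
    rm -f "$sample"
}
demo
```

Run stand-alone it prints the two unsupported packages from the sample data (flashplugin-nonfree and sun-java6-plugin) and skips the removed sun-java6-jre stanza, which still carries a Section but is no longer installed. The listing only tells you what the security team will not cover; it cannot tell you whether a given non-free package is currently vulnerable, which for sun-java6 you still have to check against Oracle’s releases yourself.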

Chromium web browser

About six months ago I switched from Debian’s Iceweasel (rebranded Firefox) to Chromium (the open source version of Google Chrome). The Iceweasel in Debian’s “stable” repository is version 3.5 with added security patches, which is quite old but functional. The Chromium in the “stable” repository is version 6.0.472.63~r59945-5+squeeze6, which, because it’s in the “stable” repository, I assumed was also being updated with security patches. So while researching the above I was yet again surprised to see a long list of unfixed remotely exploitable bugs listed for chromium-browser in the security tracker for Debian stable. At this time it has been almost a year since the last update in the “stable” repository, which is a long time for a web browser, and the package information shows a total of 274 open security issues.

Since Debian is a volunteer-based organization, the best solution would be for me to step up and help update this package. That is unfortunately not something I can do right now, so I uninstalled chromium-browser and switched back to Iceweasel.

Iceweasel

I then stumbled upon mozilla.debian.net, which maintains newer versions of Iceweasel than are present in the Debian “stable” repository. This is nice because Iceweasel 3.5 (think of it as Firefox 3.5) is getting a little long in the tooth. Following the instructions on that page, I added

deb http://backports.debian.org/debian-backports squeeze-backports main
deb http://mozilla.debian.net/ squeeze-backports iceweasel-release

to /etc/apt/sources.list, and ran

apt-get update; apt-get install -t squeeze-backports iceweasel

This upgraded Iceweasel from version 3.5 to version 10.0. Version 10 is the latest from backports.debian.org, which on my system had a higher priority than mozilla.debian.net. To obtain version 14.0, I had to manually specify the highest version shown by “apt-cache policy iceweasel”, which is currently 14.0.1-1~bpo60+1:

apt-get install -t squeeze-backports iceweasel=14.0.1-1~bpo60+1

Since Iceweasel 3.5 received regular security updates, the upgrade to version 14.0 wasn’t strictly necessary. It’s much faster though. Note that packages from squeeze-backports and mozilla.debian.net are updated by their own maintainers rather than through Debian security advisories, so after this change the browser’s security updates depend on those repositories staying current, which is worth checking from time to time with “apt-cache policy iceweasel”.

Conclusion

This experience was rather eye-opening. Somewhere along the way I’d picked up a set of erroneous assumptions about how software packages from the Debian repositories were supported from a security perspective, and I learned that I really need to keep a closer eye on my web browser and its plug-ins.

Comments

Comment from William
Time: February 24, 2013, 10:27 am

Thank you for the article, I’m very surprised as well!
Have you contacted the security team about it after all? Did you get more info on this? Are any of these security issues major or critical?

Comment from kevin
Time: February 25, 2013, 6:19 am

Hi William,
With respect to Java, the package maintainers told me they couldn’t do anything about it, since Oracle disallowed redistribution of their software. I asked about providing an alert so users would at least know their Java was insecure, and did not hear back.

For Flash, bug 475580 would have addressed this, but that bug was rejected by the package maintainers.

After finding that contrib and non-free are not supported by the security team, I did not see a point in contacting them regarding these packages. Needless to say I was a little discouraged by this time.

Were these security issues major or critical? At the time I wrote this, my system had versions of Java, Flash, and Chromium that were vulnerable to known remotely exploitable bugs, and many organizations (including even the U.S. “Department of Homeland Security”) had recommended disabling Java altogether due to active exploits. So I’d call that a yes.

Thanks for your comment.
Kevin
