Meanwhile in Arch land (possibly other distros as well), the fwupd package (which I imagine to be a fairly common package to be installed among the user base) has been silently configured to depend on passim, which spins up an open web server on 0.0.0.0:27500[1] without any(!) explicit user consent whatsover. Passim then uses GnuTLS, which is famous for containing more holes than Swiss cheese [2][3].
Absolutely insane to me, and I would not be surprised if there's an xz type of exploit hidden somewhere in the chain.
The "verification" downloads the file twice... seems like one could easily make a custom HTTP server to change the second consecutive response to a malicious one.
Absolutely insane to me, and I would not be surprised if there's an xz type of exploit hidden somewhere in the chain.
[1]: https://github.com/fwupd/fwupd/issues/6721
[2]: https://news.ycombinator.com/item?id=7347500
[3]: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=gnutls