Currently a story about a possible Linux DoS scenario is making the rounds.
Some self-anointed security bloggers are snapping it up and are making link-baiting ado about it with headlines like "Dangerous 0DAY Denial-of-Service Attack Against Apt".
The whole truth is, of course, a lot less alarming.
Debian and derivative distros use a package management system called dpkg which in turn is controlled through a collection of front-end methods known under the collective name of apt.
Some enterprising folks coded up utils that allow browsers to pass URLs using the apt:// protocol to a handler. Those utils are apturl and aptlinex, depending on which distro you run. The procedure required to get the whole shebang working is enough to scare off any casual user.
In addition to installing the said utils, which is the easy part thanks to apt-get, the user also has to add 2 string values and 2 boolean values to about:config, the rather daunting configuration database of Firefox.
Next the user has to click on a link using the apt protocol to teach the browser that he/she always wants it to be passed to the protocol handling util.
Since running apt requires root privileges or sudo, the user also has to confirm a gksudo dialogue every time he/she clicks on a link.
I sincerely doubt that there are many users who would want to go through all the above in a world where installation of any piece of software is only as far away as sudo apt-get install package-name.
Go ahead and google for any apt://package-name URLs. Not a lot around, if any. (Ahem, I was slightly wrong. See update at end of post.)
So, what’s the danger?
Well, we all know that the universe is pretty good at breeding advanced persistent dummies who just can’t resist peeing on the electric fence.
These are the people who will have their browsers configured to handle the apt protocol and who will click on anything promising them a "great app or tool".
So yes, there is danger.
With an apt link that contains a sufficiently long string (approx. 10k chars) you can crash the windowing server (xorg). But this only works if and ONLY IF the target’s compositing manager happens to be compiz.
Crashing a piece of vital infrastructure like xorg, which runs with root privileges, can possibly open a route for a real and serious exploit.
Alas, as mentioned above, it is not possible on a sanely configured install of any Debian derivative. And plain vanilla Debian is configured sanely by default.
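As an added example (not from the original post and not apturl's own code), here is the kind of input check a handler wrapper could apply before an apt link reaches any dialog: it caps the URL length far below the roughly 10k characters mentioned above and accepts only names that match Debian Policy's package-name rules. The limits and the names `parse_apt_url` and `main` are assumptions, and only the plain `apt:name[,name]` form is accepted.

```python
import re
import sys

# Assumed limits, chosen far below the ~10k characters the post mentions.
MAX_URL_LEN = 512
MAX_PKG_LEN = 128
MAX_PACKAGES = 20

# Debian Policy: lowercase letters, digits, '+', '-' and '.'; at least two
# characters; the first one must be alphanumeric.
PKG_RE = re.compile(r"[a-z0-9][a-z0-9+.-]+")


def parse_apt_url(url):
    """Return the package names in an apt: URL, or raise ValueError."""
    if len(url) > MAX_URL_LEN:
        raise ValueError("URL longer than %d characters" % MAX_URL_LEN)
    for prefix in ("apt://", "apt:"):
        if url.startswith(prefix):
            rest = url[len(prefix):]
            break
    else:
        raise ValueError("not an apt: URL")
    names = rest.split(",")
    if len(names) > MAX_PACKAGES:
        raise ValueError("too many packages in one link")
    for name in names:
        # '%', '?', '/', whitespace and uppercase all fail the pattern, so
        # encoded or decorated input is rejected rather than interpreted.
        if len(name) > MAX_PKG_LEN or not PKG_RE.fullmatch(name):
            raise ValueError("invalid package name: %r" % name[:40])
    return names


def main(argv):
    try:
        packages = parse_apt_url(argv[1] if len(argv) > 1 else "")
    except ValueError as err:
        print("refusing apt link: %s" % err, file=sys.stderr)
        return 1
    # A real wrapper would hand the validated names to the installer here.
    print(" ".join(packages))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```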
Update 2011-05-20: I just looked at a very popular blog for Ubuntu users. Full of apt:// links and no mention of a possible DoS. I guess that’s why they are called Ubuntards.