From: Noam Postavsky
Newsgroups: gmane.emacs.bugs
Subject: bug#19479: Package manager vulnerable
Date: Tue, 05 May 2020 20:55:53 -0400
Message-ID: <87k11pnap2.fsf@gmail.com>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.0.91 (gnu/linux)
To: Stefan Kangas
Cc: 19479@debbugs.gnu.org
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords: security
In-Reply-To: (Stefan Kangas's message of "Fri, 4 Oct 2019 11:49:54 +0200")

Stefan Kangas writes:

> Subject: [PATCH] Support package checksum verification
>
> This is the first step towards protecting users of package.el against
> metadata replay attacks.

> +(define-error 'bad-checksum "Failed to verify checksum")

Would it be useful to have bad-signature and this one share a parent?
(by the way, I kind of wonder why it's not called package-bad-signature).

> + (cl-flet*
> + ((supported-hashes
> + (lambda ()

Is this a function (rather than a variable) just so it can be in the
same cl-flet* as do-check?

> + (or (seq-filter (lambda (h) (memql (car h) (secure-hash-algorithms)))

The list returned by secure-hash-algorithms includes sha1 and md5.
This is a problem if we're going to rely on signing them.
We should at least plan to have some way of filtering out some functions.

> + (a (cdr hash))
> + (b (secure-hash algorithm (current-buffer))))

> + (when-let ((a (package-desc-size pkg-desc))
> + (b (string-bytes (buffer-string))))

I risk descending into trivial nitpicking, but I think 'a' and 'b' are a
bit too generic. Something like 'expected' and 'actual' would make it
harder to mix them up.

> +(defmacro run-verify-checksums-test (verify-checksums checksums)
> + "Run a test for `package-verify-checksums'."

> +(ert-deftest package-test--verify-package-checksums-nil/ignore-invalid ()

I think run-verify-checksums-test should be prefixed with package-test
(whereas the individual test names could be prefixed with just package).
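Review bot: the define-error hunk declares `bad-checksum` with no parent condition, so code that already handles `bad-signature` cannot catch both verification failures with a single condition-case clause; pass a shared parent as the third argument, for example `(define-error 'bad-checksum "Failed to verify checksum" 'package-verification-error)`, and give the new symbol the same `package-` prefix the rest of package.el uses.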
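Review bot: in the `supported-hashes` hunk, `(memql (car h) (secure-hash-algorithms))` only checks that this Emacs can compute the digest, not that the digest is trustworthy, so md5 and sha1 entries published by an archive pass the filter and a metadata file carrying only weak digests would still verify; filter against an explicit allow-list (sha256 and sha512) that is intersected with `secure-hash-algorithms`, and document that list so archive maintainers know which digests to publish.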
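Review bot: the size check hunk compares `package-desc-size` with `(string-bytes (buffer-string))`, but `string-bytes` counts Emacs's internal representation, which for a multibyte buffer holding raw bytes above #x7f is larger than the on-disk byte count, so a correct download can be rejected; fetch the archive into a unibyte buffer and use `(buffer-size)`, and hash that same unibyte buffer so the `secure-hash` binding two lines earlier sees exactly the bytes the archive measured. `secure-hash` also returns lowercase hex, so downcase `(cdr hash)` before the comparison in case the archive metadata is upper-case.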
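Review bot: the docstring in the `run-verify-checksums-test` hunk does not describe the VERIFY-CHECKSUMS and CHECKSUMS arguments; say what each holds (the value passed as `package-verify-checksums` and the checksum alist under test) so readers of the ert-deftest that follows can see what the macro expands to without opening its body.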
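As an added sketch that is not code from the patch or from package.el, the following ties the review points together: a shared parent condition, an explicit digest allow-list instead of everything `secure-hash-algorithms` offers, `expected`/`actual` naming, and a size check that counts on-disk bytes. Every `my-package-` name is hypothetical.

```elisp
;; Added sketch (not the patch's code): one parent condition for both
;; verification errors, an explicit digest allow-list, and a size check
;; that counts on-disk bytes.  All `my-package-' names are hypothetical.
(require 'seq)
(define-error 'my-package-verification-error "Package verification failed")
(define-error 'my-package-bad-checksum "Failed to verify checksum"
  'my-package-verification-error)

(defconst my-package-allowed-hash-algorithms '(sha256 sha512)
  "Digest algorithms trusted for package checksums.
Narrower than `secure-hash-algorithms', which also offers md5 and sha1.")

(defun my-package-usable-checksums (checksums)
  "Return the (ALGORITHM . HEX) pairs of CHECKSUMS this Emacs may verify."
  (seq-filter (lambda (h)
                (and (memq (car h) my-package-allowed-hash-algorithms)
                     (memq (car h) (secure-hash-algorithms))))
              checksums))

(defun my-package-verify-buffer (checksums &optional expected-size)
  "Verify the current buffer against CHECKSUMS and EXPECTED-SIZE.
The buffer must be unibyte (fetched as raw bytes): then `buffer-size'
is the on-disk byte count, whereas `string-bytes' of a multibyte buffer
over-counts raw bytes above #x7f.  Signal `my-package-bad-checksum' on
any mismatch; return t on success."
  (when enable-multibyte-characters
    (error "Verification needs a unibyte buffer"))
  (let ((usable (my-package-usable-checksums checksums)))
    (unless usable
      (signal 'my-package-bad-checksum (list "no trusted checksum" checksums)))
    (when (and expected-size (/= expected-size (buffer-size)))
      (signal 'my-package-bad-checksum
              (list "size mismatch" expected-size (buffer-size))))
    (dolist (h usable)
      ;; `secure-hash' returns lowercase hex; normalise the expected side.
      (let ((expected (downcase (cdr h)))
            (actual (secure-hash (car h) (current-buffer))))
        (unless (string= expected actual)
          (signal 'my-package-bad-checksum
                  (list "digest mismatch" (car h) expected actual)))))
    t))

;; Constructed check: the md5 entry is ignored, the sha256 of "hello" matches.
(with-temp-buffer
  (set-buffer-multibyte nil)
  (insert "hello")
  (my-package-verify-buffer
   '((md5 . "not-trusted")
     (sha256 . "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"))
   5))
```

Because both conditions share `my-package-verification-error`, a caller can use one `condition-case` clause for signature and checksum failures alike.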