From: Stefan Kangas <stefan@marxist.se>
To: Noam Postavsky <npostavs@gmail.com>
Cc: 19479@debbugs.gnu.org
Subject: bug#19479: Package manager vulnerable
Date: Sun, 6 Sep 2020 16:59:48 -0700 [thread overview]
Message-ID: <CADwFkm=ABM89QJDxGNSY5_HtNM66BRJk36GyBw=aDvywRwLLHA@mail.gmail.com> (raw)
In-Reply-To: <87k11pnap2.fsf@gmail.com>
Noam Postavsky <npostavs@gmail.com> writes:
> Stefan Kangas <stefan@marxist.se> writes:
>
>> Subject: [PATCH] Support package checksum verification
>>
>> This is the first step towards protecting users of package.el against
>> metadata replay attacks.
>
>> +(define-error 'bad-checksum "Failed to verify checksum")
>
> Would it be useful to have bad-signature and this one share a parent?
> (by the way, I kind of wonder why it's not called
> package-bad-signature).
Indeed, I fixed that.
>> + (cl-flet*
>> + ((supported-hashes
>> + (lambda ()
>
> Is this a function (rather than a variable) just so it can be in the
> same cl-flet* as do-check?
I'm not sure I understand; it should be a function instead of a variable
because there is logic in there to match `(secure-hash-algorithms)'
against `(package-desc-checksums pkg-desc)' and signal an error.
>> + (or (seq-filter (lambda (h) (memql (car h) (secure-hash-algorithms)))
>
> The list returned by secure-hash-algorithms includes sha1 and md5. This
> is a problem if we're going to rely on signing them. We should at least
> plan to have some way of filtering out some functions.
Yes, we currently would place the onus on the package archives to not
use those algorithms. We could choose to filter them out as completely
unacceptable, I think that makes sense.
>> + (a (cdr hash))
>> + (b (secure-hash algorithm (current-buffer))))
>
>> + (when-let ((a (package-desc-size pkg-desc))
>> + (b (string-bytes (buffer-string))))
>
> I risk descending into trivial nitpicking, but I think 'a' and 'b' are
> bit too generic. Something like 'expected' and 'actual' would make it
> harder to mix them up.
Thanks, fixed.
>> +(defmacro run-verify-checksums-test (verify-checksums checksums)
>> + "Run a test for `package-verify-checksums'."
>
>> +(ert-deftest package-test--verify-package-checksums-nil/ignore-invalid ()
>
> I think run-verify-checksums-test should be prefixed with package-test
> (whereas the individual test names could be prefixed with just package).
That's true. Fixed.
Thanks for the review!
Best regards,
Stefan Kangas
next prev parent reply other threads:[~2020-09-06 23:59 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <qRgJhF1EfrtAmBqmyTLGcOkoyCcHP7kWm6t8KBDxra2@local>
2015-01-01 12:38 ` bug#19479: Package manager vulnerable Kelly Dean
2015-01-04 20:00 ` Stefan Monnier
2015-01-05 1:11 ` Kelly Dean
2015-01-05 2:16 ` Stefan Monnier
2015-01-08 3:31 ` bug#19479: [PATCH] " Kelly Dean
2015-01-08 3:44 ` Glenn Morris
2015-01-08 5:29 ` Kelly Dean
2015-01-08 14:39 ` Stefan Monnier
2015-01-08 21:06 ` Kelly Dean
2015-01-09 2:37 ` Stefan Monnier
2015-01-09 6:59 ` bug#19479: Copyright issue (was: Re: bug#19479: Package manager vulnerable) Kelly Dean
2015-01-09 15:17 ` bug#19479: Copyright issue Stefan Monnier
2015-01-09 15:29 ` David Kastrup
2015-01-09 19:57 ` Kelly Dean
[not found] ` <EitH3yok1Itmynw5Ex1Vi3AuvkREurR1ccm1J5MQD4E@local>
2015-01-09 20:24 ` Glenn Morris
[not found] ` <0etwzzu2gd.fsf@fencepost.gnu.org>
2015-01-09 20:32 ` Glenn Morris
2015-02-24 8:47 ` bug#19479: Emacs package manager vulnerable to replay attacks Kelly Dean
2015-01-11 2:56 ` bug#19479: (on-topic) Re: bug#19479: Package manager vulnerable Kelly Dean
2015-01-20 21:18 ` bug#19479: Disclaimer is now on file at FSF Kelly Dean
2015-02-24 18:11 ` Glenn Morris
2017-09-03 1:10 ` bug#19479: Package manager vulnerable Glenn Morris
2019-10-04 9:49 ` Stefan Kangas
2020-05-06 0:55 ` Noam Postavsky
2020-09-06 23:59 ` Stefan Kangas [this message]
2020-09-07 14:14 ` Noam Postavsky
2020-09-07 18:11 ` Stefan Kangas
2020-11-21 23:51 ` bug#19479: Package manager vulnerable to replay attacks Stefan Kangas
2020-11-26 0:43 ` Stefan Monnier
2020-11-26 2:06 ` Stefan Kangas
2020-11-26 2:30 ` Stefan Monnier
2020-11-26 3:02 ` Stefan Kangas
2020-11-26 3:11 ` Stefan Monnier
2020-11-26 3:56 ` Jean Louis
2020-09-07 17:19 ` bug#19479: Package manager vulnerable Stefan Kangas
2020-09-07 23:54 ` Noam Postavsky
2020-09-08 8:10 ` Stefan Kangas
[not found] <E1Y8Bor-0003yH-Mu@fencepost.gnu.org>
2015-01-06 6:38 ` Kelly Dean
2015-01-07 4:27 ` Richard Stallman
2015-01-08 3:33 bug#19536: [PATCH] package-upload-buffer-internal fails for tar files Kelly Dean
2015-01-08 5:50 ` Stefan Monnier
2015-01-08 7:10 ` Kelly Dean
2015-01-08 11:40 ` bug#19479: Package manager vulnerable Kelly Dean
2015-02-18 1:03 ` bug#19536: package-upload-buffer-internal fails for tar files Kelly Dean
[not found] <0ylhjngoxs.fsf@fencepost.gnu.org>
2015-02-24 23:02 ` bug#19479: Disclaimer is now on file at FSF Kelly Dean
[not found] ` <5j6SB8Hmg5euoiN2VLa1iolGVWZxTvwQ1LnsgFUQiDZ@local>
2015-02-25 21:09 ` Glenn Morris
[not found] ` <yuegpd8zq2.fsf@fencepost.gnu.org>
2017-09-02 12:24 ` Eli Zaretskii
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://www.gnu.org/software/emacs/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CADwFkm=ABM89QJDxGNSY5_HtNM66BRJk36GyBw=aDvywRwLLHA@mail.gmail.com' \
--to=stefan@marxist.se \
--cc=19479@debbugs.gnu.org \
--cc=npostavs@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/emacs.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).