From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail From: Stefan Kangas Newsgroups: gmane.emacs.bugs Subject: bug#19479: Package manager vulnerable to replay attacks Date: Sat, 21 Nov 2020 15:51:28 -0800 Message-ID: References: Mime-Version: 1.0 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214"; logging-data="36324"; mail-complaints-to="usenet@ciao.gmane.io" User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.0.50 (gnu/linux) Cc: Stefan Monnier , Noam Postavsky To: 19479@debbugs.gnu.org Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org Sun Nov 22 00:52:10 2020 Return-path: Envelope-to: geb-bug-gnu-emacs@m.gmane-mx.org Original-Received: from lists.gnu.org ([209.51.188.17]) by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1kgcfq-0009JN-9j for geb-bug-gnu-emacs@m.gmane-mx.org; Sun, 22 Nov 2020 00:52:10 +0100 Original-Received: from localhost ([::1]:54308 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1kgcfp-0006FO-Bj for geb-bug-gnu-emacs@m.gmane-mx.org; Sat, 21 Nov 2020 18:52:09 -0500 Original-Received: from eggs.gnu.org ([2001:470:142:3::10]:48214) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1kgcfi-0006F3-UQ for bug-gnu-emacs@gnu.org; Sat, 21 Nov 2020 18:52:02 -0500 Original-Received: from debbugs.gnu.org ([209.51.188.43]:35073) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1kgcfi-0000Tl-Gw for bug-gnu-emacs@gnu.org; Sat, 21 Nov 2020 18:52:02 -0500 Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1kgcfi-0003N6-BC for bug-gnu-emacs@gnu.org; Sat, 21 Nov 2020 18:52:02 -0500 X-Loop: help-debbugs@gnu.org Resent-From: Stefan Kangas Original-Sender: "Debbugs-submit" Resent-CC: bug-gnu-emacs@gnu.org Resent-Date: Sat, 21 Nov 2020 23:52:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 19479 X-GNU-PR-Package: emacs X-GNU-PR-Keywords: security Original-Received: via spool by 19479-submit@debbugs.gnu.org id=B19479.160600269812922 (code B ref 19479); Sat, 21 Nov 2020 23:52:02 +0000 Original-Received: (at 19479) by debbugs.gnu.org; 21 Nov 2020 23:51:38 +0000 Original-Received: from localhost ([127.0.0.1]:46618 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1kgcfJ-0003ML-K6 for submit@debbugs.gnu.org; Sat, 21 Nov 2020 18:51:37 -0500 Original-Received: from mail-ej1-f47.google.com ([209.85.218.47]:41257) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1kgcfH-0003M9-Jl for 19479@debbugs.gnu.org; Sat, 21 Nov 2020 18:51:36 -0500 Original-Received: by mail-ej1-f47.google.com with SMTP id gj5so18151526ejb.8 for <19479@debbugs.gnu.org>; Sat, 21 Nov 2020 15:51:35 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:in-reply-to:references:user-agent :mime-version:date:message-id:subject:to:cc :content-transfer-encoding; bh=Z5epYEW1q/KAq5ru/6ahSdgX19ecYqJgO2XQ0/AMCfk=; b=FBeiBHZI0PE2AeaVZA7OWnSuCifgv8Yx1MNdksvkt1mXHCrpQh/FEMq8wFISA3fcze rO74qBf1bns0TJNJeSffoOx/AbMstNSeV6nlbZkNBM0rWXxaafJGBTgxravXuTzofWvn tWUKqCk3z42XTzhWSMcWg0FJn0c9pGs3jL0KV4Cd3VMNqGFRkFgJEee9jVGmiirohlIg FCJdkBzex///Gd9YKkA9HyaReMiby1ymPJUEs2xRjFjg5Wh4rWfE9ryUWsClUN7AoiKh BtVEWVm+a6z+SDDshLP3ceD8GHacUn+My1fZL7qxi0ZFAlKiqMp8T1ngPuXnoI0a/Tz3 Ju9A== X-Gm-Message-State: AOAM531ldVZay7CpkaRsY5TtoN2GEjyaOMtUojj/2Olp36InHddciie9 OKc3U6IWOHjWNci12Vz4oHKM9Iwe70huIKjakbLGkGtb X-Google-Smtp-Source: ABdhPJxn0UGQFY6GO7RJ3nOXoQSJVkpBF0onBM15e0n8Qbc4EmZPrz37FZX31gK1tRulOiki4rGm58KGUHr/lww6UJk= X-Received: by 2002:a17:906:1918:: with SMTP id a24mr15158299eje.432.1606002689379; Sat, 21 Nov 2020 15:51:29 -0800 (PST) Original-Received: from 753933720722 named unknown by gmailapi.google.com with HTTPREST; Sat, 21 Nov 2020 15:51:28 -0800 In-Reply-To: (Stefan Kangas's message of "Fri, 4 Oct 2019 11:49:54 +0200") X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: bug-gnu-emacs@gnu.org List-Id: "Bug reports for GNU Emacs, the Swiss army knife of text editors" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org Original-Sender: "bug-gnu-emacs" Xref: news.gmane.io gmane.emacs.bugs:193827 Archived-At: I have just pushed the branch scratch/package-security with proper support for timestamps, as discussed below. More details are in the commit messages and the proposed documentation changes. Once this is merged, I hope to work on adding support for this to both GNU ELPA and NonGNU ELPA. I would like to merge this change to the master branch. Is it sufficient to ask for reviews and comments here first, or is there anything else I should do in addition? Any comments and feedback on all this is of course more than welcome. Please also see my previous message about this change below. Stefan Kangas writes: > Kelly Dean writes: > >> Ivan Shmakov requested that I send this message to the bug list. >> >> For details, see my message with subject =E2=8C=9CEmacs package manager = vulnerable to replay attacks=E2=8C=9D to emacs-devel on 30 Dec 2014: >> https://lists.gnu.org/archive/html/emacs-devel/2014-12/msg02319.html >> >> Executive summary to fix the vulnerabilities: >> >> 0. Include a hash and length of each package's content in the package's = record >> in archive-contents, rather than only including the package name and ver= sion >> number in that file as Emacs currently does. Barf if a package hash does= n't >> verify, regardless of whether any signatures verify. >> (Length technically not necessary, but still generally useful, e.g. if >> there's a length mismatch then you know there's a content mismatch and >> you don't have to bother checking the hash.) > > I have implemented the first part of the protection against metadata > replay attacks in the attached patch: support for checksum (or hash) > verification. This change is backwards-compatible; the new fields can > be added to "archive-contents" file without impacting old clients. > I've not yet updated documentation, NEWS, etc. but will get to that > next. > > I introduce a new user option `package-verify-checksums' that controls > this new behaviour. The default is 'allow-missing', which only > carries out this check if there are checksums in "archive-contents", > and does nothing otherwise. In itself, this does nothing to protect > against metadata replay attacks (but might protect against data > corruption). You need to set `package-verify-checksums' to t, and > implement timestamping (discussed below). > > I still suggest to stick with this default for Emacs 27.1, or at least > until common package archives can catch up. Once this is implemented > in GNU ELPA and MELPA, it makes more sense to move to a stricter > default. Otherwise, the transition will be very bumpy. I therefore > suggest to discuss stricter defaults later. > > (BTW, I didn't bother fixing the package-x.el code for this patch, > since it seems like it's not that widely used. It will work as > before, but lack support for adding the checksums automatically.) > >> 1. Include a timestamp of archive-contents in that file itself (so that = the >> signature in archive-contents.sig depends on the timestamp, so that the >> timestamp can't be forged), and have Emacs ignore any new archive-conten= ts >> that's older than the latest valid one that Emacs has already seen or is= older >> than some specified limit. One thing I forgot to mention in my original = message: >> have Emacs signal a warning if it ever sees an archive-contents dated in= the >> future, which indicates misconfiguration of the client or server (or of = course, >> some kind of mischief). > > To protect against metadata replay attacks, it is correct that we need > timestamps too. I haven't done that in this first patch, but I hope > to do it in a following patch. I wanted to get this first part done > before I started working on that. > > My current best idea for how to do it is one which AFAICT haven't been > raised in this thread before: to add a comment with an RFC3339 > timestamp to the top of the "archive-contents" file: > > ;; Last-Updated: 2019-10-01T15:32:55.000Z > > This will be ignored by older versions of Emacs, since package.el uses > (read (current-buffer)) to read this file. New versions will have > an easy time parsing this header, caching the value, and refusing to > update the package cache if the timestamp is older than one we have > already seen. With that, we would have implemented protection > against metadata replay attacks.