From: Kelly Dean <kelly@prtime.org>
To: 19479@debbugs.gnu.org
Subject: bug#19479: Package manager vulnerable
Date: Thu, 01 Jan 2015 12:38:59 +0000 [thread overview]
Message-ID: <OYNAdwJtSjDBqdP8v3CmmCvPSb3L6y6lTYtZpQrTySr@local> (raw)
In-Reply-To: qRgJhF1EfrtAmBqmyTLGcOkoyCcHP7kWm6t8KBDxra2@local
Ivan Shmakov requested that I send this message to the bug list.
For details, see my message with subject ⌜Emacs package manager vulnerable to replay attacks⌝ to emacs-devel on 30 Dec 2014:
https://lists.gnu.org/archive/html/emacs-devel/2014-12/msg02319.html
Executive summary to fix the vulnerabilities:
0. Include a hash and length of each package's content in the package's record in archive-contents, rather than only including the package name and version number in that file as Emacs currently does. Barf if a package hash doesn't verify, regardless of whether any signatures verify.
(Length technically not necessary, but still generally useful, e.g. if there's a length mismatch then you know there's a content mismatch and you don't have to bother checking the hash.)
Stop distributing elpa-key signatures of packages, since they're superfluous if you have package hashes in archive-contents and have elpa-key signatures of archive-contents, and you already have the latter.
1. Include a timestamp of archive-contents in that file itself (so that the signature in archive-contents.sig depends on the timestamp, so that the timestamp can't be forged), and have Emacs ignore any new archive-contents that's older than the latest valid one that Emacs has already seen or is older than some specified limit. One thing I forgot to mention in my original message: have Emacs signal a warning if it ever sees an archive-contents dated in the future, which indicates misconfiguration of the client or server (or of course, some kind of mischief).
Optional alternative timestamp handling, as Ivan pointed out that Debian does (at least sometimes): Instead of expiring archive-contents after some limit configured in Emacs, put an explicit expiration date in it. Personally, I don't like server-supplied expiration dates, kind of for a similar reason that RMS doesn't like server-supplied Javascript, or maybe just because I have too many irritating memories of expired SSL certs.
Ivan suggested maybe filing those as separate bug reports, but it's pointless to fix either of them unless both are fixed, so it makes more sense to include them together.
One more feature: include in each version of archive-contents a hash (and length) of the previous version of that file. This isn't necessary for preventing any of the vulnerabilities above, but it's easy insurance that slightly mitigates the disaster if the metadata signing key is compromised. It's pointless unless both the above problems are fixed, so it makes sense to put it here.
BTW, check whether Emacs is vulnerable to endless-data attack. (I haven't.) If it is, then the length field mentioned above (which is a good idea in any case) will assist in early detection of this attack. This belongs here because... well no it doesn't, but I don't want to file a separate bug report for it because the report would be bogus if it turns out Emacs isn't vulnerable, and I've already filled my bogusness quota for the week.
next parent reply other threads:[~2015-01-01 12:38 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <qRgJhF1EfrtAmBqmyTLGcOkoyCcHP7kWm6t8KBDxra2@local>
2015-01-01 12:38 ` Kelly Dean [this message]
2015-01-04 20:00 ` bug#19479: Package manager vulnerable Stefan Monnier
2015-01-05 1:11 ` Kelly Dean
2015-01-05 2:16 ` Stefan Monnier
2015-01-08 3:31 ` bug#19479: [PATCH] " Kelly Dean
2015-01-08 3:44 ` Glenn Morris
2015-01-08 5:29 ` Kelly Dean
2015-01-08 14:39 ` Stefan Monnier
2015-01-08 21:06 ` Kelly Dean
2015-01-09 2:37 ` Stefan Monnier
2015-01-09 6:59 ` bug#19479: Copyright issue (was: Re: bug#19479: Package manager vulnerable) Kelly Dean
2015-01-09 15:17 ` bug#19479: Copyright issue Stefan Monnier
2015-01-09 15:29 ` David Kastrup
2015-01-09 19:57 ` Kelly Dean
[not found] ` <EitH3yok1Itmynw5Ex1Vi3AuvkREurR1ccm1J5MQD4E@local>
2015-01-09 20:24 ` Glenn Morris
[not found] ` <0etwzzu2gd.fsf@fencepost.gnu.org>
2015-01-09 20:32 ` Glenn Morris
2015-02-24 8:47 ` bug#19479: Emacs package manager vulnerable to replay attacks Kelly Dean
2015-01-11 2:56 ` bug#19479: (on-topic) Re: bug#19479: Package manager vulnerable Kelly Dean
2015-01-20 21:18 ` bug#19479: Disclaimer is now on file at FSF Kelly Dean
2015-02-24 18:11 ` Glenn Morris
2017-09-03 1:10 ` bug#19479: Package manager vulnerable Glenn Morris
2019-10-04 9:49 ` Stefan Kangas
2020-05-06 0:55 ` Noam Postavsky
2020-09-06 23:59 ` Stefan Kangas
2020-09-07 14:14 ` Noam Postavsky
2020-09-07 18:11 ` Stefan Kangas
2020-11-21 23:51 ` bug#19479: Package manager vulnerable to replay attacks Stefan Kangas
2020-11-26 0:43 ` Stefan Monnier
2020-11-26 2:06 ` Stefan Kangas
2020-11-26 2:30 ` Stefan Monnier
2020-11-26 3:02 ` Stefan Kangas
2020-11-26 3:11 ` Stefan Monnier
2020-11-26 3:56 ` Jean Louis
2020-09-07 17:19 ` bug#19479: Package manager vulnerable Stefan Kangas
2020-09-07 23:54 ` Noam Postavsky
2020-09-08 8:10 ` Stefan Kangas
[not found] <E1Y8Bor-0003yH-Mu@fencepost.gnu.org>
2015-01-06 6:38 ` Kelly Dean
2015-01-07 4:27 ` Richard Stallman
2015-01-08 3:33 bug#19536: [PATCH] package-upload-buffer-internal fails for tar files Kelly Dean
2015-01-08 5:50 ` Stefan Monnier
2015-01-08 7:10 ` Kelly Dean
2015-01-08 11:40 ` bug#19479: Package manager vulnerable Kelly Dean
2015-02-18 1:03 ` bug#19536: package-upload-buffer-internal fails for tar files Kelly Dean
[not found] <0ylhjngoxs.fsf@fencepost.gnu.org>
2015-02-24 23:02 ` bug#19479: Disclaimer is now on file at FSF Kelly Dean
[not found] ` <5j6SB8Hmg5euoiN2VLa1iolGVWZxTvwQ1LnsgFUQiDZ@local>
2015-02-25 21:09 ` Glenn Morris
[not found] ` <yuegpd8zq2.fsf@fencepost.gnu.org>
2017-09-02 12:24 ` Eli Zaretskii
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://www.gnu.org/software/emacs/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=OYNAdwJtSjDBqdP8v3CmmCvPSb3L6y6lTYtZpQrTySr@local \
--to=kelly@prtime.org \
--cc=19479@debbugs.gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/emacs.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).