From: Kelly Dean
Newsgroups: gmane.emacs.bugs
Subject: bug#19479: Package manager vulnerable
Date: Thu, 01 Jan 2015 12:38:59 +0000
To: 19479@debbugs.gnu.org
X-GNU-PR-Package: emacs
Xref: news.gmane.org gmane.emacs.bugs:97913

Ivan Shmakov requested that I send this message to the bug list. For details, see my message with subject ⌜Emacs package manager vulnerable to replay attacks⌝ to emacs-devel on 30 Dec 2014:
https://lists.gnu.org/archive/html/emacs-devel/2014-12/msg02319.html

Executive summary to fix the vulnerabilities:

0. Include a hash and length of each package's content in the package's record in archive-contents, rather than only including the package name and version number in that file as Emacs currently does. Barf if a package hash doesn't verify, regardless of whether any signatures verify.
(Length technically not necessary, but still generally useful, e.g. if there's a length mismatch then you know there's a content mismatch and you don't have to bother checking the hash.)

Stop distributing elpa-key signatures of packages, since they're superfluous if you have package hashes in archive-contents and have elpa-key signatures of archive-contents, and you already have the latter.

1. Include a timestamp of archive-contents in that file itself (so that the signature in archive-contents.sig depends on the timestamp, so that the timestamp can't be forged), and have Emacs ignore any new archive-contents that's older than the latest valid one that Emacs has already seen or is older than some specified limit. One thing I forgot to mention in my original message: have Emacs signal a warning if it ever sees an archive-contents dated in the future, which indicates misconfiguration of the client or server (or of course, some kind of mischief).

Optional alternative timestamp handling, as Ivan pointed out that Debian does (at least sometimes): Instead of expiring archive-contents after some limit configured in Emacs, put an explicit expiration date in it. Personally, I don't like server-supplied expiration dates, kind of for a similar reason that RMS doesn't like server-supplied Javascript, or maybe just because I have too many irritating memories of expired SSL certs.

Ivan suggested maybe filing those as separate bug reports, but it's pointless to fix either of them unless both are fixed, so it makes more sense to include them together.

One more feature: include in each version of archive-contents a hash (and length) of the previous version of that file. This isn't necessary for preventing any of the vulnerabilities above, but it's easy insurance that slightly mitigates the disaster if the metadata signing key is compromised. It's pointless unless both the above problems are fixed, so it makes sense to put it here.
BTW, check whether Emacs is vulnerable to endless-data attack. (I haven't.) If it is, then the length field mentioned above (which is a good idea in any case) will assist in early detection of this attack. This belongs here because... well no it doesn't, but I don't want to file a separate bug report for it because the report would be bogus if it turns out Emacs isn't vulnerable, and I've already filled my bogusness quota for the week.
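The following is an added example, not code from the bug report or from Emacs's package.el, showing what a client-side verifier implementing the report's proposals (items 0 and 1, the previous-version hash chain, and the length-based early abort against an endless-data response) looks like end to end. It assumes a JSON encoding of archive-contents (the real file is a Lisp form), models the elpa-key detached signature with an HMAC so it runs offline, and uses a constructed signing key, constructed package bodies and a constructed clock; the freshness limit, clock-skew tolerance and the field names `timestamp`, `previous_sha256`, `length` and `sha256` are all assumptions.

```python
"""Verifier for a signed archive-contents with per-package hash/length,
a signed timestamp, and a hash chain to the previous version (added example)."""
from __future__ import annotations
import hashlib
import hmac
import itertools
import json
from dataclasses import dataclass
from typing import Iterable, Optional

MAX_AGE_SECONDS = 7 * 24 * 3600   # assumed client-configured age limit for archive-contents
CLOCK_SKEW_SECONDS = 5 * 60       # assumed tolerance before warning "dated in the future"


class MetadataError(Exception):
    """Raised when archive-contents or a package body fails verification."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign_metadata(key: bytes, raw: bytes) -> str:
    # Stand-in for the elpa-key detached signature (archive-contents.sig).
    return hmac.new(key, raw, hashlib.sha256).hexdigest()


@dataclass
class ClientState:
    """What the client remembers from the last archive-contents it accepted."""
    last_timestamp: Optional[int] = None
    last_hash: Optional[str] = None


def verify_archive_contents(raw: bytes, sig: str, key: bytes,
                            state: ClientState, now: int) -> tuple[dict, list[str]]:
    """Return (parsed metadata, warnings); raise MetadataError on rejection."""
    if not hmac.compare_digest(sign_metadata(key, raw), sig):
        raise MetadataError("archive-contents signature does not verify")
    meta = json.loads(raw)
    ts = int(meta["timestamp"])           # covered by the signature, so not forgeable
    warnings: list[str] = []
    if ts > now + CLOCK_SKEW_SECONDS:     # report: warn, since this indicates misconfiguration
        warnings.append("archive-contents is dated in the future")
    if state.last_timestamp is not None and ts < state.last_timestamp:
        raise MetadataError("older than the latest valid archive-contents already seen")
    if now - ts > MAX_AGE_SECONDS:
        raise MetadataError("archive-contents is older than the configured limit")
    # Hash chain: a new version must name the previous version this client accepted.
    if state.last_hash is not None and meta.get("previous_sha256") != state.last_hash:
        raise MetadataError("archive-contents does not chain to the previous version")
    state.last_timestamp, state.last_hash = ts, sha256_hex(raw)
    return meta, warnings


def fetch_with_limit(chunks: Iterable[bytes], expected_length: int) -> bytes:
    """Read a package body, aborting as soon as it exceeds the signed length."""
    buf = bytearray()
    for chunk in chunks:
        buf.extend(chunk)
        if len(buf) > expected_length:
            raise MetadataError(f"package body exceeds declared length {expected_length}")
    return bytes(buf)


def verify_package(meta: dict, name: str, content: bytes) -> bool:
    """Check length first (cheap), then the hash, against the signed record."""
    rec = meta["packages"][name]
    if len(content) != rec["length"]:
        raise MetadataError(f"{name}: length mismatch, content cannot match")
    if not hmac.compare_digest(sha256_hex(content), rec["sha256"]):
        raise MetadataError(f"{name}: hash mismatch")
    return True


def build_archive(key: bytes, timestamp: int, packages: dict[str, bytes],
                  previous_raw: Optional[bytes]) -> tuple[bytes, str]:
    """Server side: produce a signed archive-contents (constructed format)."""
    meta = {"timestamp": timestamp,
            "previous_sha256": sha256_hex(previous_raw) if previous_raw else None,
            "packages": {n: {"length": len(c), "sha256": sha256_hex(c)}
                         for n, c in packages.items()}}
    raw = json.dumps(meta, sort_keys=True).encode()
    return raw, sign_metadata(key, raw)


def _rejected(fn) -> bool:
    try:
        fn()
        return False
    except MetadataError:
        return True


def demo() -> dict:
    key = b"constructed-demo-signing-key"            # constructed, not a real key
    pkgs = {"foo": b"(defun foo () 1)\n"}            # constructed package body
    now = 1_420_116_000                              # constructed clock (1 Jan 2015)
    v1, s1 = build_archive(key, now - 3600, pkgs, None)
    v2, s2 = build_archive(key, now - 60, pkgs, v1)
    state = ClientState()
    verify_archive_contents(v1, s1, key, state, now)
    meta2, _ = verify_archive_contents(v2, s2, key, state, now)
    v3, s3 = build_archive(key, now, pkgs, b"unrelated bytes")   # breaks the chain
    future, sf = build_archive(key, now + 3600, pkgs, None)
    stale, ss = build_archive(key, now - MAX_AGE_SECONDS - 1, pkgs, None)
    return {
        "fresh_ok": verify_package(meta2, "foo", pkgs["foo"]),
        "replay_rejected": _rejected(lambda: verify_archive_contents(v1, s1, key, state, now)),
        "chain_break_rejected": _rejected(lambda: verify_archive_contents(v3, s3, key, state, now)),
        "tampered_rejected": _rejected(lambda: verify_package(meta2, "foo", b"(defun foo () 2)\n")),
        "endless_aborted": _rejected(lambda: fetch_with_limit(itertools.repeat(b"x" * 1024), 17)),
        "future_warned": bool(verify_archive_contents(future, sf, key, ClientState(), now)[1]),
        "stale_rejected": _rejected(lambda: verify_archive_contents(stale, ss, key, ClientState(), now)),
    }
```

The order of checks in `verify_archive_contents` matters: the signature is checked before anything in the file is trusted, and the timestamp comparison runs before the chain check so a replayed older file is reported as a replay rather than as a chain break. `fetch_with_limit` consumes an infinite iterator in the demo to show that the declared length lets the client stop reading without ever buffering more than one chunk past the limit.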