From: Stefan Monnier
Newsgroups: gmane.emacs.bugs
Subject: bug#19479: Package manager vulnerable
Date: Sun, 04 Jan 2015 21:16:00 -0500
To: Kelly Dean
Cc: 19479@debbugs.gnu.org
In-Reply-To: Kelly Dean's message of "Mon, 05 Jan 2015 01:11:40 +0000"
> If filenames include version numbers and the version numbers are never
> reused,

The ELPA system in general does not enforce that. But the GNU ELPA scripts
do, and other ELPA servers work in a way that should generally make sure
this is also the case.

> then your solution does prevent package replay attacks. Since Emacs
> packages already include a Version header (and the package name), you could
> actually do your proposed verification using that header, without changing
> the way signatures are currently made, which is a solution I addressed in my
> original emacs-devel message.

Indeed, I realized this just after I sent my message.

So we can fix this problem simply by changing package.el so as to check that
the name&version of the downloaded file match the name&version contained
therein. Patch welcome.

> But remember, none of the above prevents metadata replay attacks. If the
> user himself is specifying the metadata (e.g. you manually request Emacs
> 24.4 because you know that's the latest version), then verification to
> prevent metadata replay attacks isn't the computer's job. But when the user
> just says to update some package(s) to the latest version, without
> specifying the version, then it is the computer's job. For this,
> put a timestamp of the archive-contents file into the file itself.

Agreed. It should be fairly easy to add a timestamp in there without causing
any backward incompatibility.

        Stefan
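The two checks discussed in this message (name/version of the downloaded file against its own headers, and a freshness timestamp in archive-contents), as an added illustration in Python rather than package.el's own Emacs Lisp; it is not code from the thread or from Emacs. It assumes the ELPA convention that archive files are named NAME-VERSION.el or NAME-VERSION.tar, and the sample package text and timestamps are constructed.

```python
import re

# Constructed sample of a single-file package as an ELPA server would serve it;
# the ";;; NAME.el ---" and ";; Version:" headers are the Emacs conventions.
SAMPLE_PKG = """;;; foo.el --- Example package  -*- lexical-binding: t -*-
;; Version: 1.2.3
;; Package-Requires: ((emacs "24.4"))
;;; Code:
(provide 'foo)
"""


def header_name_version(contents):
    """Return (name, version) from the package's own headers, or None."""
    name = re.search(r"^;;; (\S+)\.el --- ", contents, re.M)
    ver = re.search(r"^;;+\s*Version:\s*(\S+)", contents, re.M)
    return (name.group(1), ver.group(1)) if name and ver else None


def filename_name_version(filename):
    """Return (name, version) as encoded in an archive file name, or None."""
    m = re.fullmatch(r"(.+)-(\d+(?:\.\d+)*)\.(?:el|tar)", filename)
    return (m.group(1), m.group(2)) if m else None


def downloaded_file_matches(filename, contents):
    """Check 1: the file served as NAME-VERSION must say it is NAME VERSION.

    A valid signature on an older release is useless to a replaying server
    if the client refuses a file whose embedded name/version differ from
    the ones it asked for.  Both sides must parse; two failures are not a
    match."""
    expected = filename_name_version(filename)
    return expected is not None and expected == header_name_version(contents)


def archive_contents_fresh(new_ts, last_seen_ts, max_age, now):
    """Check 2: a timestamp embedded in archive-contents lets the client
    reject a replayed (older) or stale index even though its signature
    verifies.  Timestamps are Unix seconds; max_age is the tolerated age."""
    return new_ts > last_seen_ts and (now - new_ts) <= max_age
```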