From: Ted Zlatanov <tzz@lifelogs.com>
To: emacs-devel@gnu.org
Subject: Re: security of the emacs package system, elpa, melpa and marmalade
Date: Sun, 29 Sep 2013 06:12:19 -0400 [thread overview]
Message-ID: <87txh4ym0s.fsf@flea.lifelogs.com> (raw)
In-Reply-To: E1VPENg-00088J-Mw@fencepost.gnu.org
On Thu, 26 Sep 2013 12:25:32 -0400 Richard Stallman <rms@gnu.org> wrote:
RS> The basic question is, what sorts of things do we want security against?
RS> So far, we have put effort into security against
RS> * Attacks through files you might examine.
RS> * Surreptitious substitution of the wrong code
RS> instead of what you think you are downloading.
RS> If the existence of package repositories introduces new ways to do
RS> those things, we should do what is needed to make them safe.
We need to question whether relying on GPG is the right thing here, or
if we need an Emacs Lisp-based or C-based solution to authenticate
content signatures. I am leaning towards the latter after years of
experience with GPG and epg.el (without questioning the quality of
epg.el, which is very good). At the very least, spawning an external
process to verify a signature for every package download seems wasteful.
In addition, I think we need reviews of package updates before they are
rolled out on the GNU ELPA. It's a lot of work.
RS> Does anyone think we should start worrying about some other attack?
"Just because you're paranoid doesn't mean they're not after you."
Here is a quick list of other attacks. I am not posing conspiracy
theories; the below are all based on real-life compromises I have seen
in other software or in GNU Emacs.
(note that the GNU ELPA can be used by many versions of Emacs, some with
bugs that are fixed later but could be exploitable at that version)
- injection of binary blobs, even if well-intended
- injection of external resources, e.g. a URL which suddenly starts
generating an image that can exploit a libgif bug to compromise a
system (note that this can be easily targeted to a single IP)
- DDoS of a target website or service by using their resources (this
could be intentional or accidental)
- injection of code that is not GPLed or is otherwise legally
questionable
- targeted attacks, e.g. compromises that work on only one user's
machine but behave well otherwise
- exploits of the Emacs Lisp parser, e.g. imagine a bug in the hashtable
reader or a specially-formatted comment that breaks the symbol table
(I'm not aware of such bugs, this is just an example)
- exploits of file-local variables
- advice-based attacks (package X advises function F in a non-obvious
way to compromise security)
I hope this is useful.
Ted
next prev parent reply other threads:[~2013-09-29 10:12 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-09-23 7:30 security of the emacs package system, elpa, melpa and marmalade Matthias Dahl
2013-09-23 14:17 ` Stefan Monnier
2013-09-25 8:11 ` Matthias Dahl
2013-09-25 17:00 ` Stefan Monnier
2013-09-25 18:31 ` Matthias Dahl
2013-09-25 22:42 ` Bastien
2013-09-26 9:02 ` Matthias Dahl
2013-09-27 14:02 ` Bastien
2013-09-27 14:17 ` Matthias Dahl
2013-09-27 14:19 ` Bastien
2013-09-27 18:29 ` Matthias Dahl
2013-09-26 1:09 ` Stefan Monnier
2013-09-26 9:02 ` Matthias Dahl
2013-09-26 9:21 ` Óscar Fuentes
2013-09-26 14:41 ` Stefan Monnier
2013-09-27 14:17 ` Matthias Dahl
2013-09-27 15:47 ` Stefan Monnier
2013-09-28 14:15 ` Richard Stallman
2013-09-30 15:12 ` Matthias Dahl
2013-09-30 21:11 ` Richard Stallman
2013-09-30 15:31 ` Matthias Dahl
2013-09-26 1:12 ` Stephen J. Turnbull
2013-09-26 9:02 ` Matthias Dahl
2013-09-27 7:10 ` Stephen J. Turnbull
2013-09-27 14:18 ` Matthias Dahl
2013-09-27 17:31 ` Stephen J. Turnbull
2013-09-30 15:25 ` Matthias Dahl
2013-10-01 2:19 ` Stephen J. Turnbull
2013-09-27 20:12 ` chad
2013-09-26 9:31 ` Andreas Röhler
2013-09-26 16:25 ` Richard Stallman
2013-09-27 14:18 ` Matthias Dahl
2013-09-27 15:04 ` Óscar Fuentes
2014-09-13 17:57 ` Thomas Koch
2013-09-29 10:12 ` Ted Zlatanov [this message]
2013-09-29 9:53 ` Ted Zlatanov
2013-09-29 17:49 ` Daiki Ueno
2013-09-29 18:18 ` Ted Zlatanov
2013-09-30 13:25 ` Ted Zlatanov
2013-09-30 14:50 ` Stephen J. Turnbull
2013-09-30 15:10 ` Matthias Dahl
2013-09-30 17:18 ` Ted Zlatanov
2013-10-01 14:03 ` Matthias Dahl
2013-10-02 2:45 ` Stephen J. Turnbull
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://www.gnu.org/software/emacs/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87txh4ym0s.fsf@flea.lifelogs.com \
--to=tzz@lifelogs.com \
--cc=emacs-devel@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/emacs.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).