From: Kelly Dean
To: Richard Stallman
Cc: 19479@debbugs.gnu.org
Subject: bug#19479: Package manager vulnerable
Date: Tue, 06 Jan 2015 06:38:12 +0000
Message-ID: <7H65S0MOziz4Z4bzCiATJJDvxaiWHmPOI3K95M87DGM@local>
Richard Stallman wrote:

> What do we need to do on ftp.gnu.org to avoid these dangers?

It depends on what you expect the user's responsibility to be. If you expect him to know the latest version number of a package (without relying on the gnu.org webserver to find out, in case it's compromised), and you expect him to manually verify that his download is the latest version (in addition to verifying the signature, of course), and you give him the ability to do this by always including both the name and the version number in your packages (so far as I'm aware, you already do) and never re-using version numbers (I think you're ok here too), then you have no problem, so there's nothing you need to do.

Otherwise, the problems and solution are the same as for package distribution systems in general, as detailed at

https://www.cs.arizona.edu/stork/packagemanagersecurity/attacks-on-package-managers.html
https://www.cs.arizona.edu/stork/packagemanagersecurity/otherattacks.html
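The checks described in the message above, written out as an added example that is not part of the original thread and not GNU's or ELPA's code: a signed manifest binds the package name and version to the file's hash, and the client rejects a download whose signature is bad, whose name differs from the one requested, whose version is older than the latest version the user learned out of band, or whose file does not match the signed hash. It assumes an HMAC as a dependency-free stand-in for the real asymmetric (e.g. GPG) signature, and the package name "foo", versions 1.1 and 1.2 and their contents are constructed sample data.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the distributor's signing key. A real archive signs
# with an asymmetric key (e.g. GPG) so that clients hold only the public half;
# HMAC is used here purely to keep the example dependency-free.
SIGNING_KEY = b"constructed-demo-signing-key"


def sign_release(name, version, payload):
    """Distributor side: publish a package file together with a signed
    manifest that binds the package NAME and VERSION to the file's hash."""
    manifest = json.dumps(
        {"name": name, "version": version,
         "sha256": hashlib.sha256(payload).hexdigest()},
        sort_keys=True,
    ).encode()
    sig = hmac.new(SIGNING_KEY, manifest, hashlib.sha256).hexdigest()
    return {"manifest": manifest, "sig": sig, "payload": payload}


def parse_version(v):
    """Dotted numeric version string -> comparable tuple, e.g. '1.10' -> (1, 10)."""
    return tuple(int(part) for part in v.split("."))


def verify_download(release, expected_name, known_latest):
    """Client side. KNOWN_LATEST is the version the user learned out of band
    (not from the possibly compromised web server). Returns (ok, reason)."""
    manifest, sig, payload = release["manifest"], release["sig"], release["payload"]

    # 1. Signature check: catches a modified manifest (name, version or hash).
    expected_sig = hmac.new(SIGNING_KEY, manifest, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected_sig):
        return False, "bad signature"

    meta = json.loads(manifest)

    # 2. Name check: a validly signed manifest for a *different* package must
    #    not be accepted in place of the one requested.
    if meta["name"] != expected_name:
        return False, "package name mismatch"

    # 3. Freshness check: a validly signed but *older* release is a replay /
    #    freeze attack, which the signature alone cannot detect. This is the
    #    step that needs the out-of-band knowledge of the latest version.
    if parse_version(meta["version"]) < parse_version(known_latest):
        return False, "stale version %s (latest known %s)" % (meta["version"], known_latest)

    # 4. Content check: the file actually delivered must be the one signed.
    if hashlib.sha256(payload).hexdigest() != meta["sha256"]:
        return False, "payload hash mismatch"

    return True, "ok"


# Constructed sample releases: an old 1.1 and a current 1.2 of "foo".
OLD = sign_release("foo", "1.1", b"foo 1.1 contents (constructed)")
CUR = sign_release("foo", "1.2", b"foo 1.2 contents (constructed)")

# Constructed: the current manifest and signature served with altered contents.
TAMPERED = dict(CUR, payload=b"modified contents (constructed)")

if __name__ == "__main__":
    for label, rel in (("current", CUR), ("replayed old", OLD), ("tampered", TAMPERED)):
        print(label, verify_download(rel, "foo", "1.2"))
```

The point of the example is step 3: a mirror still serving 1.1 passes the signature, name and hash checks, because the distributor really did sign 1.1; only the comparison against an independently known latest version rejects it. If the user's knowledge of the latest version comes from the same server that serves the files, that server can lie about both and the check is worthless.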