all messages for Emacs-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed
* bug#19565: Emacs vulnerable to endless-data attack (minor)
@ 2015-01-11 11:12 Kelly Dean
  2015-01-11 18:33 ` Richard Stallman
                   ` (2 more replies)
  0 siblings, 3 replies; 14+ messages in thread
From: Kelly Dean @ 2015-01-11 11:12 UTC (permalink / raw)
  To: 19565

A few days ago I speculated, but now I confirmed. It's technically considered a vulnerability, but in Emacs's case it's a minor problem; exploiting it would be more a prank than a real attack.

To demo locally for archive metadata:
echo -en 'HTTP/1.1 200 OK\r\n\r\n' > header
cat header /dev/urandom | nc -l -p 80

Then in Emacs:
(setq package-archives '(("foo" . "http://127.0.0.1/")))
M-x list-packages

Watch Emacs's memory usage grow and grow...

If you set some arbitrary limit on the size of archive-contents, then theoretically you break some legitimate ginormous elpa. And if you're getting garbage, you wouldn't know it until you've downloaded more garbage than the limit. The right way to fix it is to include the size of archive-contents in another file that can legitimately be constrained to a specified small maximum size, sign that file, and in the client, abort the archive-contents download if you get more data than you're supposed to.

The timestamp file that I proposed for fixing the metadata replay vuln (bug #19479) would be a suitable place to record the size; then no additional file (and signature) is needed just to solve endless-metadata. For the corresponding endless-data vuln for packages instead of metadata, I already put sizes in the package records in my patch for the package replay vuln.

Don't forget you need to set a maximum size not only on the timestamp file, but also on the signature file, or they would be vulnerable too. E.g. just hardcode 1kB.





^ permalink raw reply	[flat|nested] 14+ messages in thread

end of thread, other threads:[~2019-10-08 18:02 UTC | newest]

Thread overview: 14+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-01-11 11:12 bug#19565: Emacs vulnerable to endless-data attack (minor) Kelly Dean
2015-01-11 18:33 ` Richard Stallman
2015-01-11 21:18 ` Kelly Dean
2019-10-06  3:13 ` Stefan Kangas
2019-10-06 17:32   ` Eli Zaretskii
2019-10-07  1:51     ` Lars Ingebrigtsen
2019-10-07 12:50       ` Stefan Kangas
2019-10-07 16:13       ` Eli Zaretskii
2019-10-08 16:27         ` Lars Ingebrigtsen
2019-10-08 16:47           ` Eli Zaretskii
2019-10-08 16:50           ` Stefan Kangas
2019-10-08 17:22             ` Eli Zaretskii
2019-10-08 17:38               ` Stefan Kangas
2019-10-08 18:02                 ` Eli Zaretskii

Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/emacs.git
	https://git.savannah.gnu.org/cgit/emacs/org-mode.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.