From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.org!not-for-mail
From: Stefan Monnier <monnier@iro.umontreal.ca>
Newsgroups: gmane.emacs.bugs
Subject: bug#19479: Package manager vulnerable
Date: Sun, 04 Jan 2015 15:00:43 -0500
Message-ID: <jwvk3129vcv.fsf-monnier+emacsbugs@gnu.org>
References: <qRgJhF1EfrtAmBqmyTLGcOkoyCcHP7kWm6t8KBDxra2@local>
	<OYNAdwJtSjDBqdP8v3CmmCvPSb3L6y6lTYtZpQrTySr@local>
NNTP-Posting-Host: plane.gmane.org
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Trace: ger.gmane.org 1420401689 5740 80.91.229.3 (4 Jan 2015 20:01:29 GMT)
X-Complaints-To: usenet@ger.gmane.org
NNTP-Posting-Date: Sun, 4 Jan 2015 20:01:29 +0000 (UTC)
Cc: 19479@debbugs.gnu.org
To: Kelly Dean <kelly@prtime.org>
Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org Sun Jan 04 21:01:23 2015
Return-path: <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org>
Envelope-to: geb-bug-gnu-emacs@m.gmane.org
Original-Received: from lists.gnu.org ([208.118.235.17])
	by plane.gmane.org with esmtp (Exim 4.69)
	(envelope-from <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org>)
	id 1Y7rMO-0001KO-3M
	for geb-bug-gnu-emacs@m.gmane.org; Sun, 04 Jan 2015 21:01:12 +0100
Original-Received: from localhost ([::1]:57922 helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org>)
	id 1Y7rMN-00061c-1N
	for geb-bug-gnu-emacs@m.gmane.org; Sun, 04 Jan 2015 15:01:11 -0500
Original-Received: from eggs.gnu.org ([2001:4830:134:3::10]:52786)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1Y7rMJ-00061W-W1
	for bug-gnu-emacs@gnu.org; Sun, 04 Jan 2015 15:01:08 -0500
Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1Y7rMF-00011j-2B
	for bug-gnu-emacs@gnu.org; Sun, 04 Jan 2015 15:01:07 -0500
Original-Received: from debbugs.gnu.org ([140.186.70.43]:55476)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1Y7rME-00011d-Vo
	for bug-gnu-emacs@gnu.org; Sun, 04 Jan 2015 15:01:03 -0500
Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.80)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1Y7rME-0006uC-Hi
	for bug-gnu-emacs@gnu.org; Sun, 04 Jan 2015 15:01:02 -0500
X-Loop: help-debbugs@gnu.org
Resent-From: Stefan Monnier <monnier@iro.umontreal.ca>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: bug-gnu-emacs@gnu.org
Resent-Date: Sun, 04 Jan 2015 20:01:02 +0000
Resent-Message-ID: <handler.19479.B19479.142040164826513@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 19479
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords: security
Original-Received: via spool by 19479-submit@debbugs.gnu.org id=B19479.142040164826513
	(code B ref 19479); Sun, 04 Jan 2015 20:01:02 +0000
Original-Received: (at 19479) by debbugs.gnu.org; 4 Jan 2015 20:00:48 +0000
Original-Received: from localhost ([127.0.0.1]:36609 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1Y7rLz-0006tZ-Iw
	for submit@debbugs.gnu.org; Sun, 04 Jan 2015 15:00:47 -0500
Original-Received: from ironport2-out.teksavvy.com ([206.248.154.181]:51727)
	by debbugs.gnu.org with esmtp (Exim 4.80)
	(envelope-from <monnier@iro.umontreal.ca>) id 1Y7rLw-0006tQ-OJ
	for 19479@debbugs.gnu.org; Sun, 04 Jan 2015 15:00:45 -0500
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AqkPAOwQflRFpY0B/2dsb2JhbABbgwdSWYI1UIUKvl8bCoYZBAICgSQXAQEBAQEBfIQDAQEBAgEBAiAzIwULCxoCGA4CAhQUBA0kiEoJDb95llMBAQEBAQUBAQEBAQEYBIErjAuDBjMHgnWBUwWLAYoegjcFgT2WF4F4hBkhMAGCRgEBAQ
X-IPAS-Result: AqkPAOwQflRFpY0B/2dsb2JhbABbgwdSWYI1UIUKvl8bCoYZBAICgSQXAQEBAQEBfIQDAQEBAgEBAiAzIwULCxoCGA4CAhQUBA0kiEoJDb95llMBAQEBAQUBAQEBAQEYBIErjAuDBjMHgnWBUwWLAYoegjcFgT2WF4F4hBkhMAGCRgEBAQ
X-IronPort-AV: E=Sophos;i="5.07,502,1413259200"; d="scan'208";a="106532447"
Original-Received: from 69-165-141-1.dsl.teksavvy.com (HELO ceviche.home)
	([69.165.141.1])
	by ironport2-out.teksavvy.com with ESMTP/TLS/DHE-RSA-AES256-SHA;
	04 Jan 2015 15:00:44 -0500
Original-Received: by ceviche.home (Postfix, from userid 20848)
	id E704866100; Sun,  4 Jan 2015 15:00:43 -0500 (EST)
In-Reply-To: <OYNAdwJtSjDBqdP8v3CmmCvPSb3L6y6lTYtZpQrTySr@local> (Kelly Dean's
	message of "Thu, 01 Jan 2015 12:38:59 +0000")
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.0.50 (gnu/linux)
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.15
Precedence: list
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 3.x
X-Received-From: 140.186.70.43
X-BeenThere: bug-gnu-emacs@gnu.org
List-Id: "Bug reports for GNU Emacs,
	the Swiss army knife of text editors" <bug-gnu-emacs.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-gnu-emacs>,
	<mailto:bug-gnu-emacs-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/bug-gnu-emacs>
List-Post: <mailto:bug-gnu-emacs@gnu.org>
List-Help: <mailto:bug-gnu-emacs-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-gnu-emacs>,
	<mailto:bug-gnu-emacs-request@gnu.org?subject=subscribe>
Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org
Original-Sender: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org
Xref: news.gmane.org gmane.emacs.bugs:97997
Archived-At: <http://permalink.gmane.org/gmane.emacs.bugs/97997>

> For details, see my message with subject =E2=8C=9CEmacs package manager v=
ulnerable
> to replay attacks=E2=8C=9D to emacs-devel on 30 Dec 2014:
> https://lists.gnu.org/archive/html/emacs-devel/2014-12/msg02319.html

AFAICT, this vulnerability also applies to the way GNU packages are
distributed in ftp.gnu.org (i.e. as a tarball plus a .sig file).

Is that right?

> Executive summary to fix the vulnerabilities:

Another way to attack the problem is to include the file name along with
its content in "the thing that gets signed".
I.e. the signature shouldn't apply to the output of "cat <foo>" but to
the output of "echo <foo>; cat <foo>".

This way an attacker can't take <vulnerable>.tar along with
<vulnerable>.tar.sig and send them off as <safe>.tar along with
<safe>.tar.sig.


        Stefan