From: Stefan Monnier
Newsgroups: gmane.emacs.bugs
Subject: bug#19479: Package manager vulnerable
Date: Sun, 04 Jan 2015 15:00:43 -0500
To: Kelly Dean
Cc: 19479@debbugs.gnu.org
In-Reply-To: (Kelly Dean's message of "Thu, 01 Jan 2015 12:38:59 +0000")
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.0.50 (gnu/linux)
X-GNU-PR-Message: followup 19479
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords: security
List-Id: "Bug reports for GNU Emacs, the Swiss army knife of text editors"
Xref: news.gmane.org gmane.emacs.bugs:97997

> For details, see my message with subject ⌜Emacs package manager vulnerable
> to replay attacks⌝ to emacs-devel on 30 Dec 2014:
> https://lists.gnu.org/archive/html/emacs-devel/2014-12/msg02319.html

AFAICT, this vulnerability also applies to the way GNU packages are
distributed in ftp.gnu.org (i.e. as a tarball plus a .sig file).
Is that right?

> Executive summary to fix the vulnerabilities:

Another way to attack the problem is to include the file name along with
its content in "the thing that gets signed". I.e. the signature shouldn't
apply to the output of "cat <file>" but to the output of
"echo <file>; cat <file>". This way an attacker can't take <foo>.tar along
with <foo>.tar.sig and send them off as <bar>.tar along with <bar>.tar.sig.

        Stefan
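The difference between the two signing schemes in the message above, as an added example that is not part of the original thread and is not Emacs or GNU code. It assumes an HMAC stand-in for the OpenPGP detached signature (the only property at issue is which bytes the signature binds) and a 4-byte length prefix as the encoding of "echo <file>; cat <file>"; the key, file names and tarball bytes are constructed sample values.

```python
import hashlib
import hmac

# Constructed stand-in for the distributor's signing key. The real scheme uses
# an OpenPGP key and a detached .sig file; a keyed MAC is enough to show which
# bytes the signature binds, which is the only property examined here.
SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"


def _mac(message: bytes) -> bytes:
    return hmac.new(SIGNING_KEY, message, hashlib.sha256).digest()


def sign_content_only(name: str, content: bytes) -> bytes:
    """Current scheme: the signature covers only the output of `cat <file>`.
    The name is accepted for a uniform interface but deliberately ignored."""
    return _mac(content)


def verify_content_only(name: str, content: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(_mac(content), sig)


def _name_and_content(name: str, content: bytes) -> bytes:
    """Encode `echo <file>; cat <file>` unambiguously.

    The 4-byte length prefix is an added choice (the message does not specify
    an encoding); it keeps a file name containing a newline from being
    re-split into a different (name, content) pair."""
    encoded = name.encode("utf-8")
    return len(encoded).to_bytes(4, "big") + encoded + content


def sign_name_and_content(name: str, content: bytes) -> bytes:
    """Proposed scheme: the signature covers the file name and its content."""
    return _mac(_name_and_content(name, content))


def verify_name_and_content(name: str, content: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(_mac(_name_and_content(name, content)), sig)


SCHEMES = {
    "content-only": (sign_content_only, verify_content_only),
    "name-and-content": (sign_name_and_content, verify_name_and_content),
}


def rename_replay_accepted(scheme: str) -> bool:
    """Simulate the replay: a genuinely signed old release (constructed sample
    bytes) is re-served unchanged under the file name of a newer release.
    Returns True when the verifier accepts it, i.e. when the scheme lets
    <foo>.tar plus <foo>.tar.sig pass as <bar>.tar plus <bar>.tar.sig."""
    sign, verify = SCHEMES[scheme]
    old_name, old_content = "pkg-1.0.tar", b"constructed bytes of the 1.0 tarball"
    sig = sign(old_name, old_content)          # legitimately issued for 1.0
    new_name = "pkg-2.0.tar"                   # the name the client asked for
    return verify(new_name, old_content, sig)  # the .sig file is copied verbatim


def honest_download_accepted(scheme: str) -> bool:
    """Sanity check: the unmodified release still verifies under each scheme."""
    sign, verify = SCHEMES[scheme]
    name, content = "pkg-1.0.tar", b"constructed bytes of the 1.0 tarball"
    return verify(name, content, sign(name, content))


if __name__ == "__main__":
    for scheme in SCHEMES:
        print(f"{scheme:17s} honest={honest_download_accepted(scheme)} "
              f"rename-replay accepted={rename_replay_accepted(scheme)}")
```

Run as a script it reports that the content-only scheme accepts the renamed old tarball while the name-and-content scheme rejects it, with the honest download verifying under both. Because the file name of a release carries its version, binding it into the signed bytes is what stops an old tarball and its detached signature from being served as a newer one; the detached signature itself is unchanged, so a verifier that only checks content has nothing to object to. The length prefix matters in practice: a literal `echo <file>; cat <file>` concatenation is only unambiguous if file names can never contain a newline.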