Subject: bug#48146: Getting diverted to non-updated branches: a limitation of the authentication mechanism?
From: Ludovic Courtès
To: Maxime Devos
Cc: 48146@debbugs.gnu.org
Date: Wed, 05 May 2021 22:34:13 +0200
Message-ID: <874kfgj4xm.fsf@gnu.org>
In-Reply-To: (Maxime Devos's message of "Sat, 01 May 2021 23:40:01 +0200")
X-GNU-PR-Package: guix
X-GNU-PR-Keywords: security
List-Id: Bug reports for GNU Guix

Hi Maxime,

Maxime Devos wrote:

> 5. The user is at commit A.
>    There is a correctly-signed commit C on, say, core-updates,
>    such that: C comes after A, but C is not yet in master for the foreseeable future.
>
> Method:
> 6. The attacker subverts savannah, replacing the tip of 'master' with 'C'.
>    To avoid detection, this subverted master is only served to the targeted users.
> 7. The targeted users' systems' unattended-service-type
>    do their equivalent of "guix pull && guix system reconfigure ...".
> 8. The targeted systems are now on core-updates, which does not receive timely
>    security updates.
> 9. On future automatic upgrades, the users' systems will stay on core-updates,
>    without any obvious indication something is wrong. (Aside from recompilations,
>    maybe the user's machine has 40GiB RAM, dozens of processors and sits in some
>    data centre where the user won't notice the sound of the fans.)
> 10. A vulnerability is discovered (and fixed) and there is a blog post or something!
>     The attacker is late to the party.
> 11. Unfortunately for the user, the automatic upgrade does not fix the vulnerability
>     on the user's system, as vulnerabilities are not patched on core-updates.

Note that the attacker doesn’t even need to do something as
sophisticated as you describe: they can just tweak the repo such that
the advertised tip of ‘master’ remains today’s commit for some time.

The blog post Leo mentioned discusses this problem and it’s not
addressed per se. If specific users are targeted, as in your scenario,
it could be hard to detect. But then again, I’d argue it’s beyond our
threat model: there are other ways, possibly easier, to target
individuals.

If we assume the attacker is not targeting specific individuals but
rather the whole user base, the attack can still be carried out but it
wouldn’t go undetected for long. The “reference state log” mentioned in
the blog post could help.

> Proposal for a fix:
> 13. Find a volunteer to actually implement this.
> 14. When creating branches that do not receive timely security updates,
>     such as wip-gnome, core-updates and staging, add a line
>
>       Authentication-Allow-Automatic-Follow: no (core-updates)
>
>     to the commit message.
> 15. When updating guix from a commit A to commit B, additionally verify
>     whether there exists a path from A to B that does _not_ have a
>
>       Authentication-Allow-Automatic-Follow: no [branch]
>
>     line. If no such path exists, bail out and tell the user something
>     like:
>
>       error: Refusing to switch to the branch 'branch'!
>
>       This usually means someone is trying to trick you into
>       not receiving timely security updates! Please report this
>       incident to #guix on freenode, or at bug-guix@gnu.org.
>
>       It is safe to simply run "guix pull" again later.
> 16. If there is a path from A to B that _does_ have a
>
>       Authentication-Allow-Automatic-Follow: no [branch]
>
>     line, and another path that does _not_ have such a line,
>     that means the branch has been merged, which is totally fine,
>     so no error message is required in that case.

It’s an interesting idea. It addresses the scenario you described
(redirecting users to a different branch) but it doesn’t address the
more general indefinite freeze attack. I’m not sure it’s worth focusing
on this special case. Something like the “reference state log” would
help address the general case.

Thoughts?

Thanks for thinking through it!

Ludo’.
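As an added illustration of the path check sketched in items 14 to 16 above (example code written for this page, not code from the thread, from Maxime's proposal as implemented, or from Guix itself), the following Python models the decision a client would make before moving from commit A to commit B. The commit graph, the commit messages and the function names (`check_update`, `marked_commits_between`, `blocked_branch`) are all constructed for the example; it also separates "B is not a descendant of A at all" from "every path from A to B crosses a marker commit", which the proposal does not spell out.

```python
"""Toy model of the "Authentication-Allow-Automatic-Follow: no" check.

Added example, not part of the bug#48146 thread or of Guix. The history
below is constructed: a* are master commits, cu* are core-updates commits,
and cu0 is the branch point whose message carries the marker line.

    a0 -- a1 -------- m -- a2      (master)
      \\             /
       cu0 -- cu1 -- cu2           (core-updates)
"""
import re

# Marker line from item 14. The branch name in (...) or [...] is optional
# and is only used to name the branch in the refusal message.
MARKER_RE = re.compile(
    r"^Authentication-Allow-Automatic-Follow:\s*no"
    r"(?:\s*[\(\[]([^\)\]]+)[\)\]])?\s*$",
    re.MULTILINE,
)

PARENTS = {  # commit -> list of parent commits (constructed)
    "a0": [], "a1": ["a0"], "cu0": ["a0"], "cu1": ["cu0"], "cu2": ["cu1"],
    "m": ["a1", "cu2"], "a2": ["m"],
}
MESSAGES = {  # commit -> commit message (constructed)
    "a0": "gnu: foo: Update to 1.0.",
    "a1": "gnu: bar: Apply security fix.",
    "cu0": "gnu: libfoo: Update to 2.0 (world rebuild).\n\n"
           "Authentication-Allow-Automatic-Follow: no (core-updates)",
    "cu1": "gnu: libbar: Update to 3.1.",
    "cu2": "gnu: baz: Rebuild against new libfoo.",
    "m": "Merge branch 'core-updates' into master",
    "a2": "gnu: qux: Update to 2.1.",
}


def blocked_branch(message):
    """Branch named by a marker line, "unknown" if the marker carries no
    branch name, or None if the message has no marker line."""
    match = MARKER_RE.search(message)
    if match is None:
        return None
    return match.group(1) or "unknown"


def _reachable(parents, messages, old, new, skip_marked):
    """Walk parent links backwards from `new`; True if `old` is reached.
    With skip_marked, commits carrying the marker (other than `old`, where
    the user already is) are never entered, so any path found is
    marker-free after `old`, which is exactly the condition of item 15."""
    seen, stack = set(), [new]
    while stack:
        commit = stack.pop()
        if commit in seen:
            continue
        seen.add(commit)
        if commit == old:
            return True
        if skip_marked and blocked_branch(messages.get(commit, "")) is not None:
            continue
        stack.extend(parents.get(commit, ()))
    return False


def check_update(parents, messages, old, new):
    """"ok": some path old..new has no marker commit after `old` (this also
    covers the merged-branch case of item 16, where one path is marked and
    another is not). "refused": new descends from old but every path crosses
    a marker. "not-a-descendant": no path at all, a separate failure."""
    if not _reachable(parents, messages, old, new, skip_marked=False):
        return "not-a-descendant"
    if _reachable(parents, messages, old, new, skip_marked=True):
        return "ok"
    return "refused"


def marked_commits_between(parents, messages, old, new):
    """All (commit, branch) marker commits in the ancestry of `new` above
    `old`, whether or not they block every path; used to name the branch."""
    seen, found, stack = set(), [], [new]
    while stack:
        commit = stack.pop()
        if commit in seen or commit == old:
            continue
        seen.add(commit)
        branch = blocked_branch(messages.get(commit, ""))
        if branch is not None:
            found.append((commit, branch))
        stack.extend(parents.get(commit, ()))
    return sorted(found)


def refusal_message(branches):
    """The user-facing text proposed in item 15."""
    names = ", ".join(branches) or "unknown"
    return (f"error: Refusing to switch to the branch '{names}'!\n\n"
            "This usually means someone is trying to trick you into\n"
            "not receiving timely security updates! Please report this\n"
            "incident to #guix on freenode, or at bug-guix@gnu.org.\n\n"
            "It is safe to simply run \"guix pull\" again later.")


if __name__ == "__main__":
    for old, new in [("a0", "a1"), ("a0", "cu2"), ("a0", "m"), ("a1", "cu2")]:
        verdict = check_update(PARENTS, MESSAGES, old, new)
        print(f"{old} -> {new}: {verdict}")
        if verdict == "refused":
            names = [b for _, b in marked_commits_between(PARENTS, MESSAGES, old, new)]
            print(refusal_message(names))
```

Moving from `a0` to `cu2` is refused because the only path runs through `cu0`, while `a0` to `m` (or `a2`) is accepted because the master-side path through `a1` carries no marker, which is the merge case of item 16. Note that, as Ludo's reply points out, none of this detects a server that simply keeps serving `a0` as the tip of master; the check only rules out diversion onto a marked branch.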