Subject: bug#48146: Getting diverted to non-updated branches: a limitation of the authentication mechanism?
From: Maxime Devos
To: bug-guix@gnu.org
Date: Sat, 01 May 2021 23:40:01 +0200
X-GNU-PR-Package: guix
X-GNU-PR-Keywords: security
Tags: + security

Hi guix,

Consider the following situation:

Premises:

1. There are no security vulnerabilities known to the attacker at the moment.
2. Thus, the attacker will instead try to trick the user's system into not updating, and exploit vulnerabilities once they become known.
3. The user relies on unattended-service-type or similar for automatic upgrades.
4. The attacker can subvert the savannah repository, but cannot forge commit signatures.
5. The user is at commit A. There is a correctly-signed commit C on, say, core-updates, such that: C comes after A, but C is not yet in master for the foreseeable future.

Method:

6. The attacker subverts savannah, replacing the tip of 'master' with 'C'. To avoid detection, this subverted master is only served to the targeted users.
7. The targeted users' systems' unattended-service-type do their equivalent of "guix pull && guix system reconfigure ...".
8. The targeted systems are now on core-updates, which does not receive timely security updates.
9. On future automatic upgrades, the users' systems will stay on core-updates, without any obvious indication something is wrong. (Aside from recompilations, maybe the user's machine has 40GiB RAM, dozens of processors and sits in some data centre where the user won't notice the sound of the fans.)
10. A vulnerability is discovered (and fixed) and there is a blog post or something! The attacker is late to the party.
11. Unfortunately for the user, the automatic upgrade does not fix the vulnerability on the user's system, as vulnerabilities are not patched on core-updates.
12. The attacker reads the blog post about the vulnerability at their own leisure, and can take all the time they need to exploit the users' systems.

Proposal for a fix:

13. Find a volunteer to actually implement this.
14. When creating branches that do not receive timely security updates, such as wip-gnome, core-updates and staging, add a line

      Authentication-Allow-Automatic-Follow: no (core-updates)

    to the commit message.
15. When updating guix from a commit A to commit B, additionally verify whether there exists a path from A to B that does _not_ have a

      Authentication-Allow-Automatic-Follow: no [branch]

    line. If no such path exists, bail out and tell the user something like:

      error: Refusing to switch to the branch 'branch'!
      This usually means someone is trying to trick you into not
      receiving timely security updates!
      Please report this incident to #guix on freenode, or at bug-guix@gnu.org.
      It is safe to simply run "guix pull" again later.

16. If there is a path from A to B that _does_ have a

      Authentication-Allow-Automatic-Follow: no [branch]

    line, and another path that does _not_ have such a line, that means the branch has been merged, which is totally fine, so no error message is required in that case.
17. This proposal assumes the attacker eventually gives up, such that "guix pull" will work again before a vulnerability is found (and exploited) on 'master'.

Greetings,
Maxime.
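The path check of points 15 and 16, worked through on a small constructed commit graph. This is an added example written for this page; it is not code from the report or from Guix (whose authentication code is Guile, not Python). It assumes a commit graph given as a plain dict of id -> (parents, message), a marker line in the exact form the report proposes (the "(core-updates)" suffix is the report's example; also accepting "[branch]" brackets is an assumption here), and it goes one step beyond the text by collecting the branch names of the markers that blocked every path, so the refusal message can name them instead of a placeholder 'branch'. The check is only meaningful if it runs after commit-signature verification, since the marker lives inside the signed commit message (premise 4).

```python
import re

# Marker line from the proposal.  "(core-updates)" is the form the report gives;
# accepting [brackets] as well is an assumption of this example.
MARKER = re.compile(
    r"^Authentication-Allow-Automatic-Follow:\s*no"
    r"(?:\s*[(\[]\s*([^)\]]+?)\s*[)\]])?\s*$",
    re.MULTILINE)


def marked_branch(message):
    """Return the branch named by the marker line, '' if the marker carries no
    name, or None if the commit message has no marker at all."""
    m = MARKER.search(message)
    if m is None:
        return None
    return m.group(1) or ""


def check_automatic_follow(commits, a, b):
    """Decide whether an unattended upgrade from commit a to commit b may proceed.

    commits maps a commit id to (parents, message).  The walk starts at b and
    follows parent edges towards a; a commit carrying the marker blocks every
    path through it (point 15).  Any single unmarked path suffices (point 16,
    the merged-branch case).  Commit a itself is never inspected, because the
    user already runs it.  A b that does not descend from a at all is refused
    as well; that case is not discussed in the report and is a choice made here.
    Returns (allowed, blocking_branch_names)."""
    blocking = set()
    seen = set()
    stack = [b]
    while stack:
        c = stack.pop()
        if c in seen:
            continue
        seen.add(c)
        if c == a:
            return True, set()          # an unmarked path A..B exists
        branch = marked_branch(commits[c][1])
        if branch is not None:
            blocking.add(branch or "<unnamed>")
            continue                    # do not walk past a marked commit
        stack.extend(commits[c][0])
    return False, blocking


def refusal_message(branches):
    """The user-facing error from point 15, naming the blocking branch(es)."""
    names = ", ".join(sorted(branches)) or "<unknown>"
    return (f"error: Refusing to switch to the branch '{names}'!\n"
            "This usually means someone is trying to trick you into not\n"
            "receiving timely security updates!\n"
            "It is safe to simply run \"guix pull\" again later.")


# Constructed commit graph (not real Guix history): id -> (parents, message).
#   A   : the commit the user currently runs (master)
#   M1  : next commit on master
#   C0  : commit that starts core-updates, carrying the marker
#   C   : tip of core-updates (the commit the attacker serves as 'master')
#   M2  : later merge of core-updates into master
SAMPLE = {
    "A":  ((),          "gnu: hello: Update to 2.10."),
    "M1": (("A",),      "gnu: openssl: Update to 1.1.1k [security fixes]."),
    "C0": (("A",),      "Start core-updates.\n\n"
                        "Authentication-Allow-Automatic-Follow: no (core-updates)"),
    "C":  (("C0",),     "build-system: Switch to new bootstrap toolchain."),
    "M2": (("M1", "C"), "Merge branch 'core-updates' into master."),
}


if __name__ == "__main__":
    for target in ("M1", "C", "M2"):
        ok, branches = check_automatic_follow(SAMPLE, "A", target)
        print(f"A -> {target}: " + ("allowed" if ok else refusal_message(branches)))
```

Running it shows the three cases the report describes: A -> M1 is allowed (plain master), A -> C is refused because the only path runs through the marked C0, and A -> M2 is allowed even though one of its paths is marked, because the path through M1 is not. The walk deliberately does not stop at the first marker; it keeps exploring so that the merge case in point 16 is recognised.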