From: Giovanni Biscuolo <g@xelera.eu>
To: zimoun, Ludovic Courtès, guix-devel@gnu.org
Subject: Re: Tricking peer review
Date: Wed, 20 Oct 2021 10:22:45 +0200
Message-ID: <87czo0m7fu.fsf@xelera.eu>
In-Reply-To: <86ee8hfm1k.fsf@gmail.com>
References: <874k9if7am.fsf@inria.fr> <86ee8hfm1k.fsf@gmail.com>
Hi Simon and Ludovic,

very interesting thread, thank you!

I think the "final" result of this discussion should be condensed in a
few (one?) additional paragraphs in the Contributing section of the
Guix manual.

zimoun writes:

[...]

> - url-fetch: the attacker has to introduce the tarballs into SWH.
>   There are not so many means, from my understanding: SWH ingests
>   tarballs via loaders, for instance gnu.org or sources.json or
>   debian.org etc. Therefore the attacker has to introduce the malicious
>   code to these platforms.
>
> - url-fetch without metadata (as your example), indeed, the reviewer
>   could be abused; mitigated by the fact that "guix lint" spots the
>   potential issue.
>
> - url-fetch with metadata: the attacker has to also corrupt
>   Disarchive-DB. Otherwise, the tarball returned by SWH will not
>   match the checksum.
>
> - svn-fetch, hg-fetch, cvs-fetch: no attack possible, yet.
>
> - git-fetch: it is the *real* issue. Because it is easy for the
>   attacker to introduce malicious code into SWH (create a repo on
>   GitHub, click Save, done). Then submit a package using it as you
>   did. It is the same case as url-fetch without metadata but easier
>   for the attacker. It is mitigated by "guix lint".

Well done Simon: AFAIU this is a complete analysis of the possible
"source" attacks, or is something missing?

> That said, if I am an attacker and I would like to corrupt Guix, then
> I would create a fake project mimicking complex software. For
> instance, Gmsh is a complex C++ scientific software. The correct URL is
> and the source at
> . Then, as an attacker, I buy the
> domain say gmsh.org or onelab.org, onehab.info and also set up a
> https://onehab.info web site identical to the legitimate one just to
> trick people and put malicious code there. Last, I send for
> inclusion a package using this latter URL. The reviewer would be
> abused.
>
> That's why more eyes, less issues. :-)

I agree, but eyes should also be aware of this class of possible
attacks.

>> Also, just because a URL looks nice and is reachable doesn't mean the
>> source is trustworthy either. An attacker could submit a package for an
>> obscure piece of software that happens to be malware. The difference
>> here is that the trick above would allow targeting a high-impact
>> package.
>
> I agree.

I also agree (obviously) and I think this kind of attack should also be
documented in the manual (if not already done).

[...]

Thanks! Gio'

-- 
Giovanni Biscuolo
Xelera IT Infrastructures
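The risk classes zimoun enumerates above (url-fetch with and without archival metadata, git-fetch, svn/hg/cvs-fetch) and the look-alike-domain trick can be turned into a small reviewer-side checklist. The following is an added example and not Guix's own code nor anything posted in this thread: the trusted-domain table, the `archived` flag standing in for "a Disarchive/SWH record matches the declared hash", and all host names and hashes are constructed for illustration.

```python
"""Review-time heuristics for Guix package origins.

Added example, not Guix code.  It encodes the source-attack classes
discussed in the thread as warnings a reviewer can run over a package's
origin before trusting it.  Everything below the imports is constructed
for illustration (domain list, sample origins, hashes).
"""
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed: domains a reviewer has already verified for each project.
TRUSTED_DOMAINS = {
    "example-tool": {"example-tool.example", "git.example-tool.example"},
}

# Fetch methods as named in Guix origins; the text paraphrases the thread.
SWH_RISK = {
    "url-fetch": "tarball must reach SWH via a loader (gnu.org, sources.json, ...)",
    "git-fetch": "any public repository gets ingested by SWH; confirm it is the canonical one",
    "svn-fetch": "no SWH-based substitution known (yet)",
    "hg-fetch": "no SWH-based substitution known (yet)",
    "cvs-fetch": "no SWH-based substitution known (yet)",
}


@dataclass
class Origin:
    project: str
    method: str              # e.g. "url-fetch" or "git-fetch"
    url: str
    sha256: str              # hash declared in the package definition
    archived: bool = False   # assumption: True if a Disarchive/SWH record matches sha256


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; small values between hosts suggest a look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def review_origin(origin: Origin) -> list[str]:
    """Return reviewer warnings for one origin; empty list means nothing fired."""
    warnings = []
    host = host_of(origin.url)
    trusted = TRUSTED_DOMAINS.get(origin.project, set())
    if host not in trusted:
        close = sorted(d for d in trusted if edit_distance(host, d) <= 2)
        if close:
            warnings.append(f"host {host!r} resembles trusted {close}: possible look-alike domain")
        else:
            warnings.append(f"host {host!r} is not a known upstream for {origin.project}; verify out of band")
    if origin.method == "url-fetch" and not origin.archived:
        warnings.append("url-fetch without archival metadata: hash cannot be cross-checked against SWH/Disarchive")
    if origin.method == "git-fetch":
        warnings.append("git-fetch: " + SWH_RISK["git-fetch"])
    if origin.method not in SWH_RISK:
        warnings.append(f"unknown fetch method {origin.method!r}")
    return warnings


if __name__ == "__main__":
    # Constructed sample origins: one clean, one look-alike host, one fresh git repo.
    samples = [
        Origin("example-tool", "url-fetch", "https://example-tool.example/src-1.0.tar.gz", "deadbeef", archived=True),
        Origin("example-tool", "url-fetch", "https://example-too1.example/src-1.0.tar.gz", "deadbeef", archived=True),
        Origin("example-tool", "git-fetch", "https://forge.example/someone/example-tool", "deadbeef"),
    ]
    for s in samples:
        print(s.method, s.url)
        for w in review_origin(s) or ["  ok"]:
            print("  -", w)
```

The domain heuristic only catches near-miss spellings of hosts the reviewer already trusts, which is exactly the case in the thread; a wholly unrelated domain is reported as unknown rather than as a look-alike, so the reviewer still has to confirm upstream out of band.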