bug#19479: Package manager vulnerable
From: Stefan Monnier
Subject: bug#19479: Package manager vulnerable
Date: Sun, 04 Jan 2015 21:16:00 -0500
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.0.50 (gnu/linux)
> If filenames include version numbers and the version numbers are never
> reused,
The ELPA system in general does not enforce that. But the GNU ELPA
scripts do, and other ELPA servers work in a way that should generally
make sure this is also the case.
> then your solution does prevent package replay attacks. Since Emacs
> packages already include a Version header (and the package name), you could
> actually do your proposed verification using that header, without changing
> the way signatures are currently made, which is a solution I addressed in my
> original emacs-devel message.
Indeed, I realized this just after I sent my message.
So we can fix this problem simply by changing package.el so as to check
that the name&version of the downloaded file match the name&version
contained therein.
Patch welcome.
> But remember, none of the above prevents metadata replay attacks. If the
> user himself is specifying the metadata (e.g. you manually request Emacs
> 24.4 because you know that's the latest version), then verification to
> prevent metadata replay attacks isn't the computer's job. But when the user
> just says to update some package(s) to the latest version, without
> specifying the version, then it is the computer's job. For this,
> put a timestamp of the archive-contents file into the file itself.
Agreed. It should be fairly easy to add a timestamp in there without
causing any backward incompatibility.
Stefan
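The two checks discussed in this message, the name/version cross-check against the package's own headers and the timestamp check against a replayed archive-contents, as an added illustration in Python (not package.el code, and not part of the bug thread). The header regexes, the filename layout `name-version.el` and the sample package text are this example's own assumptions.

```python
import re

# Single-file Emacs packages start with ';;; NAME.el --- ...' and carry a
# ';; Version:' (or ';; Package-Version:') header.  These regexes are the
# example's own approximation of what package.el reads, not its code.
FIRST_LINE_RE = re.compile(r"^;;;\s*(?P<name>\S+)\.el\s+---")
VERSION_RE = re.compile(r"^;;\s*(?:Package-)?Version:\s*(?P<version>\S+)\s*$", re.M)


def parse_package_headers(source):
    """Return (name, version) as declared inside the downloaded file."""
    first = source.splitlines()[0] if source else ""
    m_name = FIRST_LINE_RE.match(first)
    m_ver = VERSION_RE.search(source)
    if not m_name or not m_ver:
        raise ValueError("package is missing its name line or Version header")
    return m_name.group("name"), m_ver.group("version")


def expected_from_filename(filename):
    """Split 'hello-1.2.el' into ('hello', '1.2'); assumed filename layout."""
    m = re.fullmatch(r"(?P<name>.+)-(?P<version>[0-9][0-9.]*)\.el", filename)
    if not m:
        raise ValueError("unexpected package filename: %s" % filename)
    return m.group("name"), m.group("version")


def verify_download(filename, source):
    """The package-replay check proposed above: the name/version the client
    requested (encoded in the filename it fetched) must equal the name/version
    the signed file declares.  A valid signature on the wrong (older) release
    is exactly what this mismatch exposes."""
    return expected_from_filename(filename) == parse_package_headers(source)


def archive_contents_is_fresh(embedded_timestamp, last_accepted_timestamp):
    """The metadata-replay check: an archive-contents whose embedded timestamp
    is older than the one previously accepted is a replayed copy."""
    return embedded_timestamp >= last_accepted_timestamp


# Constructed sample packages: the requested release and a stale one served
# under the requested filename.
GOOD = ";;; hello.el --- greet the user\n;; Version: 1.2\n(provide 'hello)\n"
STALE = ";;; hello.el --- greet the user\n;; Version: 1.1\n(provide 'hello)\n"

if __name__ == "__main__":
    print(verify_download("hello-1.2.el", GOOD))    # True
    print(verify_download("hello-1.2.el", STALE))   # False
    print(archive_contents_is_fresh(1420400000, 1420410000))  # False
```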