GNU bug report logs - #19479 Package manager vulnerable
Message #14 received at 19479 <at> debbugs.gnu.org (full text, mbox):

> If filenames include version numbers and the version numbers are never
> reused,

The ELPA system in general does not enforce that. But the GNU ELPA
scripts do, and other ELPA servers work in a way that should generally
make sure this is also the case.

> then your solution does prevent package replay attacks. Since Emacs
> packages already include a Version header (and the package name), you could
> actually do your proposed verification using that header, without changing
> the way signatures are currently made, which is a solution I addressed in my
> original emacs-devel message.

Indeed, I realized this just after I sent my message.
So we can fix this problem simply by changing package.el so as to check
that the name&version of the downloaded file match the name&version
contained therein.
Patch welcome.

> But remember, none of the above prevents metadata replay attacks. If the
> user himself is specifying the metadata (e.g. you manually request Emacs
> 24.4 because you know that's the latest version), then verification to
> prevent metadata replay attacks isn't the computer's job. But when the user
> just says to update some package(s) to the latest version, without
> specifying the version, then it is the computer's job. For this,
> put a timestamp of the archive-contents file into the file itself.

Agreed. It should be fairly easy to add a timestamp in there without
causing any backward incompatibility.

Stefan
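
The name and version check proposed in the message above, as an added example; it is not part of the original message and is not package.el code. It handles single-file packages only, and the `demo-` function names and the sample package "foo" are hypothetical, constructed for illustration.

```emacs-lisp
;; Added example, not package.el code.  All `demo-' names are hypothetical.

(defun demo-split-file-name (file)
  "Return (NAME . VERSION) requested via FILE, e.g. \"foo-1.2.el\"."
  (let ((base (file-name-nondirectory file)))
    (unless (string-match "\\`\\(.+\\)-\\([0-9][0-9.]*\\)\\.el\\'" base)
      (error "Cannot parse name and version from %S" base))
    (cons (match-string 1 base) (match-string 2 base))))

(defun demo-embedded-name-version (content)
  "Return (NAME . VERSION) declared inside single-file package CONTENT."
  (with-temp-buffer
    (insert content)
    (goto-char (point-min))
    (let ((case-fold-search t) name version)
      ;; First line of a single-file package: ";;; NAME.el --- description"
      (when (looking-at "^;;; \\([^ \t\n]+\\)\\.el ---")
        (setq name (match-string 1)))
      ;; Simplification: take the first Version or Package-Version header.
      (when (re-search-forward
             "^;+[ \t]*\\(?:Package-\\)?Version:[ \t]*\\([0-9][0-9.]*\\)" nil t)
        (setq version (match-string 1)))
      (unless (and name version)
        (error "Package has no usable name or Version header"))
      (cons name version))))

(defun demo-verify-download (file content)
  "Signal an error unless CONTENT declares the name and version in FILE.
Return the verified (NAME . VERSION) pair otherwise."
  (let ((want (demo-split-file-name file))
        (got (demo-embedded-name-version content)))
    (unless (string= (car want) (car got))
      (error "Name mismatch: asked for %s, got %s" (car want) (car got)))
    ;; Compare as versions so that "1.2" and "1.2.0" are treated alike.
    (unless (version= (cdr want) (cdr got))
      (error "Version mismatch (possible replay): asked for %s, got %s"
             (cdr want) (cdr got)))
    got))

;; Constructed sample: an older release of the hypothetical package "foo".
(defconst demo-old-release
  ";;; foo.el --- Example package\n;; Version: 1.0\n(provide 'foo)\n")

;; Requested file and embedded header agree: the pair is returned.
(message "Accepted: %S" (demo-verify-download "foo-1.0.el" demo-old-release))
;; The old file served under the newer name still carries a valid signature,
;; but its embedded Version header no longer matches the requested file.
(condition-case err
    (demo-verify-download "foo-1.1.el" demo-old-release)
  (error (message "Rejected: %s" (error-message-string err))))
```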
This bug report was last modified 4 years and 203 days ago.