GNU bug report logs - #19479
Package manager vulnerable


Package: emacs;

Reported by: Kelly Dean <kelly <at> prtime.org>

Date: Thu, 1 Jan 2015 12:40:02 UTC

Severity: important

Tags: security


From: Stefan Monnier <monnier <at> iro.umontreal.ca>
To: Kelly Dean <kelly <at> prtime.org>
Cc: 19479 <at> debbugs.gnu.org
Subject: bug#19479: Package manager vulnerable
Date: Sun, 04 Jan 2015 15:00:43 -0500
> For details, see my message with subject ⌜Emacs package manager vulnerable
> to replay attacks⌝ to emacs-devel on 30 Dec 2014:
> https://lists.gnu.org/archive/html/emacs-devel/2014-12/msg02319.html

AFAICT, this vulnerability also applies to the way GNU packages are
distributed in ftp.gnu.org (i.e. as a tarball plus a .sig file).

Is that right?

> Executive summary to fix the vulnerabilities:

Another way to attack the problem is to include the file name along with
its content in "the thing that gets signed".
I.e. the signature shouldn't apply to the output of "cat <foo>" but to
the output of "echo <foo>; cat <foo>".

This way an attacker can't take <vulnerable>.tar along with
<vulnerable>.tar.sig and send them off as <safe>.tar along with
<safe>.tar.sig.


        Stefan
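The name-binding Stefan describes, worked through as an added example (not code from this bug thread, from Emacs, or from ftp.gnu.org). It assumes a constructed HMAC key standing in for the OpenPGP signing key, constructed release names and tarball bytes, and a length-prefixed framing of the file name chosen here in place of the literal `echo <foo>; cat <foo>` output:

```python
import hashlib
import hmac

# Constructed stand-in for the release signing key. ftp.gnu.org uses OpenPGP
# detached signatures (.sig); HMAC-SHA256 is used here only so the example
# runs with the Python standard library. The binding argument is the same.
SIGNING_KEY = b"constructed-release-signing-key"

# Constructed release data: an old release with a known flaw and a newer one.
VULNERABLE_NAME = "foo-1.0.tar"
SAFE_NAME = "foo-1.1.tar"
VULNERABLE_CONTENT = b"tarball bytes of foo-1.0 (constructed)"


def content_only_message(name: str, content: bytes) -> bytes:
    """Current scheme: the signature covers 'cat <foo>', so the name is ignored."""
    return content


def name_bound_message(name: str, content: bytes) -> bytes:
    """Stefan's proposal: sign 'echo <foo>; cat <foo>', i.e. name plus content."""
    # A raw newline separator would let (name "a\n", content "b") collide with
    # (name "a", content "\nb"), so the name is length-prefixed instead. This
    # framing is an implementation choice made in this example, not in the thread.
    name_bytes = name.encode("utf-8")
    return len(name_bytes).to_bytes(4, "big") + name_bytes + content


def sign(message_fn, name: str, content: bytes) -> bytes:
    """Upstream signs a release file under the name it publishes it as."""
    return hmac.new(SIGNING_KEY, message_fn(name, content), hashlib.sha256).digest()


def verify(message_fn, name: str, content: bytes, sig: bytes) -> bool:
    """The downloader checks the .sig against the file as it was received,
    i.e. under the file name it was served as."""
    expected = hmac.new(SIGNING_KEY, message_fn(name, content), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def rename_attack_verifies(message_fn) -> bool:
    """Upstream signed the vulnerable release under its real name. A mirror
    then serves that same content and .sig under the safe release's name.
    Returns True if the downloader accepts it, i.e. the scheme is fooled."""
    sig_from_upstream = sign(message_fn, VULNERABLE_NAME, VULNERABLE_CONTENT)
    return verify(message_fn, SAFE_NAME, VULNERABLE_CONTENT, sig_from_upstream)


def genuine_download_verifies(message_fn) -> bool:
    """Sanity check: the honest case still passes under either scheme."""
    sig = sign(message_fn, VULNERABLE_NAME, VULNERABLE_CONTENT)
    return verify(message_fn, VULNERABLE_NAME, VULNERABLE_CONTENT, sig)


if __name__ == "__main__":
    print("content-only: renamed file accepted?", rename_attack_verifies(content_only_message))
    print("name-bound:   renamed file accepted?", rename_attack_verifies(name_bound_message))
```

Under the content-only scheme the renamed file verifies, because the name never enters the signed message; under the name-bound scheme the same `.sig` fails once the downloader computes the message from the name it actually fetched. The binding only helps when the downloader verifies against the name it expected to receive rather than whatever name the mirror supplied.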