GNU bug report logs -
#53608
[PATCH 0/2] Rejecting commits unrelated to the introductory commit
Previous Next
Reported by: Ludovic Courtès <ludo <at> gnu.org>
Date: Fri, 28 Jan 2022 17:33:01 UTC
Severity: normal
Tags: patch, security
Done: Ludovic Courtès <ludo <at> gnu.org>
Bug is archived. No further changes may be made.
Full log
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
Hello!
This patch series fixes a bug in the checkout authentication code:
it would be possible to authenticate a commit unrelated to the
introductory commit, provided that target commit passes the
authorization invariant (see the commit log for details).
Users of Guix and of third-party channels are safe: this bug does
not have any impact on checkout authentication in those cases.
What concrete cases are affected? Suppose someone forks Guix and
publishes a new channel introduction for their fork. The expectation
is that any branch started before the introductory channel, for
instance in the original Guix repo, would fail to be authenticated.
However, because of this bug, such a branch would be considered
authentic in the fork because all its commits pass the authorization
invariant (IOW, they are authentic in the original repository).
Thoughts?
Ludo'.
Ludovic Courtès (2):
git: Add 'commit-descendant?'.
git-authenticate: Ensure the target is a descendant of the
introductory commit.
doc/guix.texi | 4 ++-
guix/git-authenticate.scm | 17 ++++++++--
guix/git.scm | 24 +++++++++++++-
tests/channels.scm | 60 +++++++++++++++++++++++++++++++++-
tests/git-authenticate.scm | 44 +++++++++++++++++++++++++
tests/git.scm | 52 ++++++++++++++++++++++++++++-
tests/guix-git-authenticate.sh | 17 ++++++++--
7 files changed, 210 insertions(+), 8 deletions(-)
base-commit: 5052f76afd02e27d6484acf74c86bfa1b6f9cd0e
--
2.34.0
This bug report was last modified 3 years and 193 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.