GNU bug report logs -
#60782
Channels and dependency confusion
Previous Next
Full log
Message #18 received at 60782 <at> debbugs.gnu.org (full text, mbox):
Hi,
On lun., 16 janv. 2023 at 10:00, Ludovic Courtès <ludovic.courtes <at> inria.fr> wrote:
>> Well, the assumption for a similar attack using Guix channels is that
>> the user first adds the channel to their channel list. Therefore, they
>> trust what they consider able to be trust. ;-)
>
> Right, users would have to explicitly add the offending channel to their
> channel list in the first place. (And there are many other ways channel
> code could mess up with one’s machine.)
To be precise, the user must add a compromised channel; either
compromised by the packages which this channel offers or either by some
dependencies channel of this very same channel.
For instance, consider the user adds the channel guix-bimsb which
contains this .guix-channel [1] file:
--8<---------------cut here---------------start------------->8---
(channel
(version 0)
(dependencies
(channel
(name guix-past)
(url "https://gitlab.inria.fr/guix-hpc/guix-past"))
(channel
(name guix-science)
(url "https://github.com/guix-science/guix-science.git"))))
--8<---------------cut here---------------end--------------->8---
Here, the user could be compromised if the attacker is able to
compromise guix-past or guix-science. The user who trusts guix-bimsb is
maybe not aware of this recursive dependencies; but because they trust
guix-bimsb in the first place, somehow it means they trust people behind
guix-bimsb to check that guix-past or guix-science is not compromised.
Well, somehow it is a web of trust.
And if all channels are using authentication, then the attack is hard,
no?
1: <https://github.com/BIMSBbioinfo/guix-bimsb/blob/master/.guix-channel>
Cheers,
simon
This bug report was last modified 2 years and 192 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.