bug#19479: Package manager vulnerable
From: Stefan Monnier
Subject: bug#19479: Package manager vulnerable
Date: Sun, 04 Jan 2015 15:00:43 -0500
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.0.50 (gnu/linux)
> For details, see my message with subject ⌜Emacs package manager vulnerable
> to replay attacks⌝ to emacs-devel on 30 Dec 2014:
> https://lists.gnu.org/archive/html/emacs-devel/2014-12/msg02319.html
AFAICT, this vulnerability also applies to the way GNU packages are
distributed in ftp.gnu.org (i.e. as a tarball plus a .sig file).
Is that right?
> Executive summary to fix the vulnerabilities:
Another way to attack the problem is to include the file name along with
its content in "the thing that gets signed".
I.e. the signature shouldn't apply to the output of "cat <foo>" but to
the output of "echo <foo>; cat <foo>".
This way an attacker can't take <vulnerable>.tar along with
<vulnerable>.tar.sig and send them off as <safe>.tar along with
<safe>.tar.sig.
Stefan
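To illustrate the difference between the two schemes described in this message, here is an added example (not code from the thread or from Emacs/GNU). It assumes Ed25519 from the Go standard library in place of a GnuPG detached signature, and binds the name as "<name>\n<content>", the output of "echo <foo>; cat <foo>"; the sample package content is constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// signedInput builds "the thing that gets signed" with the file name bound
// in: the name, a newline, then the content, i.e. "echo <foo>; cat <foo>".
// (Assumption: names contain no newline, so the encoding is unambiguous.)
func signedInput(name string, content []byte) []byte {
	return append([]byte(name+"\n"), content...)
}

// signContentOnly mirrors the existing scheme: signature over "cat <foo>".
func signContentOnly(priv ed25519.PrivateKey, content []byte) []byte {
	return ed25519.Sign(priv, content)
}

// verifyContentOnly checks a content-only signature; the name plays no part,
// so the same .sig verifies under any file name.
func verifyContentOnly(pub ed25519.PublicKey, content, sig []byte) bool {
	return ed25519.Verify(pub, content, sig)
}

// signNamed signs the name-bound input instead of the bare content.
func signNamed(priv ed25519.PrivateKey, name string, content []byte) []byte {
	return ed25519.Sign(priv, signedInput(name, content))
}

// verifyNamed rebuilds the bound input from the name the file is served
// under, so a signature made for another name fails to verify.
func verifyNamed(pub ed25519.PublicKey, name string, content, sig []byte) bool {
	return ed25519.Verify(pub, signedInput(name, content), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	content := []byte("constructed sample package contents") // constructed
	// Content-only signature made for vulnerable.tar still verifies as safe.tar.
	sig := signContentOnly(priv, content)
	fmt.Println("content-only, renamed:", verifyContentOnly(pub, content, sig))
	// Name-bound signature verifies only under the name it was made for.
	nsig := signNamed(priv, "vulnerable.tar", content)
	fmt.Println("name-bound, vulnerable.tar:", verifyNamed(pub, "vulnerable.tar", content, nsig))
	fmt.Println("name-bound, renamed safe.tar:", verifyNamed(pub, "safe.tar", content, nsig))
}
```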