
GPG-Signed Commits Exploit

From: Alexander Taler
Subject: GPG-Signed Commits Exploit
Date: Thu, 29 Sep 2005 08:52:35 -0400

The design document implies that the GPG signature is made on the
full file as it is committed.  As a developer this bothers me,
because it means I'm signing other people's code, not just my
own.  Chewing on this nagging doubt uncovered an exploit:

The attacker, Eve, needs shell (non-cvs) access to the
repository, (which can be assumed, since CVS has not been fully
audited for security), as well as commit access, possibly through
a compromised key.  Eve commits malicious code in revision 1.18
of file foo.c, signed with Aaron's key which she has compromised.
Beth, an honest developer, commits revision 1.19 of file foo.c,
signed with her uncompromised key.  Eve then returns to the scene
of the crime, and modifies revision 1.18 to be merely an
innocuous change.  Later on, it is discovered that Aaron's key
was compromised, and all of his commits are audited, and found to
be acceptable.  But the change lives on in Beth's commit.

This scenario would be avoided if the actual diff being committed
were signed instead of/as well as the complete file.


PS Is there a difference between bug-cvs@gnu.org and bug-cvs@nongnu.org?

https://savannah.gnu.org/projects/libcvs-spec    Access CVS through a library.
PGP:  ID: 0x23DC453B  FPR: 42D0 66C2 9FF8 553A 373A  B819 4C34 93BA 23DC 453B
The pimp's trade must be carried out by intelligent people, is essential to any
well-ordered society, and should have an official inspector.  -- Don Quixote
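The scenario in the message, modelled as an added example that is not part of the original post or of CVS. Everything here is constructed: the revision numbers, the file contents, the "private keys", and HMAC-SHA256 standing in for GPG (it models who can produce a valid signature, not public-key verification). The example keeps both signatures side by side: one over the full file as in the design document, one over the per-revision diff as proposed above, and audits the repository with each after Eve rewrites revision 1.18.

```python
"""Full-file signatures vs. signed diffs under a retroactive repository edit.

Constructed example. HMAC-SHA256 is a stand-in for GPG; KEYS are made up.
"""
import difflib
import hashlib
import hmac

# Constructed private keys. Eve has compromised Aaron's.
KEYS = {"aaron": b"aaron-private-key", "beth": b"beth-private-key"}


def sign(signer, data):
    return hmac.new(KEYS[signer], data.encode(), hashlib.sha256).hexdigest()


def verify(signer, data, sig):
    return hmac.compare_digest(sign(signer, data), sig)


def diff(old, new):
    """Deterministic unified diff of two revisions (no timestamps in headers)."""
    return "".join(difflib.unified_diff(
        old.splitlines(keepends=True), new.splitlines(keepends=True),
        fromfile="foo.c", tofile="foo.c"))


def commit(repo, rev, signer, content):
    """Store a revision with both signature schemes so they can be compared."""
    prev = repo[-1]["content"] if repo else ""
    repo.append({
        "rev": rev, "signer": signer, "content": content,
        "file_sig": sign(signer, content),              # design-document scheme
        "diff_sig": sign(signer, diff(prev, content)),  # scheme proposed in the message
    })


def tamper(repo, rev, new_content):
    """Eve's shell access: rewrite a stored revision and re-sign it, under
    both schemes, with the key she holds (the stored signer's)."""
    for i, r in enumerate(repo):
        if r["rev"] == rev:
            prev = repo[i - 1]["content"] if i else ""
            r["content"] = new_content
            r["file_sig"] = sign(r["signer"], new_content)
            r["diff_sig"] = sign(r["signer"], diff(prev, new_content))


def audit_full_file(repo):
    """Revisions whose full-file signature does not verify."""
    return [r["rev"] for r in repo
            if not verify(r["signer"], r["content"], r["file_sig"])]


def audit_signed_diff(repo):
    """Revisions whose stored delta no longer matches what the committer signed."""
    bad, prev = [], ""
    for r in repo:
        if not verify(r["signer"], diff(prev, r["content"]), r["diff_sig"]):
            bad.append(r["rev"])
        prev = r["content"]
    return bad


# Constructed malicious line: a hard-coded bypass slipped into foo.c.
MALICIOUS = '    if (strcmp(pw, "letmein") == 0) return 1;\n'
HEAD, TAIL = "int check(char *pw) {\n", "    return verify_pw(pw);\n}\n"


def run_scenario():
    repo = []
    commit(repo, "1.17", "aaron", HEAD + TAIL)
    # Eve commits as Aaron with the compromised key.
    commit(repo, "1.18", "aaron", HEAD + MALICIOUS + TAIL)
    # Beth's honest change, made on top of the malicious 1.18.
    commit(repo, "1.19", "beth", HEAD + MALICIOUS + "    log_attempt(pw);\n" + TAIL)
    before = (audit_full_file(repo), audit_signed_diff(repo))
    # Eve returns and rewrites 1.18 into an innocuous change.
    tamper(repo, "1.18", HEAD + "    /* tidy */\n" + TAIL)
    after = (audit_full_file(repo), audit_signed_diff(repo))
    return {
        "before": before,
        "after": after,
        "malicious_still_in_1.19": MALICIOUS in repo[-1]["content"],
    }


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(k, v)
```

After the rewrite, every full-file signature still verifies, so an audit of Aaron's commits finds nothing while the bypass lives on in 1.19. The diff audit flags 1.19 instead: the delta now stored between 1.18 and 1.19 introduces the malicious line, and Beth's signature does not cover that delta, which both detects the tampering and shows the line is not her code.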
