bug#19479: Package manager vulnerable
From: Noam Postavsky
Subject: bug#19479: Package manager vulnerable
Date: Mon, 07 Sep 2020 19:54:20 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/26.3 (windows-nt)
Stefan Kangas <stefan@marxist.se> writes:
>
>> One more feature: include in each version of archive-contents a hash
[...]
> Does anyone understand how this would improve security in our case?
> AFAIU, it can help with APT since they support distributing package
> metadata in several files. ELPA uses only one file, so I'm not sure it
> would make much of a difference?
Not entirely, but there's a bit more detail on the emacs-devel thread
linked from the OP:

    One final feature that isn't necessary for preventing any of the
    vulnerabilities above, but still is helpful to make the historical
    record even more clear, is to include in each version of
    archive-contents a hash (and length) of the previous version of that
    file. This further constrains an attacker who has compromised the
    elpa key; he can still launch attacks, but it's harder to keep the
    attacks secret for very long, since he's forced to cause a fork in
    what's supposed to be a linear hash chain.

I think the idea is that if the attacker has the signing key and sends
out a bad version of archive-contents, it will be revealed as soon as
the victim gets a "good" version, since its previous-version hash won't
match. Except that only works if the user can expect to get all
versions of archive-contents, so maybe I've missed something.
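
The previous-version hash chain discussed in this message, as an added example that is not part of the original email and is not package.el code. The two-line `prev-sha256` / `prev-length` header, the use of SHA-256, and the sample package listings are assumptions made for illustration; signature checking is left out because the scenario assumes the attacker holds the signing key.

```python
from __future__ import annotations
import hashlib

def link_to(prev: bytes | None) -> tuple[str, int]:
    """(SHA-256 hex, length) that the next version must record for `prev`."""
    if prev is None:                       # first version has no predecessor
        return ("0" * 64, 0)
    return (hashlib.sha256(prev).hexdigest(), len(prev))

def make_version(body: bytes, prev: bytes | None) -> bytes:
    """Build a file in a hypothetical format: two header lines, then the listing."""
    digest, length = link_to(prev)
    return b"prev-sha256: %s\nprev-length: %d\n%s" % (digest.encode(), length, body)

def parse_link(version: bytes) -> tuple[str, int]:
    """Read the recorded predecessor (hash, length) from the two header lines."""
    hash_line, length_line, _body = version.split(b"\n", 2)
    digest = hash_line.split(b": ", 1)[1].decode()
    return (digest, int(length_line.split(b": ", 1)[1]))

def descends_from(last_seen: bytes, fetched: bytes, between=()) -> bool:
    """True if each step last_seen -> *between -> fetched matches its recorded link."""
    chain = [last_seen, *between, fetched]
    return all(parse_link(new) == link_to(old)
               for old, new in zip(chain, chain[1:]))

# Constructed sample history of the archive (listings are made up).
v1 = make_version(b"((foo . [(1 0)]))\n", None)
v2 = make_version(b"((foo . [(1 1)]))\n", v1)
v3 = make_version(b"((foo . [(1 2)]))\n", v2)
# A key holder publishes a different successor to v1: a fork in the chain.
evil_v2 = make_version(b"((foo . [(9 9)]))\n", v1)

if __name__ == "__main__":
    # The forged file links correctly to v1, so it is accepted on its own.
    print("victim accepts evil_v2:", descends_from(v1, evil_v2))
    # The next good version does not link to it: the fork becomes visible.
    print("victim then gets v3:   ", descends_from(evil_v2, v3))
    # A client that merely skipped v2 sees the same failure ...
    print("honest client, skipped:", descends_from(v1, v3))
    # ... and can only tell the cases apart by obtaining the missing version.
    print("honest client, with v2:", descends_from(v1, v3, between=[v2]))
    print("victim, with v2:       ", descends_from(evil_v2, v3, between=[v2]))
```

The third and fourth results show the limitation raised in the last paragraph: a mismatch on its own does not distinguish a fork from a skipped version unless the intermediate versions can be fetched.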