[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
bug#48146: Getting diverted to non-updated branches: a limitation of the
|
From: |
Maxime Devos |
|
Subject: |
bug#48146: Getting diverted to non-updated branches: a limitation of the authentication mechanism? |
|
Date: |
Sat, 01 May 2021 23:40:01 +0200 |
|
User-agent: |
Evolution 3.34.2 |
Tags: + security
Hi guix,
Consider the following situation:
Premises:
1. There are no known security vulnerabilities known
to the attacker at the moment.
2. Thus, the attacker instead will try to trick the system
of the user into not updating, and exploit vulnerabilities
once they become known.
3. The user relies on unattended-service-type or similar for automatic
upgrades.
4. The attacker can subvert the savannah repository, but cannot forge commit
signatures.
5. The user is at commit A. There is a correctly-signed commit C on, say,
core-updates,
such that: C comes after A, but C is not yet in master for the foreseable
future.
Method:
6. The attacker subverts savannah, replacing the tip of 'master' with 'C'.
To avoid detection, this subverted master is only served to the targetted
users.
7. The targetted users' systems' unattended-service-type
do their equivalent of "guix pull && guix system reconfigure ...".
8. The targetted systems are now on core-updates, which does not receive
timely
security updates.
9. On future automatic upgrades, the users' systems will stay on core-updates,
without any obvious indication something is wrong. (Aside from
recompilations,
maybe the user's machine has 40GiB RAM, dozens of processors and sits in
some
data centre where the user won't notice the sound of the fans.)
10. A vulnerability is discovered (and fixed) and there is a blog post or
something!
The attacker is late to the party.
11. Unfortunately for the user, the automatic upgrade does not fix the
vulnerability
on the user's system, as vulnerabilities are not patched on core-updates.
12. The attacker reads the blog post about the vulnerability on their own
leisure,
and can take all time they need to exploit the users' systems.
Proposal for a fix:
13. Find a volunteer to actually implement this.
14. When creating branches that do not receive timely security updates,
such as wip-gnome, core-updates and staging, add a line
Authentication-Allow-Automatic-Follow: no (core-updates)
to the commit message.
15. When updating guix from a commit A to commit B, additionally verify
whether there exists a path from A to B that does _not_ have a
Authentication-Allow-Automatic-Follow: no [branch]
line. If no such path exists, bail out and tell the user something
like:
error: Refusing to switch to the branch 'branch'!
This usually means someone is trying to trick you into
not receiving timely security updates! Please report this
incident to #guix on freenode, or at bug-guix@gnu.org.
It is safe to simply run "guix pull" again later.
16. If there is a path from A to B that _does_ have a
Authentication-Allow-Automatic-Follow: no [branch]
line, and another path that does _not_ have such a line,
that means the branch has been merged, which is totally fine,
so no error message is required in that case.
17. This proposal assumes the attacker eventually gives up,
such that "guix pull" will work again before a vulnerability
is found (and exploited) on 'master'.
Greetings,
Maxime.
signature.asc
Description: This is a digitally signed message part
- bug#48146: Getting diverted to non-updated branches: a limitation of the authentication mechanism?,
Maxime Devos <=