reproduce-devel

[bug #58614] Verification/security issue because sha512sum may not exist


From: Mohammad Akhlaghi
Subject: [bug #58614] Verification/security issue because sha512sum may not exist on host
Date: Thu, 18 Jun 2020 15:27:58 -0400 (EDT)
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:77.0) Gecko/20100101 Firefox/77.0

URL:
  <https://savannah.nongnu.org/bugs/?58614>

                 Summary: Verification/security issue because sha512sum may not exist on host
                 Project: Reproducible paper template
            Submitted by: makhlaghi
            Submitted on: Thu 18 Jun 2020 08:27:57 PM BST
                Category: Software
                Severity: 3 - Normal
              Item Group: Enhancement
                  Status: Postponed
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any

    _______________________________________________________

Details:

While working on task #15686, I noticed a security/verification bootstrapping
bug:

'sha512sum' is installed inside of Maneage as part of GNU Coreutils (at least
on GNU/Linux systems). Before that, there is no guarantee that sha512sum
actually exists on the host.

Hence, this is what we currently do: we check if 'sha512sum' exists in the
PATH (which includes the host's PATH in 'basic.mk'). If it exists we use it to
verify that the imported tarball is the correct one. Otherwise we don't check
the tarball checksum and simply trust it! This will be the most likely
problem.

A highly unlikely (yet possible!) scenario is if someone has a malicious
intent. They can replace the 'sha512sum' in PATH with something that
automatically extracts the checksum in the project and returns it, thus
fooling the project to build whatever tarball they like.

One partial step would be to actually check the 'sha512sum' executable at
configure time and print a huge warning if it isn't present or doesn't operate
properly.

Maneage is primarily for scientific purposes and doesn't require root
permissions. As discussed in Comment 1 of task 15696
<https://savannah.nongnu.org/task/?15696#comment1>, the probability that a
malicious intent would be present is low. But besides security, it does cause
a problem with the validity checks of the tarballs (which is also being partly
addressed by using Zenodo as the default server in task #15686).

But I just wanted to bring this up here so we find a good solution....






    _______________________________________________________

Reply to this item at:

  <https://savannah.nongnu.org/bugs/?58614>

_______________________________________________
  Message sent via Savannah
  https://savannah.nongnu.org/
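The report above describes two failure modes: the host has no 'sha512sum', so the tarball is trusted unchecked, and a 'sha512sum' in PATH that does not operate properly. The following POSIX shell functions are an added example (not Maneage's own 'basic.mk' code) of the "check the executable at configure time" step the report proposes, done the fail-closed way: the tool is first run against a known-answer test vector (SHA-512 of the string "abc"), and a tarball whose checksum cannot be verified causes a hard failure instead of being trusted. The function names 'sha512_selftest' and 'verify_tarball' are this example's own.

```sh
#!/bin/sh
# Added example: fail-closed tarball verification with a known-answer
# self-test of the checksum tool. Not part of Maneage; names are constructed.

# SHA-512 of the three-byte string "abc" (standard NIST test vector).
SHA512_ABC=ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f

# sha512_selftest TOOL
# Returns 0 only if TOOL is found in PATH and hashes "abc" to the expected
# value. A missing tool, or one that just echoes a stored checksum back,
# fails this check because "abc" is not something a project would store.
sha512_selftest() {
    tool=$1
    if ! command -v "$tool" >/dev/null 2>&1; then
        echo "error: '$tool' not found in PATH; cannot verify tarballs" >&2
        return 1
    fi
    got=$(printf 'abc' | "$tool" 2>/dev/null) || return 1
    got=${got%% *}            # keep only the hex digest, drop " -"
    if [ "$got" != "$SHA512_ABC" ]; then
        echo "error: '$tool' failed the known-answer test; refusing to trust it" >&2
        return 1
    fi
    return 0
}

# verify_tarball FILE EXPECTED_SHA512 [TOOL]
# Verifies FILE against the checksum recorded in the project. Any problem
# (no tool, broken tool, missing file, mismatch) returns non-zero so the
# caller can abort the build rather than silently trusting the tarball.
verify_tarball() {
    file=$1
    expected=$2
    tool=${3:-sha512sum}
    sha512_selftest "$tool" || return 1
    if [ ! -f "$file" ]; then
        echo "error: '$file' does not exist" >&2
        return 1
    fi
    actual=$("$tool" "$file") || return 1
    actual=${actual%% *}      # output is "<digest>  <file>"; keep the digest
    if [ "$actual" = "$expected" ]; then
        echo "verified: $file"
        return 0
    fi
    echo "error: checksum mismatch for '$file'" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}
```

In a configure step one would call 'verify_tarball "$tarball" "$recorded_checksum" || exit 1' for each imported tarball, so the "sha512sum is absent" case the report worries about becomes a loud, reproducible failure instead of an unchecked download. The known-answer test does not rule out every substituted binary, but it removes the easiest silent failure (no tool, or a tool that only replays project checksums), which is the part of the problem this report asks to address.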