[bug #58614] Verification/security issue because sha512sum may not exist
From: Mohammad Akhlaghi
Subject: [bug #58614] Verification/security issue because sha512sum may not exist on host
Date: Thu, 18 Jun 2020 15:27:58 -0400 (EDT)
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:77.0) Gecko/20100101 Firefox/77.0

URL: <https://savannah.nongnu.org/bugs/?58614>
Summary: Verification/security issue because sha512sum may not exist on host
Project: Reproducible paper template
Submitted by: makhlaghi
Submitted on: Thu 18 Jun 2020 08:27:57 PM BST
Category: Software
Severity: 3 - Normal
Item Group: Enhancement
Status: Postponed
Privacy: Public
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
_______________________________________________________
Details:
While working on task #15686, I noticed a security/verification bootstrapping
bug:

'sha512sum' is installed inside of Maneage as part of GNU Coreutils (at least
on GNU/Linux systems). Before that, there is no guarantee that sha512sum
actually exists on the host.

Hence, this is what we currently do: we check if 'sha512sum' exists in the
PATH (which includes the host's PATH in 'basic.mk'). If it exists we use it to
verify that the imported tarball is the correct one. Otherwise we don't check
the tarball checksum and simply trust it! This will be the most likely
problem.

A highly unlikely (yet possible!) scenario is if someone has a malicious
intent. They can replace the 'sha512sum' in PATH with something that
automatically extracts the checksum in the project and returns it, thus
fooling the project into building whatever tarball they like.

One partial step would be to actually check the 'sha512sum' executable at
configure time and print a huge warning if it isn't present or doesn't operate
properly.

Maneage is primarily for scientific purposes and doesn't require root
permissions. As discussed in Comment 1 of task 15696
<https://savannah.nongnu.org/task/?15696#comment1>, the probability that a
malicious intent would be present is low. But besides security, it does cause
a problem with the validity checks of the tarballs (which is also being partly
addressed by using Zenodo as the default server in task #15686).

But I just wanted to bring this up here so we find a good solution....
_______________________________________________________
Reply to this item at:
<https://savannah.nongnu.org/bugs/?58614>
_______________________________________________
Message sent via Savannah
https://savannah.nongnu.org/
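
One way to implement the configure-time check suggested in the report, as an added example that is not part of the original message and not Maneage's own code: a known-answer self-test of the hashing tool, and a tarball check that refuses to proceed when the tool is missing or broken instead of trusting the tarball. The function names and return codes are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not Maneage code. Names and exit codes are hypothetical.

# SHA-512 of the three bytes "abc" (the standard FIPS 180 test vector).
KAT_ABC=ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f

# sha512_selftest TOOL
# Return 0 only if TOOL is found and hashes a known input correctly.
sha512_selftest() {
    tool=$1
    command -v "$tool" >/dev/null 2>&1 || return 1
    out=$(printf 'abc' | "$tool" 2>/dev/null) || return 1
    # sha512sum prints "<hex>  -" for stdin; keep the first field only.
    [ "${out%% *}" = "$KAT_ABC" ]
}

# verify_tarball TOOL FILE EXPECTED_HEX
# 0 = checksum verified
# 1 = checksum mismatch
# 2 = verification impossible (fail closed: never "simply trust it")
verify_tarball() {
    tool=$1; file=$2; expected=$3
    if ! sha512_selftest "$tool"; then
        echo "ERROR: '$tool' is missing or failed its self-test;" \
             "refusing to use unverified '$file'" >&2
        return 2
    fi
    if [ ! -r "$file" ]; then
        echo "ERROR: cannot read '$file'" >&2
        return 2
    fi
    out=$("$tool" < "$file") || return 2
    if [ "${out%% *}" != "$expected" ]; then
        echo "ERROR: checksum mismatch for '$file'" >&2
        return 1
    fi
    return 0
}
```

The self-test catches an absent or malfunctioning tool only; a replaced 'sha512sum' that hashes the test input correctly, as in the scenario described in the report, would still pass it.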