bug-cvs
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [task #4633] GPG-Signed Commits


From: Jim Hyslop
Subject: Re: [task #4633] GPG-Signed Commits
Date: Wed, 21 Sep 2005 12:19:18 -0400
User-agent: Mozilla Thunderbird 1.0.6 (Windows/20050716)

Derek Price wrote:
Jim Hyslop wrote:

How about if CVS/Base contains the revision exactly as stored in the
RCS file (which will then allow the RCS keywords to be included in the
signature), and the server also sends a patch that expands the
keyword, which would be stored in a separate file, such as
.#filename.revision.kwd. Since these files contain only the patches
required (if any) to expand RCS keywords, the files will be fairly small.

Thoughts?



This was my original design actually, before I noticed the exploit, and
this is exactly the situation that can be exploited.  The point is that
the server supplies the content of that keyword file and not all of it
can be signed, so the content of your keyword info file, once
substituted into the verified file, could compromise it.

Either way, if the server is compromised, the local file ends up containing the exploit.

However, there is a difference: if CVS/Base contains the expanded keywords, then there is absolutely no way for me to validate the signature on my local copy of the file. If, on the other hand, CVS/Base contains the exact file as checked in by the user, I can validate the signature, and examine the keyword patch file to look for any irregularities. It's not a perfect solution, since I have to examine the keyword file manually, but it gets part way there.

--
Jim





reply via email to

[Prev in Thread] Current Thread [Next in Thread]