From: konstantin at linuxfoundation.org (Konstantin Ryabitsev)
Subject: Security pitfalls of .tar.asc
Date: Fri, 6 Jul 2018 17:57:15 -0400 [thread overview]
Message-ID: <20180706215715.GC21428@puremoods> (raw)
In-Reply-To: <CAHmME9rRcvDHP9YE1FCp4apvh_CWcT0SAJ+sb088PkN4oa3vsQ@mail.gmail.com>
On Thu, Jul 05, 2018 at 02:54:52AM +0200, Jason A. Donenfeld wrote:
> This works fine, but there's something a bit troubling about it: it
> means that users are instructed to run untrusted tarballs through
> `unxz`, which is big and complicated and could have nasty
> vulnerabilities. My understanding is that this is desired because
> .tar.xz is not stable -- xz might do different things between versions
> or compression levels -- whereas git considers its .tar output to be a
> stable format. So I can see why it'd be desirable to host .tar.asc
> instead of .tar.xz.asc. But from a security perspective, this might be
> sub-optimal.
>
> Thoughts?
I've had the same discussion with Debian folks a little while back,
which I won't rehash here -- see
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882694#25
Worrying about vulnerabilities in unxz is valid, but xz is merely the
last tool in a whole chain of software a person would need to use to get
the tarball and the signature file to where they could run unxz and
gpg --verify. We'd also need to worry about curl/wget/firefox, the tcp
stack, the "ls" and "cp" commands, etc etc.
On the kernel.org side of things we offer sha256sums.asc file in each
directory specifically as a way to quickly verify file integrity before
running unxz (but you still have to download that file, so the caution
about wget/curl/firefox/etc/etc remains :)).
-K
prev parent reply other threads:[~2018-07-06 21:57 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-07-05 0:54 Jason
2018-07-05 6:58 ` list
2018-07-06 21:57 ` konstantin [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180706215715.GC21428@puremoods \
--to=cgit@lists.zx2c4.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).