From: Jason at zx2c4.com (Jason A. Donenfeld)
Subject: Security pitfalls of .tar.asc
Date: Thu, 5 Jul 2018 02:54:52 +0200 [thread overview]
Message-ID: <CAHmME9rRcvDHP9YE1FCp4apvh_CWcT0SAJ+sb088PkN4oa3vsQ@mail.gmail.com> (raw)
Hi list,
The upcoming cgit 1.2 release will have support for attaching .asc
signatures to tarballs. Adding a .tar.xz.asc is straightforward and
works as expected. But there's also display logic for showing .tar.asc
signatures next to .tar.xz files. The intent is to do something like
this:
$ curl -LO https://git.zx2c4.com/cgit/snapshot/cgit-1.1.tar.xz
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 86268 0 86268 0 0 122k 0 --:--:-- --:--:-- --:--:-- 123k
$ curl -LO https://git.zx2c4.com/cgit/snapshot/cgit-1.1.tar.asc
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 858 0 858 0 0 2150 0 --:--:-- --:--:-- --:--:-- 2177
$ unxz cgit-1.1.tar.xz
$ gpg --verify cgit-1.1.tar.asc
gpg: assuming signed data in 'cgit-1.1.tar'
gpg: Signature made Thu 05 Jul 2018 02:34:20 AM CEST
gpg: using RSA key AB9942E6D4A4CFC3412620A749FC7012A5DE03AE
gpg: issuer "jason at zx2c4.com"
gpg: Good signature from "Jason A. Donenfeld <Jason at zx2c4.com>" [ultimate]
This works fine, but there's something a bit troubling about it: it
means that users are instructed to run untrusted tarballs through
`unxz`, which is big and complicated and could have nasty
vulnerabilities. My understanding is that this is desired because
.tar.xz is not stable -- xz might do different things between versions
or compression levels -- whereas git considers its .tar output to be a
stable format. So I can see why it'd be desirable to host .tar.asc
instead of .tar.xz.asc. But from a security perspective, this might be
sub-optimal.
Thoughts?
Regards,
Jason
next reply other threads:[~2018-07-05 0:54 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-07-05 0:54 Jason [this message]
2018-07-05 6:58 ` list
2018-07-06 21:57 ` konstantin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAHmME9rRcvDHP9YE1FCp4apvh_CWcT0SAJ+sb088PkN4oa3vsQ@mail.gmail.com \
--to=cgit@lists.zx2c4.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).