On Fri, Feb 26, 2016 at 09:34:33PM -0800, Nathaniel Smith wrote:

> Package: emacs24
> Version: 24.5+1-6+b1
> Severity: serious
> Tags: security
> Justification: 5(b) of https://release.debian.org/testing/rc_policy.txt
>
> Debian's emacs builds are linked against gnutls:
>
>     (gnutls-available-p)
>     t
>
> By default, they aren't configured to validate TLS certificates,
> leaving users open to trivial MITM attacks:
>
>     (require 'gnutls)
>     gnutls-verify-error
>     nil
>
>     (url-retrieve-synchronously "https://wrong.host.badssl.com")
>     #<buffer *http wrong.host.badssl.com:443*>
>     (url-retrieve-synchronously "https://self-signed.badssl.com")
>     #<buffer *http self-signed.badssl.com:443*>
>
> Okay, fine, but at least it is easy to turn this on:
>
>     (setq gnutls-verify-error t)
>
> There are even some nice docs explaining how and why to do this:
> https://glyph.twistedmatrix.com/2015/11/editor-malware.html
> (Short version: if you aren't using https for the package servers --
> #797477 -- and haven't enabled TLS checking, and ever run
> package-install over coffee-shop wifi, then congratulations, you've
> just allowed anyone within wifi range to execute arbitrary code on
> your user account.)
>
> However, Debian's emacs24 somehow manages to be so broken that turning
> on cert verification via (setq gnutls-verify-error t) *doesn't
> work*. The docs say it should work, and explain in detail how to
> configure finding the CA trust store (this is configured correctly
> out-of-the-box on Debian). And sometimes I've even had it fail on
> https://wrong.host.badssl.com after setting this (but not
> always). However, it always happily loads
> https://self-signed.badssl.com, which means it's providing no
> protection at all against MITM attacks.
>
> Bottom line: even if you configure everything correctly, Debian's
> emacs will still happily execute whatever random code your barista
> gives you.
There don't appear to be any gnutls-specific patches in Debian's emacs24 package, so this is most definitely an upstream bug. Could you please report it upstream?

Cheers,
Moritz
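As an added self-check that is not part of the bug report or of Emacs itself: after enabling `gnutls-verify-error`, open a raw TLS connection to the two badssl.com hosts named in the report and warn when a handshake that should fail certificate validation succeeds instead. It assumes `(gnutls-available-p)` is `t`, that the hosts are reachable, and that a rejected handshake surfaces as a `gnutls-error` (an `error` condition) from `open-network-stream`; the function names `tls-check-rejects-p` and `tls-check-run` are made up for this example.

```elisp
;; Added self-check (not from the bug report or from Emacs): verify that
;; certificate validation is actually enforced for known-bad hosts.
(require 'gnutls)

(setq gnutls-verify-error t)

(defun tls-check-rejects-p (host)
  "Return non-nil if a TLS connection to HOST on port 443 is rejected.
A `gnutls-error' (or any other error) counts as rejection; a live
process means the bad certificate was accepted."
  (condition-case err
      (let ((proc (open-network-stream "tls-check" nil host 443 :type 'tls)))
        ;; Verification did not stop the handshake: close the socket and
        ;; report that the host was accepted.
        (when (processp proc) (delete-process proc))
        nil)
    (error
     (message "%s rejected: %s" host (error-message-string err))
     t)))

(defun tls-check-run ()
  "Check hosts whose certificates must be rejected (constructed list
taken from the report). Return t only if every one is rejected."
  (let ((bad-hosts '("self-signed.badssl.com" "wrong.host.badssl.com"))
        (all-rejected t))
    (dolist (host bad-hosts)
      (unless (tls-check-rejects-p host)
        (setq all-rejected nil)
        (message "WARNING: %s accepted although gnutls-verify-error is t"
                 host)))
    all-rejected))

;; Evaluate the buffer and look at *Messages*: nil means verification is
;; not effective, which is the behaviour the report describes.
(tls-check-run)
```

Because this bypasses `url-retrieve`, a nil result points at the GnuTLS layer rather than at the URL library's handling of the setting.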