On Fri, Feb 26, 2016 at 09:34:33PM -0800, Nathaniel Smith wrote:
> Package: emacs24
> Version: 24.5+1-6+b1
> Severity: serious
> Tags: security
> Justification: 5(b) of https://release.debian.org/testing/rc_policy.txt
> 
> Debian's emacs builds are linked against gnutls:
> 
> (gnutls-available-p)
> t
> 
> By default, they aren't configured to validate TLS certificates,
> leaving users open to trivial MITM attacks:
> 
> (require 'gnutls)
> gnutls-verify-error
> nil
> 
> (url-retrieve-synchronously "https://wrong.host.badssl.com")
> #<buffer  *http wrong.host.badssl.com:443*>
> (url-retrieve-synchronously "https://self-signed.badssl.com")
> #<buffer  *http self-signed.badssl.com:443*>
> 
> Okay, fine, but at least it is easy to turn this on:
> 
> (setq gnutls-verify-error t)
> 
> There are even some nice docs explaining how and why to do this:
>    https://glyph.twistedmatrix.com/2015/11/editor-malware.html
> (Short version: if you aren't using https for the package servers --
> #797477 -- and haven't enabled TLS checking, and ever run
> package-install over coffee-shop wifi, then congratulations, you've
> just allowed anyone within wifi range to execute arbitrary code on
> your user account.)
> 
> However, Debian's emacs24 somehow manages to be so broken that turning
> on cert verification via (setq gnutls-verify-error t) *doesn't
> work*. The docs say it should work, and explain in detail how to
> configure finding the CA trust store (this is configured correctly
> out-of-the-box on Debian). And sometimes I've even had it fail on
> https://wrong.host.badssl.com after setting this (but not
> always). However, it always happily loads
> https://self-signed.badssl.com, which means it's providing no
> protection at all against MITM attacks.
> 
> Bottom line: even if you configure everything correctly, Debian's
> emacs will still happily execute whatever random code your barista
> gives you.

There don't appear to be any gnutls-specific patches in Debian's
emacs24 package, so this is most definitely an upstream bug.

Could you please report it upstream?

Cheers,
        Moritz
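
The probe below is an added example, not code from the bug report or from the Debian or Emacs projects. It checks whether an Emacs build actually enforces TLS certificate verification by forcing `gnutls-verify-error' to t and attempting a handshake with the badssl.com test hosts named above; it assumes `(gnutls-available-p)' is t, that the default `gnutls-trustfiles' already point at the system CA store (as the report says they do on Debian), that the hosts are reachable, and that badssl.com itself serves a valid certificate (used here as a control). The function and host names are hypothetical.

```elisp
;; Added example: probe whether this Emacs build enforces TLS
;; certificate verification. Not part of the original bug report.
(require 'gnutls)

(defun tls-check-host (host)
  "Attempt a TLS handshake with HOST on port 443, verification forced on.
Return the symbol `rejected' when the handshake is refused (the correct
outcome for a bad certificate), `accepted' when a stream is opened, or
the error message as a string for any other failure (DNS, timeout...)."
  ;; Binding `gnutls-verify-error' to t asks `gnutls-negotiate' to
  ;; reject any certificate that fails validation, regardless of the
  ;; user's global setting.
  (let ((gnutls-verify-error t)
        proc)
    (condition-case err
        (progn
          (setq proc (open-gnutls-stream "tls-check" nil host 443))
          (when (process-live-p proc)
            (delete-process proc))
          'accepted)
      (error
       ;; `gnutls-error' has `error' among its conditions, so a refused
       ;; handshake lands here; other errors keep their message.
       (if (eq (car err) 'gnutls-error)
           'rejected
         (error-message-string err))))))

(defun tls-check-report ()
  "Probe two known-bad badssl.com hosts and one assumed-good control.
A build that verifies certificates returns `rejected' for the first
two and `accepted' for the last. An `accepted' for either badssl test
host means the editor is not validating certificates at all, which is
exactly what the report above describes."
  (mapcar (lambda (host) (cons host (tls-check-host host)))
          '("self-signed.badssl.com"   ; self-signed: must be rejected
            "wrong.host.badssl.com"    ; hostname mismatch: must be rejected
            "badssl.com")))            ; assumed valid cert: control case

;; Evaluate (tls-check-report) in *scratch* to see the per-host results.
```

Running this from a scratch buffer gives one cons cell per host; a sane configuration yields `rejected' for both badssl test hosts, so any `accepted' there reproduces the problem without relying on `url-retrieve-synchronously', which can mask the handshake outcome by simply returning a buffer.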
