Re: dependency-confusion

2021-02-21 Thread Jan-Marek Glogowski

On 21.02.21 at 23:08 Andrew Udvare wrote:
> On 21/02/2021 16:43, Rene Engelhard wrote:
>> And LibreOffice Online *does* use npm.
>>
>> So while LibreOffice itself shouldn't be affected, conceptually by using
>> npm LibreOffice Online is.
>
> I think if you use 'npm install' (or 'yarn install'), the manager should
> be pulling in the correct version and then hash checking based on the
> contents of the .lock file. Running `npm update`, `npm install <package>`
> or similar may be affected.

It's not a bug in a package manager. It's your insecure setup for internal
packages / repositories.

> The real issue is when a new dependency gets added or updated but
> everything seems normal, in that the replacement dependency has stubs to
> not make the code crash, but also does nefarious things in the
> background. There would be no way to know without deep inspection, and
> npm dependency trees are usually huge.


No. Hiding would be a bonus, but at this point the attacker already had 
RCE, which would compromise you, even if you detect it.


This is all about hijacking (optional) known / public dependencies. But 
there are mitigations available.


The attacked companies used some optional internal package. Normally 
they get this from an internal repo, but now someone hijacked the name 
in the official repo with a huge version number, so it would be 
preferred over the internal package. Result: pwned.


The linked 
https://azure.microsoft.com/de-de/resources/3-ways-to-mitigate-risk-using-private-package-feeds/ 
is a good summary of mitigation strategies. But you need to provide a 
secure setup.


That document omits Linux package managers and repositories, but the 
same attack and mitigations would apply to them. But since you normally 
can't just register a package in Linux distros, that risk is much lower. 
OTOH just imagine a malicious postinst script in a deb in some PPA.

___
LibreOffice mailing list
LibreOffice@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/libreoffice


Re: dependency-confusion

2021-02-21 Thread Andrew Udvare

On 21/02/2021 16:43, Rene Engelhard wrote:
> And LibreOffice Online *does* use npm.
>
> So while LibreOffice itself shouldn't be affected, conceptually by using
> npm LibreOffice Online is.

I think if you use 'npm install' (or 'yarn install'), the manager should
be pulling in the correct version and then hash checking based on the
contents of the .lock file. Running `npm update`, `npm install <package>`
or similar may be affected.


The real issue is when a new dependency gets added or updated but 
everything seems normal, in that the replacement dependency has stubs to 
not make the code crash, but also does nefarious things in the 
background. There would be no way to know without deep inspection, and 
npm dependency trees are usually huge.


--
Andrew





Re: dependency-confusion

2021-02-21 Thread Rene Engelhard
Hi,

On 21.02.21 at 09:43 Andrew Udvare wrote:
>> On 2021-02-20, at 16:48, Jean-Baptiste Faure  wrote:
>>
>> Hi,
>>
>> I certainly did not understand everything in 
>> https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610, but I 
>> wonder if LibreOffice could be subject to this kind of vulnerability?
> As far as I can tell, the dependencies that LibreOffice uses in distributions 
> are gathered manually and updated manually. So, not really.

It's not that easy. The question indeed doesn't make sense for
LibreOffice itself.


Still anything which uses those "get your dependencies randomly from
some random place in random versions and save them into your tree"
thingy like npm, pip etc. is a problem.

And LibreOffice Online *does* use npm.


So while LibreOffice itself shouldn't be affected, conceptually by using
npm LibreOffice Online is.


Regards,


Rene



Re: dependency-confusion

2021-02-21 Thread Andrew Udvare


> On 2021-02-20, at 16:48, Jean-Baptiste Faure  wrote:
> 
> Hi,
> 
> I certainly did not understand everything in 
> https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610, but I 
> wonder if LibreOffice could be subject to this kind of vulnerability?

As far as I can tell, the dependencies that LibreOffice uses in distributions 
are gathered manually and updated manually. So, not really.

-- 
Andrew



dependency-confusion

2021-02-20 Thread Jean-Baptiste Faure

Hi,

I certainly did not understand everything in 
https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610, but I wonder if 
LibreOffice could be subject to this kind of vulnerability?


Best regards
JBF
--
Only open formats can ensure the long-term preservation of your documents.