I've been working on a new way to sign archives, in preparation for a
change to pkg tools, with feedback from Theo and Tedu.

The actual problem happened in FreeBSD. They got a hole in their
gunzip pipeline a few weeks ago (a rather subtle one). So if your
workflow is:

1/ fetch data -> 2/ uncompress it -> 3/ check signature -> 4/ process data

you've got TWO steps (1 and 2) that are relatively easy to tamper with, 
with potentially deadly consequences.

The solution is to move the signature outside of the gzip header. New
workflow is
1/ fetch data -> 2/ check signature -> 3/ uncompress -> 4/ process data

Since step 1/ is privsep, as long as step 2 is airtight, 3/ and 4/
are no longer vulnerable.

Just committed some preliminary code into signify that allows that.

Guidelines:
- small, self-contained code to parse simple gzip headers
- signify-style signature in the gzip comment. Contains checksums of
64K blocks of the compressed archive
- don't even think about passing the original gzip header through
- use as a pipeline step: does not need to download full archive to
use it, and never ever pass any data to the gunzip part before it's been
verified.
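Here is an added example of the pipeline shape those guidelines describe; it is not signify's code and does not use signify's on-disk format. A tiny RFC 1952 header parser reads and discards the original header, a manifest of SHA-256 digests of 64K blocks of the compressed body is taken from the gzip comment and its signature is checked first, and only blocks whose digest matches are handed to the inflater, which is started on a freshly built minimal header rather than the original one. The manifest layout, the 64K block size constant, and `DEMO_KEY` are assumptions of this example; the HMAC-SHA256 "signature" is a stand-in for signify's Ed25519 signature so the code runs with the Python standard library alone.

```python
"""Signed 64K-block verification of a gzip stream, done before the inflater sees a byte.
Constructed example, not signify's code: the digest list travels in the gzip FCOMMENT and is
"signed" with HMAC-SHA256 under DEMO_KEY, a stand-in for signify's Ed25519 signature."""
import hashlib
import hmac
import io
import struct
import zlib

BLOCK = 64 * 1024
DEMO_KEY = b"constructed demo key, not a real signify key"  # hypothetical
# Minimal fresh header (FLG=0, MTIME=0, OS=unknown) fed to the inflater in place
# of the original header, which is parsed and then thrown away.
CLEAN_HEADER = b"\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff"

def build_signed_gzip(payload, key=DEMO_KEY):
    """Producer: raw-deflate, digest 64K blocks of the body (deflate + trailer), sign, store."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw deflate, no zlib/gzip wrapper
    body = comp.compress(payload) + comp.flush()
    body += struct.pack("<II", zlib.crc32(payload) & 0xFFFFFFFF, len(payload) & 0xFFFFFFFF)
    digests = [hashlib.sha256(body[i:i + BLOCK]).hexdigest() for i in range(0, len(body), BLOCK)]
    manifest = "\n".join(["blocksize=%d" % BLOCK] + digests)
    sig = hmac.new(key, manifest.encode("latin-1"), hashlib.sha256).hexdigest()
    comment = (manifest + "\nsig=" + sig).encode("latin-1") + b"\x00"
    return b"\x1f\x8b\x08\x10\x00\x00\x00\x00\x00\xff" + comment + body  # FLG=0x10: FCOMMENT

def _read_exact(stream, n):
    data = stream.read(n)
    if len(data) != n:
        raise ValueError("truncated gzip header")
    return data

def _read_cstring(stream, limit=65536):
    out = bytearray()
    while True:
        c = _read_exact(stream, 1)
        if c == b"\x00":
            return bytes(out)
        out += c
        if len(out) > limit:
            raise ValueError("oversized gzip header string")

def parse_gzip_header(stream):
    """Consume an RFC 1952 header (fixed part plus optional fields); return the comment bytes."""
    fixed = _read_exact(stream, 10)
    if fixed[:3] != b"\x1f\x8b\x08":
        raise ValueError("not a deflate gzip stream")
    flg = fixed[3]
    if flg & 0xE0:
        raise ValueError("reserved FLG bits set")
    if flg & 0x04:                                   # FEXTRA: skip
        _read_exact(stream, struct.unpack("<H", _read_exact(stream, 2))[0])
    if flg & 0x08:                                   # FNAME: skip
        _read_cstring(stream)
    comment = _read_cstring(stream) if flg & 0x10 else b""   # FCOMMENT
    if flg & 0x02:                                   # FHCRC: skip
        _read_exact(stream, 2)
    return comment

def parse_manifest(comment, key=DEMO_KEY):
    """Verify the comment's signature first, then return (blocksize, [hex digests])."""
    lines = comment.decode("latin-1").split("\n")
    if len(lines) < 3 or not lines[0].startswith("blocksize=") or not lines[-1].startswith("sig="):
        raise ValueError("gzip comment is not a signed block manifest")
    manifest = "\n".join(lines[:-1])
    expect = hmac.new(key, manifest.encode("latin-1"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(lines[-1][4:].encode("latin-1"), expect.encode()):
        raise ValueError("manifest signature does not verify")
    blocksize = int(lines[0][10:])
    if blocksize <= 0:
        raise ValueError("bad block size")
    return blocksize, lines[1:-1]

def verified_gunzip(stream, key=DEMO_KEY):
    """Consumer, usable as a pipeline step: yields decompressed chunks, giving each compressed
    block to the inflater only after it matched the signed manifest; failures raise first."""
    blocksize, digests = parse_manifest(parse_gzip_header(stream), key)
    inflater = zlib.decompressobj(wbits=31)   # 16+15: gzip framing, checks CRC32/ISIZE
    inflater.decompress(CLEAN_HEADER)         # our own header, never the original one
    for i, want in enumerate(digests):
        block = stream.read(blocksize)
        got = hashlib.sha256(block).hexdigest()
        if not block or not hmac.compare_digest(got.encode(), want.encode("latin-1")):
            raise ValueError("block %d does not match its signed digest" % i)
        yield inflater.decompress(block)
    if stream.read(1) or inflater.unused_data or not inflater.eof:
        raise ValueError("compressed stream does not end where the manifest says")
    yield inflater.flush()

def gunzip_verified_bytes(blob, key=DEMO_KEY):
    return b"".join(verified_gunzip(io.BytesIO(blob), key))

def is_rejected(blob, key=DEMO_KEY):
    """True if the verifier refuses the stream (shows tampering is caught before inflation)."""
    try:
        gunzip_verified_bytes(blob, key)
        return False
    except ValueError:
        return True

def sample_payload():
    # Constructed, deterministic, incompressible data so the body spans several blocks.
    return b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(6400))
```

Flipping one bit anywhere in the compressed body makes that block's digest fail before the inflater receives it, and flipping one hex digit of the manifest in the comment makes the signature check fail before any block is read; a truncated download is caught the same way, since the short final block no longer matches its signed digest. Because `verified_gunzip` is a generator over a stream, it can sit between the fetch step and the gunzip step without buffering the whole archive.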

Note that afaik we haven't had any hole in our gunzipping process. Well...
waiting for an accident to happen is not how we do things.  Hopefully, this
should prevent future mishaps.

-- 
        Marc
