From patchwork Sun Mar 6 11:27:09 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Allan McRae
X-Patchwork-Id: 2043
From: Allan McRae
To: pacman-dev@lists.archlinux.org
Subject: [PATCH] Do not use WKD to import keys for package installs from a file
Date: Sun, 6 Mar 2022 21:27:09 +1000
Message-Id: <20220306112709.2639263-1-allan@archlinux.org>
X-Mailer: git-send-email 2.35.1
List-Id: Discussion list for pacman development

In order to use WKD in pacman -U/--upgrade operations, we need to get the
packager information from the .PKGINFO within the package. That has obvious
security implications. e.g. something like this could convince a user to
download a different key to what they expect:

packager = foo bar <>^[[2K^[[0G:: Import PGP key DEADBEEF, "foo

While downloading an untrusted key has little impact due to the web-of-trust
model used by pacman, this could be bad in combination with an exploit that
allowed trust of keys in the keyring to be altered.

To be safe, do not use WKD when installing using -U.

Fixes FS#73703. Signed-off-by: Allan McRae --- lib/libalpm/be_package.c | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/lib/libalpm/be_package.c b/lib/libalpm/be_package.c index e837ffb8..203c98c1 100644 --- a/lib/libalpm/be_package.c +++ b/lib/libalpm/be_package.c @@ -721,7 +721,6 @@ int SYMEXPORT alpm_pkg_load(alpm_handle_t *handle, const char *filename, int ful int validation = 0; char *sigpath; alpm_pkg_t *pkg_temp; - char *packager; CHECK_HANDLE(handle, return -1); ASSERT(pkg != NULL, RET_ERR(handle, ALPM_ERR_WRONG_ARGS, -1)); @@ -747,13 +746,7 @@ int SYMEXPORT alpm_pkg_load(alpm_handle_t *handle, const char *filename, int ful char *key = k->data; if(_alpm_key_in_keychain(handle, key) == 0) { pkg_temp = _alpm_pkg_load_internal(handle, filename, full); - if(pkg_temp) { - packager = pkg_temp->packager; - - } else { - packager = NULL; - } - if(_alpm_key_import(handle, packager, key) == -1) { + if(_alpm_key_import(handle, NULL, key) == -1) { fail = 1; } _alpm_pkg_free(pkg_temp);
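
Review bot: in the second hunk (@@ -747,13 +746,7 @@), "pkg_temp = _alpm_pkg_load_internal(handle, filename, full);" and the matching "_alpm_pkg_free(pkg_temp);" are left in the loop even though nothing from the loaded package is read once NULL replaces packager in the _alpm_key_import() call. As posted, the untrusted file is still parsed once per missing key before any key is imported, with no visible use of the result; consider dropping both lines, and the "alpm_pkg_t *pkg_temp;" declaration kept as context in the first hunk if it has no other user. A one-line comment at the NULL argument saying the packager is deliberately not passed for -U installs would help keep the lookup from being reinstated later.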
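
The packager line in the commit message works because control bytes from an untrusted .PKGINFO field reach the terminal unchanged. As an added illustration (not pacman or libalpm code; the helper name and the \xNN rendering are assumptions), this shows one way to make such a field inert before it is displayed in a prompt:

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: the packager value from the commit message, with the
 * two ^[ sequences written as real ESC (0x1b) bytes. */
static const char SAMPLE_PACKAGER[] =
	"foo bar <>\x1b[2K\x1b[0G:: Import PGP key DEADBEEF, \"foo";

/* Hypothetical helper (not part of libalpm): copy an untrusted metadata
 * field into out, replacing each C0 control byte (< 0x20) and DEL (0x7f)
 * with a visible \xNN escape so it cannot erase or rewrite the prompt line.
 * Bytes >= 0x80 pass through so UTF-8 names survive; C1 controls encoded
 * as UTF-8 are not handled here.
 * Returns the number of bytes escaped, or -1 if out is too small. */
int escape_untrusted_field(const char *in, char *out, size_t outlen)
{
	size_t o = 0;
	int escaped = 0;

	if(outlen == 0) {
		return -1;
	}
	for(; *in; in++) {
		unsigned char c = (unsigned char)*in;
		int is_ctrl = (c < 0x20 || c == 0x7f);
		size_t need = is_ctrl ? 4 : 1;

		/* keep room for this unit plus the terminating NUL */
		if(o + need + 1 > outlen) {
			return -1;
		}
		if(is_ctrl) {
			snprintf(out + o, outlen - o, "\\x%02x", c);
			escaped++;
		} else {
			out[o] = (char)c;
		}
		o += need;
	}
	out[o] = '\0';
	return escaped;
}

int main(void)
{
	char shown[128];
	int n = escape_untrusted_field(SAMPLE_PACKAGER, shown, sizeof(shown));

	printf("escaped %d control byte(s): %s\n", n, shown);
	return n < 0;
}
```

A non-zero return value is also a useful signal on its own: a packager field that needed escaping is worth flagging before any key prompt is shown.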