broken validation of dependency installer signature

Bug #1632502 reported by Jakub Wilk
Affects: Pipelight
Status: Fix Committed
Importance: Critical
Assigned to: Unassigned
Milestone: (none)

Bug Description

This code is supposed to "ensure the signature is valid":

 if ! /usr/bin/gpg --batch --no-default-keyring --keyring "$PIPELIGHT_SHARE_PATH/sig-install-dependency.gpg" --decrypt "$tmpfile" > "$decfile"; then
  rm "$tmpfile"
  rm "$decfile"
  echo ""
  echo "ERROR: Failed to verify signature of the dependency-installer script" >&2
  return 1
 fi

"gpg --decrypt" does verify the signature, but only if the file is actually signed.
If the file is not signed, gpg just happily decrypts it.

Proof-of-concept of a crafted dependency installer script that passes this signature check is attached.

Jakub Wilk (jwilk) wrote :
Changed in pipelight:
status: New → Triaged
importance: Undecided → Critical
Michael Müller (mqchael) wrote :

I can reproduce the behavior. Seems like we only tested it with invalid signatures and didn't pay enough attention to the gpg documentation. The issue itself shouldn't be sufficient for a MiM attack though. The file is downloaded via HTTPS and unless the repository gets hacked, no one should be able to remove the signature. Nevertheless, we should try to fix the bug.

The only problem is that we didn't plan any further releases since Firefox wants to remove NPAPI support at the end of the year. We for example would need to set up our build servers for Debian again, otherwise some users wouldn't get the fix. There are some open questions that need to be answered before we can publish a new version, so I fear it might take a bit before a fixed version gets released.

Michael Müller (mqchael) wrote :

The problem has been addressed in https://bitbucket.org/mmueller2012/pipelight/commits/c9fc745d46bedc2d7509dd87747f754a33cd5e04. Do you see any remaining issues with the new code?

In case you are wondering why I use a pipe in the updated code, some older versions of gpg searched for .sig or .asc files if no signature was found in the file itself. This would allow an attacker to put a forged signature into the temp directory (even though it should be pretty hard to guess the random file name). Passing the content via a pipe should prevent this behavior.

Jakub Wilk (jwilk) wrote :

The new code looks good to me.

information type: Private Security → Public Security
Changed in pipelight:
status: Triaged → Fix Committed
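The following is an added example, not code from the bug report or from the pipelight commit, showing a fail-closed version of the check from the description that also feeds the content through a pipe as the fix discussion suggests. It decides on gpg's machine-readable status lines (--status-fd) rather than on the exit status of "gpg --decrypt"; the function names, the keyring path and the fingerprint values in the test are assumptions or constructed.

```sh
# Added example (not from the bug report or from pipelight): a fail-closed
# replacement for the "gpg --decrypt" check above. gpg exits 0 on unsigned
# input under --decrypt, so the decision is taken on its machine-readable
# status lines (--status-fd) instead: a VALIDSIG line is required, optionally
# from one expected key fingerprint.

# status_has_valid_sig [expected_fpr]
# Reads gpg --status-fd lines on stdin. Returns 0 only if a VALIDSIG line is
# present (and, when given, its fingerprint equals $1). BADSIG, ERRSIG and
# NO_PUBKEY fail immediately; no signature lines at all also fails.
status_has_valid_sig() {
    expected="$1"
    ok=1
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*)
                fpr=$(printf '%s\n' "$line" | awk '{print $3}')
                if [ -z "$expected" ] || [ "$fpr" = "$expected" ]; then
                    ok=0
                fi
                ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] NO_PUBKEY "*)
                return 1
                ;;
        esac
    done
    return $ok
}

# verify_installer <keyring> <signed_file> <plaintext_out> [expected_fpr]
# Wires the parser to gpg. The content is fed through a pipe, as in the fix
# discussed in the thread, so gpg cannot look for a stray .sig/.asc file next
# to it; plaintext goes to --output and status lines to stdout for the parser.
# Assumes gpg is installed; the test below only exercises the parser.
verify_installer() {
    keyring="$1"; signed="$2"; out="$3"; expected="$4"
    gpg --batch --no-default-keyring --keyring "$keyring" \
        --status-fd 1 --output "$out" --decrypt < "$signed" 2>/dev/null \
        | status_has_valid_sig "$expected"
}
```

Pinning the expected fingerprint means a signature from some other key that happens to be in the keyring is rejected as well, not only unsigned or badly signed input.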