[SECURITY] dlang Artifacts are downloaded insecurely #5
Comments
Hm, I don't think the D download endpoint supports HTTPS, but it has a GnuPG keyring and signatures with each release since 2.067.0. However, https://help.github.com/en/articles/software-in-virtual-environments-for-github-actions doesn't list GnuPG as installed, so I don't think we can verify it with pre-installed programs. Otherwise I don't know how we could verify the signatures.
I'm working on getting this resolved by requiring SHA-256 signatures if you are using HTTP instead of HTTPS.
sha256 doesn't help much, as we don't know the full set of possible artifacts that may be downloaded. I'd look into downloading a portable gpg binary and using that instead.
I think it would be better to try to include some PGP library, try to parse the keyring they give us somehow, and use it in TypeScript.
@WebFreak001 can you maybe also ask D upstream if it would be possible to add HTTPS to download.dlang.org? This looks like a simple oversight.
Died in the forums: https://forum.dlang.org/post/[email protected]
You can tell them that using https://letsencrypt.org/ is free.
The download.dlang.org domain is an alias for their AWS bucket, where I think there were some problems. Directly using their bucket URL via HTTPS is possible, but it's possible it would break in the future, and adding a fallback in case it's not valid anymore won't add any security, because a MITM could just deny access to the HTTPS-encrypted AWS bucket then.
Yeah, I intend to stick with the gpg solution until GitHub release artifacts are provided - haven't had any time in the last few weeks to do it though.
@WebFreak001 just checked and the gpg binary is available on Windows CI VMs out of the box, so this is low-hanging fruit. Will submit a patch soon-ish.
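The gpg-based check this thread settles on, written out as an added example (not the setup-dlang action's own code): fetch the file and its detached signature, and only accept the file if the signature verifies against a dedicated D release keyring. It assumes `curl` and `gpg` are on the runner; the base URL, file name and keyring path in the usage comment are placeholders, since the thread does not give them.

```shell
#!/usr/bin/env sh
# Added example, not code from the setup-dlang action. Verifies a DMD release
# file fetched over plain HTTP against its detached OpenPGP signature using
# only the D release keyring, so a MitM'd download is rejected, not executed.
set -eu

# verify_artifact FILE SIG KEYRING
# Succeeds only when SIG is a good signature over FILE by a key in KEYRING.
verify_artifact() {
    file=$1 sig=$2 keyring=$3
    [ -s "$file" ]    || { echo "missing artifact: $file" >&2; return 2; }
    [ -s "$sig" ]     || { echo "missing signature: $sig" >&2; return 2; }
    [ -s "$keyring" ] || { echo "missing keyring: $keyring" >&2; return 2; }
    # --no-default-keyring: keys in the runner's default keyring must never
    # satisfy the check. --trust-model always: the keyring file itself is the
    # pin, so ownertrust is irrelevant. Only the exit status is used.
    gpg --batch --no-default-keyring --keyring "$keyring" \
        --trust-model always --verify "$sig" "$file" >/dev/null 2>&1
}

# fetch_and_verify BASE_URL NAME DEST KEYRING
# Downloads NAME and NAME.sig from BASE_URL into DEST and deletes both on any
# failure, so an unverified file never lingers for a later step to pick up.
fetch_and_verify() {
    base=$1 name=$2 dest=$3 keyring=$4
    curl -fsSL -o "$dest/$name" "$base/$name" &&
    curl -fsSL -o "$dest/$name.sig" "$base/$name.sig" &&
    verify_artifact "$dest/$name" "$dest/$name.sig" "$keyring" && return 0
    rm -f "$dest/$name" "$dest/$name.sig"
    echo "refusing to use $name: download or signature check failed" >&2
    return 1
}

# Usage (PLACEHOLDER values: the real release path, file name and keyring
# location are not given in this thread):
#   fetch_and_verify "http://download.dlang.org/PLACEHOLDER" \
#       "dmd-PLACEHOLDER.tar.xz" "$RUNNER_TEMP" "/path/to/d-keyring.gpg"
```

Pass the keyring as an absolute path: a bare file name makes gpg look for it inside GNUPGHOME rather than the working directory.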
Fixes #5. DMD does not use HTTPS for download links, thus using a GPG signature is necessary to avoid MitM. LDC currently does not need/provide those.
CWE-829: Inclusion of Functionality from Untrusted Control Sphere
CWE-494: Download of Code Without Integrity Check
This project contains files that indicate that it is resolving dependencies over HTTP instead of HTTPS. Any of these artifacts can be MITMed to maliciously compromise them and infect the build artifacts that are produced.
This vulnerability has a CVSS v3.0 Base Score of 8.1/10.
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
This isn't just theoretical.
POC code has existed since 2014 to maliciously compromise software downloaded in flight.
See:
MITM Attacks Increasingly Common
See:
Source Locations