Re: [RFC] General Resolution to deploy tag2upload
Luca Boccassi <bluca@debian.org> writes:
> On Wed, 12 Jun 2024 at 17:46, Russ Allbery <rra@debian.org> wrote:
>> I'm not sure that I understand what you're saying here, but if I did
>> understand this correctly, no, this is not correct. My security review
>> says the exact opposite of this: admin access to Salsa does not allow
>> you to bypass the tag2upload checks or upload a source package.
> Probably "push commits anyway" was a wrong oversimplification, what I
> was referring to was all the various "someone with admin access on
> Salsa" mentions on the document you shared.
Hm, I think you're referring to this section?
| - Administrative access to Salsa would make SHA-1 collision attacks
| easier, as discussed below. However, this still assumes the attacker
| is able to create Git trees with colliding hash digests.
|
| - Security vulnerabilities in the Git client used by the tag2upload
| source package construction sandbox could be exploited by a malicious
| Salsa Git server to compromise the VM and introduce malicious code
| into the source package it constructs. Since a malicious Git server
| could similarly be used to compromise the systems of the numerous
| Debian contributors who use Salsa via Git clients regularly, I don't
| believe this introduces substantial new risk, but it does create a new
| avenue of attack that is possibly less likely to be detected.
I think those are the only two places where administrative access to Salsa
helps attack tag2upload specifically. Those are the two that I mentioned
in the security review.
Administrative access to Salsa could be abused to do other things earlier
in the workflow unrelated to tag2upload, although a lot of them would be
easily detected by anyone with an existing Git checkout once they tried to
update it because they would require force pushes.
--
Russ Allbery (rra@debian.org) <https://www.eyrie.org/~eagle/>
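The quoted review says a Salsa administrator only gets leverage if the attacker can already produce Git trees with colliding hash digests. The following is an added illustration of why that is the precondition; it is not code from the thread, from tag2upload, or from Debian, and it stands in for the real pieces with assumptions: HMAC-SHA256 over a constructed key replaces the OpenPGP signature on the tag, and a Python dict keyed by object ID replaces the repository's object store. What it shows is that a signed tag pins content only through a chain of SHA-1 object IDs: the signature covers the tag body bytes, which name the commit by hash; the commit body names the tree by hash; and every lookup along the way is by hash, never by content.

```python
# Added example (not part of the original thread or of tag2upload): the
# object-ID chain that a signed Git tag relies on, in a SHA-1 repository.
from __future__ import annotations

import hashlib
import hmac


def object_id(kind: str, body: bytes) -> str:
    """Loose-object ID in a SHA-1 repository: sha1('<kind> <len>\\0' + body)."""
    return hashlib.sha1(f"{kind} {len(body)}\0".encode() + body).hexdigest()


def blob_id(content: bytes) -> str:
    return object_id("blob", content)


def tree_body(entries: list[tuple[str, str, str]]) -> bytes:
    """Serialise (mode, name, hex id) entries; Git sorts by name and treats a
    subdirectory (mode 40000) as if its name ended in '/'."""
    key = lambda e: e[1] + ("/" if e[0] == "40000" else "")
    return b"".join(
        f"{mode} {name}\0".encode() + bytes.fromhex(oid)
        for mode, name, oid in sorted(entries, key=key)
    )


def tree_id(entries: list[tuple[str, str, str]]) -> str:
    return object_id("tree", tree_body(entries))


def commit_body(tree: str, ident: str, message: str) -> bytes:
    return f"tree {tree}\nauthor {ident}\ncommitter {ident}\n\n{message}\n".encode()


def tag_body(commit: str, name: str, ident: str, message: str) -> bytes:
    return f"object {commit}\ntype commit\ntag {name}\ntagger {ident}\n\n{message}\n".encode()


SIG_MARK = b"-----BEGIN STAND-IN SIGNATURE-----\n"


def sign_tag(body: bytes, key: bytes) -> bytes:
    """Append a signature block where git appends the PGP block.
    Assumption for the demo: HMAC-SHA256 stands in for OpenPGP."""
    mac = hmac.new(key, body, "sha256").hexdigest().encode()
    return body + SIG_MARK + mac + b"\n-----END STAND-IN SIGNATURE-----\n"


def verify_tag(signed: bytes, key: bytes) -> bytes | None:
    """Return the unsigned tag body if the signature checks, else None."""
    body, sep, rest = signed.partition(SIG_MARK)
    if not sep:
        return None
    mac = rest.split(b"\n", 1)[0]
    expected = hmac.new(key, body, "sha256").hexdigest().encode()
    return body if hmac.compare_digest(mac, expected) else None


def header_field(body: bytes, field: str) -> str:
    """Value of the first '<field> <value>' line in an object header."""
    for line in body.split(b"\n\n", 1)[0].split(b"\n"):
        name, _, value = line.decode().partition(" ")
        if name == field:
            return value
    raise ValueError(f"no {field} header")


def resolve_tree(store: dict[str, bytes], signed_tag: bytes, key: bytes) -> str | None:
    """What a tag-driven uploader learns: signature OK -> commit ID (from the
    signed bytes) -> tree ID (from the commit body, fetched by its ID)."""
    body = verify_tag(signed_tag, key)
    if body is None:
        return None
    commit = store.get(header_field(body, "object"))  # looked up by SHA-1, not by content
    if commit is None:
        return None
    return header_field(commit, "tree")


DEMO_KEY = b"constructed-demo-key"  # constructed stand-in for the uploader's key
DEMO_IDENT = "A Developer <dev@example.org> 1718200000 +0000"  # constructed


def build_demo() -> tuple[dict[str, bytes], bytes, str]:
    """Constructed sample objects: one blob, its tree, a commit, a signed tag."""
    store: dict[str, bytes] = {}

    def put(kind: str, body: bytes) -> str:
        oid = object_id(kind, body)
        store[oid] = body
        return oid

    blob = put("blob", b"hello\n")
    tree = put("tree", tree_body([("100644", "hello.txt", blob)]))
    commit = put("commit", commit_body(tree, DEMO_IDENT, "Import upstream"))
    signed = sign_tag(tag_body(commit, "debian/1.0-1", DEMO_IDENT, "Release"), DEMO_KEY)
    return store, signed, tree


if __name__ == "__main__":
    store, signed, tree = build_demo()
    print("signed tag resolves to tree", resolve_tree(store, signed, DEMO_KEY))
```

The IDs this produces match what `git hash-object` gives (for instance `printf 'hello\n' | git hash-object --stdin` prints the same blob ID), so the chain here is the real one, not a toy. Two consequences follow. First, a server that merely serves a different tree body is caught, because a client checks that every fetched object hashes to the ID it was asked for; that is why the review treats a plain malicious server as a client-exploit problem rather than a signature-bypass problem. Second, if an attacker could produce a second tree body with the same SHA-1, `store[tree]` would hand back their content and everything above it, commit hash, tag body and signature, would verify unchanged, which is exactly the precondition the review names. Repositories created with `git init --object-format=sha256` replace the hash in this chain, but the signature-covers-only-the-tag-body structure is the same.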