Julia: [security problem] By allowing the source code to be downloaded without checking a cryptographic hash, Julia subjects users to the possibility of MITM attacks

Created on 2 Apr 2018 · 10 Comments · Source: JuliaLang/julia

For example, here is the URL of Tk: https://github.com/JuliaGraphics/Tk.jl/blob/master/deps/build.jl#L21
No cryptographic hash accompanies this URL. This means that anybody who has access to the network signal can substitute such a file with a malicious copy.

As an example, the R language also downloads packages, but it always checks the MD5 hash. Another example: every source FreeBSD downloads to build any port is always checked against sha256 fingerprints.

Please make cryptographic hash required for all downloads (both http and https).

All 10 comments

It'd be more useful to submit an issue to the Tk.jl package github repository; there are two new Julia packages, BinaryBuilder.jl and BinaryProvider.jl which provide an updated workflow for building and installing secure binaries, which would solve this problem.

Many modules have this problem. Here is another example: https://github.com/JuliaGraphics/Cairo.jl/blob/master/deps/build.jl#L101
This is a systemic problem in Julia; that's why I created it here. If I have to chase down individual packages, this will never be solved.

Maybe Tk has to be removed from the official repository and Pkg3/Pkg has to inform users about this "banning" process and propose to uninstall it.

Better would be to port these packages to the new build system that does hash checking. Help doing that is greatly appreciated.

I think it would be better to enforce an SHA validation on all download calls during Pkg.build, as implemented in #26683.

There doesn't seem to be anything to do in this repository, is there?

Then you should forward it to the right repository.

It seems you found the repository. Opening an issue there would be very helpful.

@StefanKarpinski, in this repository, we could enforce that all download calls during Pkg.build
do an SHA check, which would be more effective than filing issues in packages one by one.

Yes, it sounds like a great idea to enforce SHA checks for all Pkg.build calls.
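As an added illustration of the check the thread asks Pkg.build to enforce (example code, not part of Julia or Pkg): an artifact is fetched to a temporary path, its SHA-256 is compared in constant time against a pinned digest, and it is only moved into place on a match. The `fetch!` callback is assumed to be supplied by the caller (for a real URL, something like `dest -> download(url, dest)`); the demo below uses a constructed in-memory "download" so it runs offline.

```julia
using SHA  # stdlib; provides sha256 for strings, byte vectors and IO streams

# Raised when a fetched artifact does not match the pinned digest.
struct HashMismatch <: Exception
    path::String
    expected::String
    actual::String
end

# Lowercase hex SHA-256 of a file, streamed so large tarballs need not fit in memory.
function sha256_hex(path::AbstractString)
    open(path, "r") do io
        bytes2hex(sha256(io))
    end
end

# Constant-time comparison of two hex digests (no early exit on the first differing byte).
function digests_equal(a::AbstractString, b::AbstractString)
    length(a) == length(b) || return false
    diff = 0x00
    for (x, y) in zip(codeunits(a), codeunits(b))
        diff |= x ⊻ y
    end
    return diff == 0x00
end

# `fetch!(tmp)` writes the remote artifact to `tmp` (caller-supplied; assumed).
# The file only reaches `dest` if its digest matches; otherwise it is deleted and
# a HashMismatch is thrown, so a substituted download is never unpacked or run.
function fetch_verified(fetch!::Function, dest::AbstractString, expected_sha256::AbstractString)
    expected = lowercase(expected_sha256)
    tmp = tempname()
    try
        fetch!(tmp)
        actual = sha256_hex(tmp)
        digests_equal(expected, actual) || throw(HashMismatch(dest, expected, actual))
        mv(tmp, dest; force=true)
    finally
        isfile(tmp) && rm(tmp)  # clean up on any failure; no-op after a successful mv
    end
    return dest
end

# Constructed demo: the pinned digest is sha256("hello world\n").
good = "a948904f2f0f479b8f8197694b30184b0d2ed1c1cd2a1ec0fb85d299a192a447"
out = joinpath(tempdir(), "artifact.txt")
fetch_verified(d -> write(d, "hello world\n"), out, good)   # accepted
try
    fetch_verified(d -> write(d, "tampered\n"), out, good)  # rejected, file removed
catch e
    e isa HashMismatch && println("rejected download, got ", e.actual)
end
```

A Pkg-level enforcement would wrap every download made during build in a check like this and refuse builds whose `deps/build.jl` supplies no digest at all.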
