[Secure-testing-team] Bug#816063: emacs24: TLS certificate validation is silently broken

Nathaniel Smith njs at pobox.com
Sat Feb 27 05:34:33 UTC 2016


Package: emacs24
Version: 24.5+1-6+b1
Severity: serious
Tags: security
Justification: 5(b) of https://release.debian.org/testing/rc_policy.txt

Debian's emacs builds are linked against gnutls:

(gnutls-available-p)
t

By default, they aren't configured to validate TLS certificates,
leaving users open to trivial MITM attacks:

(require 'gnutls)
gnutls-verify-error
nil

(url-retrieve-synchronously "https://wrong.host.badssl.com")
#<buffer  *http wrong.host.badssl.com:443*>
(url-retrieve-synchronously "https://self-signed.badssl.com")
#<buffer  *http self-signed.badssl.com:443*>

Okay, fine, but at least it is easy to turn this on:

(setq gnutls-verify-error t)

There are even some nice docs explaining how and why to do this:
   https://glyph.twistedmatrix.com/2015/11/editor-malware.html
(Short version: if you aren't using https for the package servers --
#797477 -- and haven't enabled TLS checking, and ever run
package-install over coffee-shop wifi, then congratulations, you've
just allowed anyone within wifi range to execute arbitrary code on
your user account.)

However, Debian's emacs24 somehow manages to be so broken that turning
on cert verification via (setq gnutls-verify-error t) *doesn't
work*. The docs say it should work, and explain in detail how to
configure finding the CA trust store (this is configured correctly
out-of-the-box on Debian). And sometimes I've even had it fail on
https://wrong.host.badssl.com after setting this (but not
always). However, it always happily loads
https://self-signed.badssl.com, which means it's providing no
protection at all against MITM attacks.

Bottom line: even if you configure everything correctly, Debian's
emacs will still happily execute whatever random code your barista
gives you.

The only way I've found to work around this and get a minimally-secure
setup is to add the following extremely simple and obvious incantation
to my .emacs:

;; Monkeypatch emacs so that it doesn't think gnutls is compiled in
(if (fboundp 'gnutls-available-p)
    (fmakunbound 'gnutls-available-p))
;; Force emacs to use gnutls-cli *without* the --insecure flag it
;; defaults to. (Note that the --x509cafile argument here depends on
;; your distro; this is correct for Debian.)
(setq tls-program
      '("gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt -p %p %h"))
;; Not sure if this is necessary, but it certainly doesn't hurt
(setq tls-checktrust t)

and then doing 'apt install gnutls-bin'.

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (900, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.3.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages emacs24 depends on:
ii  emacs24-bin-common     24.5+1-6+b1
ii  gconf-service          3.2.6-3
ii  libacl1                2.2.52-3
ii  libasound2             1.1.0-1
ii  libatk1.0-0            2.18.0-1
ii  libc6                  2.21-9
ii  libcairo-gobject2      1.14.6-1
ii  libcairo2              1.14.6-1
ii  libdbus-1-3            1.10.6-1
ii  libfontconfig1         2.11.0-6.3
ii  libfreetype6           2.6.1-0.1
ii  libgconf-2-4           3.2.6-3
ii  libgdk-pixbuf2.0-0     2.32.3-1.2
ii  libgif7                5.1.2-0.2
ii  libglib2.0-0           2.46.2-3
ii  libgnutls30            3.4.9-2
ii  libgomp1               5.3.1-8
ii  libgpm2                1.20.4-6.1+b2
ii  libgtk-3-0             3.18.7-1
ii  libice6                2:1.0.9-1+b1
ii  libjpeg62-turbo        1:1.4.2-2
ii  libm17n-0              1.7.0-3
ii  libmagickcore-6.q16-2  8:6.8.9.9-7+b1
ii  libmagickwand-6.q16-2  8:6.8.9.9-7+b1
ii  libotf0                0.9.13-3
ii  libpango-1.0-0         1.38.1-1
ii  libpangocairo-1.0-0    1.38.1-1
ii  libpng12-0             1.2.54-3
ii  librsvg2-2             2.40.11-2
ii  libselinux1            2.4-3
ii  libsm6                 2:1.2.2-1+b1
ii  libtiff5               4.0.6-1
ii  libtinfo5              6.0+20151024-2
ii  libx11-6               2:1.6.3-1
ii  libxft2                2.3.2-1
ii  libxinerama1           2:1.1.3-1+b1
ii  libxml2                2.9.3+dfsg1-1
ii  libxpm4                1:3.5.11-1+b1
ii  libxrandr2             2:1.5.0-1
ii  libxrender1            1:0.9.9-2
ii  zlib1g                 1:1.2.8.dfsg-2+b1

emacs24 recommends no packages.

Versions of packages emacs24 suggests:
pn  emacs24-common-non-dfsg  <none>

-- no debconf information
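As an added example (not part of this bug report, of Debian's packaging, or of Emacs itself): the manual checks against badssl.com above can be turned into an init-file self-test, so that the workaround (or any later fix) is verified empirically at startup instead of being trusted because a variable is set. The function fetches hosts that a validating client must refuse and raises a warning if any succeeds. The `my/` names are assumptions, `expired.badssl.com` is an assumed extra test host from the same service as the two used in the report, and the check needs network access to run.

```elisp
;; Added example, not from the bug report: an init-file self-test that
;; checks whether this Emacs actually rejects bad certificates.  Put it
;; after your TLS settings (e.g. the tls-program workaround) and run
;; M-x my/tls-self-test before trusting package-install over https.
(require 'url)

(defconst my/tls-bad-cert-urls
  '("https://self-signed.badssl.com/"   ; host used in the report
    "https://wrong.host.badssl.com/"    ; host used in the report
    "https://expired.badssl.com/")      ; assumed extra host, same service
  "URLs that a correctly validating TLS client must refuse to fetch.")

(defun my/tls-accepts-bad-cert-p (url)
  "Return non-nil if fetching URL yields a response buffer.
Any signalled error (e.g. `gnutls-error', or url-http's \"Could not
create connection\") or a nil result is taken to mean the connection
was refused, which is the behaviour we want for these hosts."
  (condition-case nil
      (let ((buf (url-retrieve-synchronously url)))
        (prog1 (and buf (buffer-live-p buf) t)
          (when (buffer-live-p buf) (kill-buffer buf))))
    (error nil)))

(defun my/tls-self-test ()
  "Probe each URL in `my/tls-bad-cert-urls' and report the ones accepted.
Returns the list of accepted URLs; nil means every bad certificate was
rejected.  A non-empty list is also shown as an emergency warning so
that it cannot be missed at startup."
  (interactive)
  (let (accepted)
    (dolist (url my/tls-bad-cert-urls)
      (when (my/tls-accepts-bad-cert-p url)
        (push url accepted)))
    (setq accepted (nreverse accepted))
    (if accepted
        (display-warning
         'security
         (format "TLS certificate validation is NOT working; Emacs accepted: %s"
                 (mapconcat #'identity accepted ", "))
         :emergency)
      (message "TLS self-test OK: all %d bad certificates were rejected"
               (length my/tls-bad-cert-urls)))
    accepted))
```

Call `(my/tls-self-test)` at the very end of the init file, after the TLS configuration, or run it interactively; an empty result is the only acceptable outcome, and the report's own transcript (a buffer returned for self-signed.badssl.com) is exactly the failure it catches. If you use the external-program workaround, keep `tls-checktrust` set to `t` rather than `ask`: with `ask`, tls.el prompts the user about an untrusted certificate instead of failing, which would block an unattended check.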
