diff options
author | 2014-09-18 17:07:17 -0400 | |
---|---|---|
committer | 2014-09-18 17:26:12 -0400 | |
commit | 2fb7ad68637cc4e1092f835055a974f141808ca0 (patch) | |
tree | 7eb01f96fb0b8a98702826365f726340c1bc3ab9 /debian | |
parent | 0a4fbdf1713b32174b87ca212101d7928170dee3 (diff) |
glacier, S3: Fix bug that caused embedded creds to not be encypted using the remote's key.
encryptionSetup must be called before setRemoteCredPair. Otherwise,
the RemoteConfig doesn't have the cipher in it, and so no cipher is used to
encrypt the embedded creds.
This is a security fix for non-shared encryption methods!
For encryption=shared, there's no security problem, just an
inconsistentency in whether the embedded creds are encrypted.
This is very important to get right, so used some types to help ensure that
setRemoteCredPair is only run after encryptionSetup. Note that the external
special remote bypasses the type safety, since creds can be set after the
initial remote config, if the external special remote program requests it.
Also note that IA remotes never use encryption, so encryptionSetup is not
run for them at all, and again the type safety is bypassed.
This leaves two open questions:
1. What to do about S3 and glacier remotes that were set up
using encryption=pubkey/hybrid with embedcreds?
Such a git repo has a security hole embedded in it, and this needs to be
communicated to the user. Is the changelog enough?
2. enableremote won't work in such a repo, because git-annex will
try to decrypt the embedded creds, which are not encrypted, so fails.
This needs to be dealt with, especially for ecryption=shared repos,
which are not really broken, just inconsistently configured.
Noticing that problem for encryption=shared is what led to commit
cc54ff9e49260cd94f938e69e926a273e231ef4e, which tried to
fix the problem by not decrypting the embedded creds.
This commit was sponsored by Josh Taylor.
Diffstat (limited to 'debian')
-rw-r--r-- | debian/changelog | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/debian/changelog b/debian/changelog index 91b2c8986..ffb760b7b 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,5 +1,8 @@ git-annex (5.20140916) UNRELEASED; urgency=medium + * Security fix for S3 and glacier when using embedcreds=yes with + encryption=pubkey or encryption=hybrid. + The creds embedded in the git repo were *not* encrypted. * assistant: Detect when repository has been deleted or moved, and automatically shut down the assistant. Closes: #761261 * Windows: Avoid crashing trying to list gpg secret keys, for gcrypt @@ -8,8 +11,6 @@ git-annex (5.20140916) UNRELEASED; urgency=medium (Bug introduced in version 5.20140817.) * add: In direct mode, adding an annex symlink will check it into git, as was already done in indirect mode. - * Fix reversion in handling creds with encryption=shared embedcreds=yes - introduced in 5.20140817. -- Joey Hess <joeyh@debian.org> Mon, 15 Sep 2014 14:39:17 -0400 |