Discussion:
[RCD] Cryptographic signatures for release tags or tarballs
Guilhem Moulin
9 years ago
Hi there,

Your download page lists the SHA256 checksums of the tarballs to let
users verify the integrity of the downloaded file(s). To address a
different threat model and offer integrity verification of cryptographic
quality [0], please also consider signing your git tags (with ‘git tag
--sign’), and/or provide detached cryptographic signatures for the
future release tarballs.

As far as Debian is concerned a detached OpenPGP signature would be
preferable since our packaging tools can automatically download tarballs
and cryptographically verify their integrity in one go. Assuming you
have an OpenPGP key [1], an ASCII armored (.asc) detached signature can
be generated with

gpg --armor --detach-sign /path/to/roundcubemail-x.y.z.tar.gz


Completely unrelated, please note that the “1.1.3 — Dependent” tarball
includes moxieplayer.swf, while the last mention of moxieplayer in your
changelog says “TinyMCE security issue: removed moxieplayer (embedding
flv and mp4 is not supported anymore)”. Was it re-added by mistake?
(Anyway that file violates the DFSG and will be removed from the
upcoming 1.1.3 Debian packages.)

Thanks!
Cheers,
--
Guilhem.

[0] Fair enough, your checksums are delivered over HTTPS. But an
attacker breaking into your web server could fool us all. On the
other hand cryptographic signatures raise the bar by far (assuming
they are generated on the devs' platform). Furthermore OpenPGP is
independent of (and orthogonal to) the X.509 PKI in general, and the
CA cartel in particular, hence addresses a different threat model.

[1] Otherwise there are numerous tutorials available online. The Debian
project has its own on http://keyring.debian.org/creating-key.html .
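
As an added example (not from the thread, and not Roundcube's or Debian's own tooling), the following POSIX shell script plays both sides of what Guilhem describes: a throwaway key signs a constructed stand-in tarball with the ‘gpg --armor --detach-sign’ step above, and the consumer then runs the SHA256 check and the detached-signature check, first on the genuine file and then after a simulated web-server compromise that swaps both the tarball and the posted checksum. The key name, file paths and tarball content are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: maintainer-side signing and the
# consumer-side checks, showing why a checksum hosted next to the tarball
# does not survive a web-server compromise while a detached OpenPGP
# signature does. Key name, paths and tarball content are constructed.
set -eu

# Consumer side: SHA256 check against a value read from the download page.
check_sha256() {  # $1 = expected hex digest, $2 = file
    [ "$(sha256sum "$2" | cut -d' ' -f1)" = "$1" ]
}

# Consumer side: verify a detached .asc against a keyring obtained out of band
# (Debian's packaging tools read it from debian/upstream/signing-key.asc).
verify_release() {  # $1 = tarball, $2 = detached signature, $3 = keyring
    gpg --batch --no-default-keyring --keyring "$3" \
        --verify "$2" "$1" >/dev/null 2>&1
}

# Release, compromise and verification in a throwaway GNUPGHOME. Returns 0
# when the checksum is fooled by the compromise but the signature is not.
demo() {
    work=$(mktemp -d); export GNUPGHOME="$work/gnupg"; mkdir -m 700 "$GNUPGHOME"
    tarball="$work/roundcubemail-x.y.z.tar.gz"    # constructed stand-in content
    printf 'genuine release\n' > "$tarball"
    # Maintainer side: throwaway key, the detach-sign step from the thread,
    # the exported public key and the checksum to publish.
    gpg --batch --pinentry-mode loopback --passphrase '' --quick-gen-key \
        'Demo Release Key <release@example.invalid>' default default never >/dev/null 2>&1
    gpg --batch --armor --detach-sign "$tarball"            # writes $tarball.asc
    gpg --batch --export --output "$work/upstream-key.gpg" release@example.invalid
    published_sum=$(sha256sum "$tarball" | cut -d' ' -f1)
    # Honest download: both checks pass.
    check_sha256 "$published_sum" "$tarball" || return 1
    verify_release "$tarball" "$tarball.asc" "$work/upstream-key.gpg" || return 1
    # Web-server compromise: tarball and posted checksum are both replaced,
    # but the intruder never had the signing key.
    printf 'tampered release\n' > "$tarball"
    published_sum=$(sha256sum "$tarball" | cut -d' ' -f1)
    check_sha256 "$published_sum" "$tarball" || return 1   # checksum is fooled
    if verify_release "$tarball" "$tarball.asc" "$work/upstream-key.gpg"; then
        return 1                                           # signature must fail
    fi
    rm -rf "$work"
}
```

Call demo from a shell with gpg installed; it returns 0 only when the signature check catches the tampering that the checksum misses.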
A.L.E.C
9 years ago
Post by Guilhem Moulin
Completely unrelated, please note that the “1.1.3 — Dependent” tarball
includes moxieplayer.swf, while the last mention of moxieplayer in your
changelog says “TinyMCE security issue: removed moxieplayer (embedding
flv and mp4 is not supported anymore)”. Was it re-added by mistake?
(Anyway that file violates the DFSG and will be removed from the
upcoming 1.1.3 Debian packages.)
The file was re-added with update to TinyMCE 4.x. I don't know if it's
still vulnerable, the file is in a newer version according to git.

Thomas, do you remember what vulnerability it was?
--
Aleksander 'A.L.E.C' Machniak
Kolab Groupware Developer [http://kolab.org]
Roundcube Webmail Developer [http://roundcube.net]
---------------------------------------------------
PGP: 19359DC1 @@ GG: 2275252 @@ WWW: http://alec.pl
Thomas Bruederli
9 years ago
...
Finally I found it. I just forwarded the original report to you. And
here's a related commit which removed that file back in 2011:
https://github.com/roundcube/roundcubemail/commit/d6284b4d22d1e

According to this page http://cxsecurity.com/issue/WLB-2013070017
the vulnerability has been fixed in TinyMCE 4.0 which we have in Roundcube 1.1.

Cheers,
Thomas
A.L.E.C
9 years ago
Post by Thomas Bruederli
According to this page http://cxsecurity.com/issue/WLB-2013070017
the vulnerability has been fixed in TinyMCE 4.0 which we have in Roundcube 1.1.
And I couldn't reproduce the described issue anymore.
--
Aleksander 'A.L.E.C' Machniak
Kolab Groupware Developer [http://kolab.org]
Roundcube Webmail Developer [http://roundcube.net]
---------------------------------------------------
PGP: 19359DC1 @@ GG: 2275252 @@ WWW: http://alec.pl