I've updated the version of setup.exe at <http://cygwin.com/setup.exe> to version 2.573.2.3.
This version incorporates major new security-related features and a number of bug fixes, as listed below. No action is required by maintainers of standard Cygwin mirrors, but maintainers of customised package repositories will need to take action. Please see the "Custom Mirrors" section below for more information.

SECURITY ISSUES
===============

This release fixes the security vulnerability CVE-2008-3323 identified by Derek Callaway of Security Objectives.[1][2][3] Derek observed that there was no protection against a corrupt mirror, a DNS hijacker or any other MitM feeding a modified setup.ini file to setup.exe and thereby causing it to download and install a maliciously-modified package tarball.

To verify that users are not fed a malicious setup.ini, we have instituted GPG signing of setup.ini, setup.bz2, and their -1.7 equivalents on the Cygwin.com website. Setup.exe now contains a public key, and verifies any of the setup index files it downloads against that key. If an index file fails to verify, or no .sig file is present on the mirror, setup.exe refuses to accept the untrusted index file.

By guaranteeing that setup.exe only accepts genuine index files, we can guarantee that the md5sums in those index files are untampered; as setup.exe verifies the md5sums of downloaded packages against those given in the setup index file and rejects any that don't match as corrupt downloads, Cygwin users are protected against a malicious mirror attempting to manipulate package tarballs, setup index files, or both.

The public key used in signing these files is appended below; it can be cut and pasted from this email into "gpg --import" at the command-line. It can also be used to verify setup.exe itself, which is also signed on cygwin.com.[4] If we, from time to time, need to change this key, we will release a new version of setup.exe and make announcements on the cygwin and cygwin-announce mailing lists, and on the cygwin.com website.
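As an added illustration (not setup.exe's own code), this Python model shows the trust chain just described: the index is accepted only when its detached signature verifies (or when the caller opts out, the -X/--no-verify case), and a package is accepted only when its md5 matches the install: line of that trusted index. The gpg subprocess call is assumed to have the signing key in its keyring; the sample setup.ini and sample tarball bytes are constructed here.

```python
import hashlib
import re
import subprocess
import tempfile

# Constructed sample package bytes and a minimal setup.ini whose install: line
# carries that tarball's path, size and md5 (the layout real setup.ini files use).
SAMPLE_TARBALL = b"constructed sample payload standing in for a package tarball\n"
SAMPLE_MD5 = hashlib.md5(SAMPLE_TARBALL).hexdigest()
SAMPLE_SETUP_INI = (
    "setup-timestamp: 1214000000\n"
    "@ example-pkg\n"
    'sdesc: "Constructed sample package"\n'
    "version: 1.0-1\n"
    f"install: release/example-pkg/example-pkg-1.0-1.tar.bz2 {len(SAMPLE_TARBALL)} {SAMPLE_MD5}\n"
).encode()

INSTALL_RE = re.compile(r"^install: (\S+) (\d+) ([0-9a-f]{32})$")


def gpg_verify(index: bytes, sig: bytes) -> bool:
    """Detached-signature check via the gpg binary (assumed installed and holding
    the signing key). Default verifier; tests inject a stand-in instead."""
    with tempfile.NamedTemporaryFile() as idx, tempfile.NamedTemporaryFile() as sg:
        idx.write(index); idx.flush(); sg.write(sig); sg.flush()
        return subprocess.run(["gpg", "--verify", sg.name, idx.name],
                              capture_output=True).returncode == 0


def parse_index(text: str) -> dict:
    """Map package name -> (path, size, md5) from the first install: line after
    each '@ name' header; later [prev]/[test] install lines are ignored."""
    pkgs, current = {}, None
    for line in text.splitlines():
        if line.startswith("@ "):
            current = line[2:].strip()
        elif (m := INSTALL_RE.match(line)) and current and current not in pkgs:
            pkgs[current] = (m.group(1), int(m.group(2)), m.group(3))
    return pkgs


def load_index(index: bytes, sig, verify=gpg_verify, no_verify=False) -> dict:
    """Accept the index only if its detached signature verifies. A missing .sig
    is refused too, unless the caller opted out (the -X/--no-verify case)."""
    if not no_verify and (sig is None or not verify(index, sig)):
        raise ValueError("untrusted setup.ini: signature missing or invalid")
    return parse_index(index.decode())


def check_package(entry: tuple, data: bytes) -> bool:
    """The md5 from the trusted index is what the downloaded tarball is judged by."""
    return hashlib.md5(data).hexdigest() == entry[2]
```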
CUSTOM MIRRORS
==============

Maintainers of standard mirrors of the upstream cygwin.com/sourceware.org public repository need take no action. There will be no impact from these changes apart from the presence of the new .sig files alongside the existing setup.ini/setup.bz2 et al.

Maintainers of customised repositories will be impacted. Read on for details and mitigation.

Without taking action, the new version of setup.exe will refuse to install from your repositories when it fails to find a valid signature for your customised setup.ini files. There are a number of options open to you and your users to deal with this situation. Unfortunately this is only the first release of this feature and it currently requires the use of command-line options to modify the signature-verification behaviour; we apologise that pressure of time and manpower resources has not allowed us to develop more user-friendly features initially, and would like to work with package repository maintainers to improve the usability of future versions of setup.exe for them and their users. Please direct suggestions for improved mechanisms, bug-reports, and (especially!) offers of help to the cygwin-apps list.

This list summarizes the main possibilities, in decreasing order of worstness:

1) Tell your users that they must retain and use an old version of setup.exe to access your mirror. This old version will not complain about the lack of signature files.

2) Tell your users to supply the new -X (--no-verify) command-line flag when using setup.exe to download from your mirror. This can be added into the command-line invocation in a Windows shortcut, for convenience.
3) Start signing your custom-generated setup.ini and setup.bz2 files with gpg, and either

   - i) Convert your public key to s-expr format using the script gpg-key-to-s-expr.sh from the setup.exe sources[5] (requires an installation of pgpdump[6]), distribute it to your users, and ask them to specify it as the argument to the -S command-line option (can be done using a shortcut to save repetition).

   - ii) Convert your public key to s-expr format, distribute it to your users, and tell them to use the -S option once to load it into the untrusted keys cache and the -U option subsequently.

   - iii) Distribute your public key file to users in binary gpg format, and tell them to use the -K command-line option to point at it, either every time, or just initially to load it into the untrusted keys cache, followed by use of -U on subsequent occasions.

We're aware that this is not entirely convenient, but the security relies on users only knowingly accepting keys; if we had setup.exe just look for a key file on the mirror itself, it would no longer protect against a corrupt mirror. We look forward to working with you to make it more convenient for both you and your users.

NEW FEATURES
============

- Signature verification of setup index files.

NEW COMMAND-LINE OPTIONS
========================

 -X --no-verify             Don't verify setup.ini signatures
 -K --pubkey                Path to extra public key file (gpg format)
 -S --sexpr-pubkey          Extra public key in s-expr format
 -u --untrusted-keys        Use untrusted keys from last-extrakeys
 -U --keep-untrusted-keys   Use untrusted keys and retain all

MINOR BUGFIXES
==============

- Revert to using the original "setup_9x.ini" filename for (no-longer supported) Win9X installations.
- Fix for potential crash with missing package-cache files.
- Fix for crashes caused by corrupted package listing files.
- Fix for potential double-free crash bug.
REFERENCES
==========

[1] - http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3323
[2] - http://www.security-objectives.com/advisories/SECOBJADV-2008-02.txt
[3] - http://bugzilla.redhat.com/show_bug.cgi?id=449929
[4] - http://cygwin.com/setup.exe.sig
[5] - http://cygwin.com/cgi-bin/cvsweb.cgi/setup/gpg-key-to-s-expr.sh?cvsroot=cygwin-apps (aka http://tinyurl.com/cygwin-gpg-key-to-s-expr)
[6] - http://www.mew.org/~kazu/proj/pgpdump/
[7] - http://www.pgpdump.net/

CYGWIN SETUP SIGNING PUBLIC KEY
===============================

This is the public half of the key used to sign Cygwin setup files. It can be used to verify your initial download of setup.exe from the Cygwin website; download the .sig file and the .exe to the same directory, and run "gpg --verify setup.exe.sig" from a Bash or other shell command-line. You can import the key to your gpg keyring by running "gpg --import" and then cutting and pasting the public key block below directly into your shell, or you can save this message to a text file and run

Primary key fingerprint: 1169 DF9F 2273 4F74 3AA5 9232 A9A2 62FF 6760 41BA
DSA key ID 676041BA

pub   1024D/676041BA 2008-06-13
uid                  Cygwin <cygwin@cygwin.com>
sub   1024g/A1DB7B5C 2008-06-13

cheers,
  DaveK
-- 
Can't think of a witty .sigline today....