Package: emacs24
Version: 24.5+1-6+b1
Severity: serious
Tags: security
Justification: 5(b) of https://release.debian.org/testing/rc_policy.txt

Debian's emacs builds are linked against gnutls:

  (gnutls-available-p)
  t

By default, they aren't configured to validate TLS certificates, leaving
users open to trivial MITM attacks:

  (require 'gnutls)
  gnutls-verify-error
  nil
  (url-retrieve-synchronously "https://wrong.host.badssl.com")
  #<buffer *http wrong.host.badssl.com:443*>
  (url-retrieve-synchronously "https://self-signed.badssl.com")
  #<buffer *http self-signed.badssl.com:443*>

Okay, fine, but at least it is easy to turn this on:

  (setq gnutls-verify-error t)

There are even some nice docs explaining how and why to do this:
https://glyph.twistedmatrix.com/2015/11/editor-malware.html

(Short version: if you aren't using https for the package servers --
#797477 -- and haven't enabled TLS checking, and ever run
package-install over coffee-shop wifi, then congratulations, you've
just allowed anyone within wifi range to execute arbitrary code on
your user account.)

However, Debian's emacs24 somehow manages to be so broken that turning
on cert verification via (setq gnutls-verify-error t) *doesn't work*.
The docs say it should work, and explain in detail how to configure
finding the CA trust store (this is configured correctly
out-of-the-box on Debian). And sometimes I've even had it fail on
https://wrong.host.badssl.com after setting this (but not always).
However, it always happily loads https://self-signed.badssl.com, which
means it's providing no protection at all against MITM attacks.

Bottom line: even if you configure everything correctly, Debian's
emacs will still happily execute whatever random code your barista
gives you.

The only way I've found to work around this and get a minimally-secure
setup is to add the following extremely simple and obvious incantation
to my .emacs:

  ;; Monkeypatch emacs so that it doesn't think gnutls is compiled in
  (if (fboundp 'gnutls-available-p)
      (fmakunbound 'gnutls-available-p))

  ;; Force emacs to use gnutls-cli *without* the --insecure flag it
  ;; defaults to. (Note that the --x509cafile argument here depends on
  ;; your distro; this is correct for Debian.)
  (setq tls-program
        '("gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt -p %p %h"))

  ;; Not sure if this is necessary, but it certainly doesn't hurt
  (setq tls-checktrust t)

and then doing 'apt install gnutls-bin'.

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (900, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.3.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages emacs24 depends on:
ii  emacs24-bin-common     24.5+1-6+b1
ii  gconf-service          3.2.6-3
ii  libacl1                2.2.52-3
ii  libasound2             1.1.0-1
ii  libatk1.0-0            2.18.0-1
ii  libc6                  2.21-9
ii  libcairo-gobject2      1.14.6-1
ii  libcairo2              1.14.6-1
ii  libdbus-1-3            1.10.6-1
ii  libfontconfig1         2.11.0-6.3
ii  libfreetype6           2.6.1-0.1
ii  libgconf-2-4           3.2.6-3
ii  libgdk-pixbuf2.0-0     2.32.3-1.2
ii  libgif7                5.1.2-0.2
ii  libglib2.0-0           2.46.2-3
ii  libgnutls30            3.4.9-2
ii  libgomp1               5.3.1-8
ii  libgpm2                1.20.4-6.1+b2
ii  libgtk-3-0             3.18.7-1
ii  libice6                2:1.0.9-1+b1
ii  libjpeg62-turbo        1:1.4.2-2
ii  libm17n-0              1.7.0-3
ii  libmagickcore-6.q16-2  8:6.8.9.9-7+b1
ii  libmagickwand-6.q16-2  8:6.8.9.9-7+b1
ii  libotf0                0.9.13-3
ii  libpango-1.0-0         1.38.1-1
ii  libpangocairo-1.0-0    1.38.1-1
ii  libpng12-0             1.2.54-3
ii  librsvg2-2             2.40.11-2
ii  libselinux1            2.4-3
ii  libsm6                 2:1.2.2-1+b1
ii  libtiff5               4.0.6-1
ii  libtinfo5              6.0+20151024-2
ii  libx11-6               2:1.6.3-1
ii  libxft2                2.3.2-1
ii  libxinerama1           2:1.1.3-1+b1
ii  libxml2                2.9.3+dfsg1-1
ii  libxpm4                1:3.5.11-1+b1
ii  libxrandr2             2:1.5.0-1
ii  libxrender1            1:0.9.9-2
ii  zlib1g                 1:1.2.8.dfsg-2+b1

emacs24 recommends no packages.

Versions of packages emacs24 suggests:
pn  emacs24-common-non-dfsg  <none>

-- no debconf information
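Added example, not part of the bug report above: an Emacs Lisp self-check that applies the hardened settings the report arrives at (gnutls-verify-error, tls-checktrust, and a gnutls-cli tls-program without --insecure) and then confirms, against the two badssl.com hosts the report uses, that invalid certificates are actually rejected rather than trusting that the variables took effect. It assumes Emacs 24 with url.el, the Debian CA bundle path from the report, and network access to the test hosts; every name prefixed my/ is hypothetical.

```elisp
;;; tls-self-check.el --- check that this Emacs really rejects bad certificates
;; Added example, not part of the bug report.  Assumes Emacs 24 with url.el,
;; Debian's CA bundle path from the report, and the two badssl.com test hosts
;; the report uses.  All my/... names are hypothetical.

(require 'url)
(require 'gnutls nil t)   ; absent when Emacs was built without GnuTLS; harmless

;; Hardened settings, in the spirit of the report's workaround: verify with the
;; built-in GnuTLS if it is used, and with gnutls-cli (no --insecure) otherwise.
(setq gnutls-verify-error t)
(setq tls-checktrust t)
(setq tls-program
      '("gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt -p %p %h"))

(defconst my/tls-must-fail-urls
  '("https://wrong.host.badssl.com"    ; certificate name does not match host
    "https://self-signed.badssl.com")  ; not issued by a trusted CA
  "Hosts whose certificates must be rejected; a successful fetch is a bug.")

(defun my/tls-backend ()
  "Describe which TLS path `url-retrieve' will take in this Emacs."
  (cond ((not (fboundp 'gnutls-available-p)) "tls.el via gnutls-cli")
        ((gnutls-available-p) "built-in GnuTLS")
        (t "no TLS support")))

(defun my/tls-fetch-succeeds-p (url)
  "Return non-nil if fetching URL produced an HTTP response.
That can only happen if the TLS handshake completed, so for a host with an
invalid certificate a non-nil result means no verification took place.
Errors signalled during the fetch (the correct outcome) yield nil."
  (condition-case nil
      (let ((buf (url-retrieve-synchronously url)))
        (unwind-protect
            (and buf
                 (with-current-buffer buf
                   (goto-char (point-min))
                   (looking-at "HTTP/")))
          (when buf (kill-buffer buf))))
    (error nil)))

(defun my/tls-self-check (&optional good-url)
  "Fetch every URL in `my/tls-must-fail-urls' and report those wrongly accepted.
With GOOD-URL, also confirm that a host with a valid certificate still loads,
so the setup is not merely failing everything.  Returns the list of bad URLs
that were accepted; nil means every invalid certificate was rejected."
  (interactive)
  (let (accepted)
    (dolist (url my/tls-must-fail-urls)
      (when (my/tls-fetch-succeeds-p url)
        (push url accepted)))
    (setq accepted (nreverse accepted))
    (when (and good-url (not (my/tls-fetch-succeeds-p good-url)))
      (message "Warning: known-good %s also failed; check the CA bundle path"
               good-url))
    (if accepted
        (message "TLS verification NOT effective (%s): accepted %S"
                 (my/tls-backend) accepted)
      (message "TLS verification OK (%s): all invalid certificates rejected"
               (my/tls-backend)))
    accepted))
```

Load the file and run M-x my/tls-self-check (or call it with a URL you know has a valid certificate as GOOD-URL). A nil return means both test hosts were rejected on the backend named in the message; a non-nil return reproduces the report's finding that the settings are not being honoured. The check works unchanged with the report's fmakunbound monkeypatch in place, since it only observes whether a handshake to a bad host completed, and the optional good-URL check guards against a configuration that looks secure only because every connection fails, for example a wrong --x509cafile path.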