Luca Boccassi <bl...@debian.org> writes:
> On Wed, 12 Jun 2024 at 17:46, Russ Allbery <r...@debian.org> wrote:

>> I'm not sure that I understand what you're saying here, but if I did
>> understand this correctly, no, this is not correct.  My security review
>> says the exact opposite of this: admin access to Salsa does not allow
>> you to bypass the tag2upload checks or upload a source package.

> Probably "push commits anyway" was a wrong oversimplification, what I
> was referring to was all the various "someone with admin access on
> Salsa" mentions on the document you shared.

Hm, I think you're referring to this section?

| - Administrative access to Salsa would make SHA-1 collision attacks
|   easier, as discussed below. However, this still assumes the attacker
|   is able to create Git trees with colliding hash digests.
| 
| - Security vulnerabilities in the Git client used by the tag2upload
|   source package construction sandbox could be exploited by a malicious
|   Salsa Git server to compromise the VM and introduce malicious code
|   into the source package it constructs. Since a malicious Git server
|   could similarly be used to compromise the systems of the numerous
|   Debian contributors who use Salsa via Git clients regularly, I don't
|   believe this introduces substantial new risk, but it does create a new
|   avenue of attack that is possibly less likely to be detected.

I think those are the only two places where administrative access to Salsa
helps attack tag2upload specifically.  Those are the two that I mentioned
in the security review.

Administrative access to Salsa could be abused to do other things earlier
in the workflow unrelated to tag2upload, although a lot of them would be
easily detected by anyone with an existing Git checkout once they tried to
update it because they would require force pushes.

-- 
Russ Allbery (r...@debian.org)              <https://www.eyrie.org/~eagle/>
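The last paragraph's point, that history rewrites on the server need a force push and are therefore noticed by anyone with an existing checkout, can be shown end to end. The script below is an added example, not part of the thread or of tag2upload; the server, maintainer and bystander repositories it builds are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the thread: a history rewrite on the server (the
# kind of change that needs a force push) is caught by any pre-existing
# checkout on its next fetch, because the tip it already had is no longer
# an ancestor of the new tip. All repositories and names are constructed.
set -e

# Usage: detect_rewrite CHECKOUT REMOTE BRANCH
# Prints "fast-forward" if the remote branch only gained commits, or
# "REWRITTEN" if history the checkout already had was replaced.
detect_rewrite() {
    old=$(git -C "$1" rev-parse "refs/remotes/$2/$3")
    git -C "$1" fetch -q "$2" 2>/dev/null   # default refspec is forced (+), so
    new=$(git -C "$1" rev-parse "refs/remotes/$2/$3")   # the tracking ref moves either way
    if git -C "$1" merge-base --is-ancestor "$old" "$new"; then
        echo fast-forward
    else
        echo REWRITTEN
    fi
}

# Builds a throwaway bare server, a maintainer clone and a bystander clone,
# then runs detect_rewrite after a normal push and after a forced rewrite.
demo() {
    export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
    export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid
    work=$(mktemp -d)
    server="$work/server.git"; m="$work/maintainer"; b="$work/bystander"
    git init -q --bare "$server" 2>/dev/null
    git clone -q "$server" "$m" 2>/dev/null
    echo v1 > "$m/f"; git -C "$m" add f; git -C "$m" commit -qm v1
    git -C "$m" push -q origin HEAD 2>/dev/null
    branch=$(git -C "$m" symbolic-ref --short HEAD)
    git clone -q "$server" "$b" 2>/dev/null   # bystander now holds commit v1

    echo v2 > "$m/f"; git -C "$m" commit -qam v2
    git -C "$m" push -q origin HEAD 2>/dev/null
    first=$(detect_rewrite "$b" origin "$branch")

    echo tampered > "$m/f"; git -C "$m" commit -q --amend -am 'v2 rewritten'
    git -C "$m" push -q --force origin HEAD 2>/dev/null
    second=$(detect_rewrite "$b" origin "$branch")

    rm -rf "$work"
    echo "$first $second"   # prints: fast-forward REWRITTEN
}

demo
```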
