
Bug 565410

Summary: <sci-mathematics/octave-4.2.0: insecure internal package manager
Product: Gentoo Security
Reporter: Fedja Beader <fedja>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: fedja, sci-mathematics
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://octave.1599824.n4.nabble.com/Insecure-downloading-of-octave-forge-packages-td4673520.html
Whiteboard: B4 [noglsa]
Package list:
=sci-mathematics/octave-4.2.0-r2 amd64 hppa ppc ppc64 x86
Runtime testing required: ---
Bug Depends on: 603072, 604418, 604866    
Bug Blocks:    

Description Fedja Beader 2015-11-10 19:58:51 UTC
Download phase:

Octave's pkg subprogram (scripts/pkg/pkg.m:392) upon being issued
"pkg install -forge <package_name>" from the interpreter or other
code calls get_forge_download (scripts/pkg/private/get_forge_download.m)
which calls get_forge_pkg (scripts/pkg/private/get_forge_pkg.m).
This function returns a URL of the form
"http://packages.octave.org/%s/index.html" that resolved to
"http://sourceforge.net/projects/octave/files/".
This URL is then passed to urlwrite on scripts/pkg/pkg.m:395 that
does the actual fetching. It does not seem to fetch any cryptographic
signatures.

This is bad for two reasons:
1) Octave fetches packages over an insecure channel
   (not very bad on its own, read below)
2) Octave fetches packages from _sourceforge_, which was found to be packaging
   adware into GIMP's installer [1].


Install phase:

scripts/pkg/private/install.m:109 verify_directory (packdir);
This function only ensures presence of "COPYING" and "DESCRIPTION" files.
scripts/pkg/private/install.m:331 load_packages_and_dependencies ...
This function calls load_package_dirs(...) and adds it to the function
search path.
scripts/pkg/private/load_package_dirs.m: load_package_dirs(..)
This function seems to only sort out the order in which the paths must be
set up.

grepping for 'pgp', 'gpg', 'checksum' and 'sha' comes up with no package
integrity verification code at all!

1) The octave interpreter does not seem to restrict the code it interprets
   in any way.
2) A lot of the Octave packages (e.g. image-2.4.1, control-2.8.4, optim-1.3.0)
   contain source code intended for the package command to build and
   dynamically load into the interpreter:
   install.m calls configure_make(), which then executes make in a shell
   (line 91).

While this does not seem to pose a security risk at the moment GNU Octave
is installed by portage, no security warning is issued to the pkg command
user before the above happens, or when Octave itself is installed.


[1] http://arstechnica.com/information-technology/2015/05/sourceforge-grabs-gimp-for-windows-account-wraps-installer-in-bundle-pushing-adware/

Reproducible: Always

All versions likely vulnerable.
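The report above points out two gaps: the tarball is fetched without any integrity check, and installing it runs configure/make (and other hooks) from the package itself. The following Python script is an added example, not code from Octave, the reporter, or Gentoo. It shows the minimum a wrapper around "pkg install <local tarball>" can enforce with what pkg offers today: pin a SHA-256 digest obtained out of band, and list the archive members the installer will execute, so a human sees both before the file is handed to pkg. The sample package contents are constructed; the hook names other than src/configure and src/Makefile, and the exact octave invocation, are assumptions of the example.

```python
"""Pre-install check for an Octave-Forge package tarball.

Added example: pkg install -forge fetches over plain HTTP with no checksum
or signature, then may run ./configure and make from the package's src/
directory. This wrapper pins a digest and reports the members pkg would run.
"""
import hashlib
import hmac
import io
import tarfile

# Members that Octave's installer executes. The bug report names src/configure
# and src/Makefile (install.m -> configure_make). The *_install.m and
# PKG_ADD / PKG_DEL hook names are an assumption of this example, taken from
# pkg's documentation as I recall it, not from the bug report.
EXECUTED_MEMBERS = frozenset({
    "src/configure", "src/Makefile",
    "pre_install.m", "post_install.m",
    "PKG_ADD", "PKG_DEL",
})


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def digest_matches(data: bytes, expected_hex: str) -> bool:
    """True if data hashes to expected_hex (constant-time comparison)."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.strip().lower())


def executed_members(tar_bytes: bytes) -> list:
    """Archive members pkg install would run as a build step or install hook."""
    found = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for member in tf.getmembers():
            if not member.isfile():
                continue
            # pkg expects one top-level "<name>-<version>/" directory;
            # compare the path below it (or the bare name if there is none).
            parts = member.name.lstrip("./").split("/", 1)
            rel = parts[1] if len(parts) == 2 else parts[0]
            if rel in EXECUTED_MEMBERS:
                found.append(member.name)
    return sorted(found)


def check_package(tar_bytes: bytes, expected_sha256: str) -> dict:
    """Report on a downloaded tarball before it is given to pkg install."""
    return {
        "sha256": sha256_hex(tar_bytes),
        "digest_ok": digest_matches(tar_bytes, expected_sha256),
        "executes": executed_members(tar_bytes),
    }


def install_command(tar_path: str, tar_bytes: bytes, expected_sha256: str):
    """The octave command to run, or None if the pinned digest does not match.

    Only integrity is enforced here; whether to trust the build step is the
    caller's decision after reading check_package(...)["executes"].
    The octave flags are an assumption of this example.
    """
    if not check_package(tar_bytes, expected_sha256)["digest_ok"]:
        return None
    return ["octave", "--no-gui", "--eval", "pkg install %s" % tar_path]


def make_sample_tarball(files: dict) -> bytes:
    """Build a gzip tarball in memory (constructed test input, not a real package)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, text in files.items():
            data = text.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample: a minimal package with a compiled src/ directory, the
# shape the report describes for image, control and optim.
SAMPLE_PACKAGE = {
    "example-1.0.0/DESCRIPTION": "Name: example\nVersion: 1.0.0\n",
    "example-1.0.0/COPYING": "GPL\n",
    "example-1.0.0/inst/hello.m": "function hello()\n  disp('hi')\nend\n",
    "example-1.0.0/src/Makefile": "all:\n\tmkoctfile helper.cc\n",
    "example-1.0.0/src/helper.cc": "// native code built at install time\n",
}

if __name__ == "__main__":
    tarball = make_sample_tarball(SAMPLE_PACKAGE)
    pinned = sha256_hex(tarball)  # in practice: from a trusted, separate channel
    print(check_package(tarball, pinned))
    print(install_command("example-1.0.0.tar.gz", tarball, pinned))
    print(install_command("example-1.0.0.tar.gz", tarball, "00" * 32))  # None
```

The digest has to come from somewhere other than the same unauthenticated HTTP fetch (a signed release announcement, a distribution's manifest, a hash recorded after a manual review); pinning a value read from the download page itself buys nothing. Listing src/Makefile and the hook scripts does not make them safe, it only makes the "this will run code at install time" step visible, which is the warning the report says pkg never gives.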
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-05 20:14:23 UTC
Upstream added http://hg.savannah.gnu.org/hgweb/octave/rev/453fca9ae397

This warning is present in v4.2.0. As upstream said in $URL, this isn't ideal, but there is nothing more for us to do.

@ Maintainer(s): Can we stabilize =sci-mathematics/octave-4.2.0 to push the warning down to our users?
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-09 18:56:53 UTC
@ Arches,

please test and mark stable: =sci-mathematics/octave-4.2.0-r2
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-09 19:58:09 UTC
Stopping stabilization due to open bugs.
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2017-04-30 19:59:07 UTC
Can we take a look at the bugs please so we can close this bug.
Comment 5 David Seifert gentoo-dev 2017-06-11 21:49:40 UTC
All vulnerable versions removed from tree.

commit 8fc2192f2c98e1de3f9667d4d968141c6df8d55c
Author: David Seifert <soap@gentoo.org>
Date:   Sun Jun 11 23:02:50 2017 +0200

    sci-mathematics/octave: Remove old
Comment 6 Yury German Gentoo Infrastructure gentoo-dev 2017-06-12 05:22:26 UTC
Thank you all for your work.
Closing as [noglsa].