Sparkle and XQuartz
- Subject: Sparkle and XQuartz
- From: Jeremy Huddleston Sequoia <email@hidden>
- Date: Wed, 10 Feb 2016 09:32:45 -0800
As many of you are aware, there is a MITM vulnerability in Sparkle which can be exploited to either deliver an incorrect appcast or ChangeLog. It is NOT possible for someone to take advantage of this vulnerability to install an invalid update of XQuartz.
Sparkle developers have provided a workaround for the issue, but an appropriate fix for this vulnerability is not quite obvious:
Considerations:
1) We support Snow Leopard which requires us to use the older Sparkle 1.6 series.
2) The patches available don't trivially cherry-pick back to 1.6 (I haven't looked into it more deeply than that at this time).
3) Even if we backported them, the changes prevent following http redirects.
4) We actually *use* http redirects. It is how we relocated from xquartz.macosforge.org/downloads/... to xquartz-dl.macosforge.org, and it is how we intend to redirect requests to our new host at github.
5) Github does not (AFAIK) support https for hosted sites. And if it did, it would likely cost money to pay for the dedicated IP address.
In order to address part of this problem, the appcast schema could be updated to include a URL to a signature file. That signature file would contain the signature to validate the entire feed. This still allows for DNS spoofing of the ChangeLog data, but it looks like the upstream fixes don't really address that problem either (other than their recommendation to use https which is not feasible in cases like ours).
I'm open to your thoughts.
--Jeremy
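The signed-feed scheme proposed above, worked through as an added example that is not part of the original post and is not Sparkle's or XQuartz's own code: the publisher signs the exact bytes of the appcast with a private key and publishes that signature at a separate URL; the client verifies the downloaded feed against the public key it ships with before it parses any XML, so a feed altered in transit (or served by whatever host an http redirect lands on) is rejected no matter which bytes changed. Everything in the block is constructed: the sample feed, the key pair, the small element subset that is modelled, and the choice of Ed25519 (an assumption of the example; it is not the algorithm Sparkle 1.6 uses). As the post notes, a signature over the feed does not cover the ChangeLog fetched from a separate URL, so that content stays unverified under this scheme.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
	"strings"
)

// Constructed sample appcast; only the fields this example needs are present.
const sampleFeed = `<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0">
  <channel>
    <title>Sample appcast (constructed)</title>
    <item>
      <title>Version 0.0.0-sample</title>
      <enclosure url="https://example.invalid/XQuartz-sample.dmg" length="1" type="application/octet-stream"/>
    </item>
  </channel>
</rss>`

// Enclosure mirrors the <enclosure> element of an appcast item (subset).
type Enclosure struct {
	URL string `xml:"url,attr"`
}

// Item is one <item> of the feed (subset).
type Item struct {
	Title     string    `xml:"title"`
	Enclosure Enclosure `xml:"enclosure"`
}

// Appcast is the parsed feed (subset).
type Appcast struct {
	XMLName xml.Name `xml:"rss"`
	Items   []Item   `xml:"channel>item"`
}

// ErrBadSignature is returned when the detached signature does not verify.
var ErrBadSignature = errors.New("appcast: feed signature does not verify")

// SignFeed produces the detached signature that would be published at the
// signature URL: a base64 Ed25519 signature over the exact feed bytes.
func SignFeed(priv ed25519.PrivateKey, feed []byte) string {
	return base64.StdEncoding.EncodeToString(ed25519.Sign(priv, feed))
}

// VerifyAndParse checks the detached signature against the raw feed bytes
// before any XML is parsed; nothing from an unverified feed is ever decoded.
func VerifyAndParse(pub ed25519.PublicKey, feed []byte, sigB64 string) (*Appcast, error) {
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return nil, fmt.Errorf("appcast: bad signature encoding: %w", err)
	}
	if len(sig) != ed25519.SignatureSize || !ed25519.Verify(pub, feed, sig) {
		return nil, ErrBadSignature
	}
	var ac Appcast
	if err := xml.Unmarshal(feed, &ac); err != nil {
		return nil, fmt.Errorf("appcast: parse: %w", err)
	}
	return &ac, nil
}

func main() {
	// Publisher key pair, generated here only for the demonstration; a real
	// client would ship the public key inside the application bundle.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	feed := []byte(sampleFeed)
	sig := SignFeed(priv, feed)

	if ac, err := VerifyAndParse(pub, feed, sig); err == nil {
		fmt.Println("genuine feed accepted, enclosure:", ac.Items[0].Enclosure.URL)
	}

	// A feed whose enclosure URL was rewritten in transit fails verification
	// because the signature was computed over the original bytes.
	tampered := []byte(strings.Replace(sampleFeed, "example.invalid", "attacker.invalid", 1))
	_, err = VerifyAndParse(pub, tampered, sig)
	fmt.Println("tampered feed rejected:", err)
}
```

Verification happens on the raw bytes, not on a parsed and re-serialised document, so the signature URL simply needs to point at a file containing the base64 signature of the feed exactly as served; any canonicalisation step on either side would be a second place for the check to go wrong.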
X11-users mailing list (email@hidden)