
[security] Any password unlocks tomb when using pinentry-curses and non-empty $DISPLAY #385

Closed
aaronjanse opened this issue Nov 3, 2020 · 12 comments · Fixed by #386

@aaronjanse (Contributor)

Thank you for this tool. I've been using it for a while, and I appreciate its straightforwardness.

I recently noticed that my tomb unlocks no matter what password is provided.

Steps to reproduce:

  1. Use tomb with `pinentry-curses` in the `$PATH`
  2. Run `tomb dig -s 100 foobar`
  3. Provide any password for `tomb forge foobar.key`
  4. Provide any password for `tomb lock foobar -k foobar.key`
  5. Provide any password for `tomb open foobar -k foobar.key` (!!!)

My operating system is NixOS.

@jaromil (Member) commented Nov 3, 2020

@aaronjanse Weird, can you give us the output of `tomb -v`?

@aaronjanse (Contributor, Author)

```
$ tomb -v
  Tomb 2.7 - a strong and gentle undertaker for your secrets

   Copyright (C) 2007-2017 Dyne.org Foundation, License GNU GPL v3+
   This is free software: you are free to change and redistribute it
   For the latest sourcecode go to <http://dyne.org/software/tomb>

   This source code is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
   When in need please refer to <http://dyne.org/support>.

  System utils:

gpg: WARNING: unsafe permissions on homedir '/home/ajanse/.gnupg'
gpg: WARNING: unsafe permissions on homedir '/home/ajanse/.gnupg'
  Sudo version 1.9.3p1
  cryptsetup 2.3.4
  pinentry-curses (pinentry) 1.1.0
  findmnt from util-linux 2.36
  gpg (GnuPG) 2.2.23 - key forging algorithms (GnuPG symmetric ciphers):
  IDEA 3DES CAST5 BLOWFISH AES AES192 AES256 TWOFISH CAMELLIA128 CAMELLIA192 CAMELLIA256

  Optional utils:

  /nix/store/vkmnfr10cbz8799yvwy352607jrww92h-gettext-0.21/bin/gettext
  dcfldd not found
  /run/current-system/sw/bin/shred
  steghide not found
  /nix/store/zzsycw09gljk0ay6wsnz70vf47dp9z83-e2fsprogs-1.45.5-bin/bin/resize2fs
  tomb-kdb-pbkdf2 not found
  qrencode not found
  swish-e not found
  unoconv not found
  lsof not found
```

@jaromil (Member) commented Nov 3, 2020

@aaronjanse Thanks! Is there a NixOS version we can refer to, and perhaps a Docker distribution of it, to try to reproduce?

@aaronjanse (Contributor, Author)

Ah, I'm having trouble finding a NixOS container that contains everything needed for tomb. Is there a known working Docker image that works for tomb that I could modify to use Nix?

@Narrat (Contributor) commented Nov 6, 2020

Maybe it is worth looking at the gpg.conf and gpg-agent.conf? There was a similar issue where no pinentry was shown and the tomb was unlocked. Maybe this is similar, but pinentry is shown despite the password of the tomb still being cached?

@aaronjanse (Contributor, Author)

This is my `~/.gnupg/gpg-agent.conf`:

```
pinentry-program /nix/store/wfhgv1vbl4nlhgflq565z2z8gdlr5b3v-pinentry-1.1.0-gtk2/bin/pinentry
```

I have no `~/.gnupg/gpg.conf`.

@Narrat (Contributor) commented Nov 9, 2020

Not much :D Curious.
Is every pinentry binary in a package of its own? Can the faulty behaviour be reproduced with the other pinentry variants?
And could I additionally ask for the result of `tree` for the location `/nix/store/wfhgv1vbl4nlhgflq565z2z8gdlr5b3v-pinentry-1.1.0-gtk2`?

@aaronjanse aaronjanse changed the title [security] Any password unlocks tomb when using pinentry-curses on NixOS [security] On NixOS, any password unlocks tomb when using pinentry-curses Nov 10, 2020
@aaronjanse (Contributor, Author)

Aha! I think I found it!

This is only happening for pinentry-curses, not pinentry-gtk2. The password being read is `tomb [W] Detected DISPLAY, but only pinentry-curses is found.`

Tomb/tomb, lines 480 to 485 in fb154bb:

```zsh
if _is_found "pinentry-curses"; then
    _verbose "using pinentry-curses"
    _warning "Detected DISPLAY, but only pinentry-curses is found."
    output=$(pinentry_assuan_getpass | pinentry-curses)
else
```

Perhaps this issue is not specific to NixOS.
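The failure mode described above, as an added illustration that is not Tomb's own code: a diagnostic line emitted while a password is being collected inside a command substitution gets captured along with (or, when the pinentry reply is empty, instead of) the real passphrase, so the `[W]` warning text itself becomes the secret. The mechanism modelled here (the warning sharing the stdout stream that the caller captures, and the pinentry reply being empty) is an assumption for illustration, and `check_secret` is a hypothetical guard, not something Tomb provides.

```shell
#!/bin/sh
# Added example (not Tomb's code). Models how a warning printed on stdout
# inside $(...) is captured as the "password", and what the hardened pattern
# and a sanity check look like.

WARN_PREFIX='tomb [W]'   # warning prefix as quoted in the issue

# Vulnerable pattern (assumed mechanism): the warning is written to stdout,
# which the caller captures with $(...). $1 stands in for whatever the
# `pinentry_assuan_getpass | pinentry-curses` pipeline returned.
ask_password_buggy() {
    printf '%s %s\n' "$WARN_PREFIX" 'Detected DISPLAY, but only pinentry-curses is found.'
    printf '%s' "$1"
}

# Hardened pattern: diagnostics go to stderr, so only the pinentry reply
# reaches the captured output.
ask_password_fixed() {
    printf '%s %s\n' "$WARN_PREFIX" 'Detected DISPLAY, but only pinentry-curses is found.' >&2
    printf '%s' "$1"
}

# Hypothetical guard: refuse a captured secret that is empty or that looks
# like one of the tool's own diagnostic lines rather than user input.
check_secret() {
    secret=$1
    [ -n "$secret" ] || return 1
    case "$secret" in
        "$WARN_PREFIX"*) return 1 ;;
    esac
    return 0
}

# Demonstration: with an empty pinentry reply, the buggy capture yields the
# exact string the reporter saw as their "password".
captured=$(ask_password_buggy '')
printf 'buggy capture: [%s]\n' "$captured"
if check_secret "$captured"; then echo 'guard: accepted'; else echo 'guard: rejected'; fi
captured=$(ask_password_fixed 'correct horse' 2>/dev/null)
printf 'fixed capture: [%s]\n' "$captured"
```

Running it prints the warning line as the buggy capture and `correct horse` as the fixed one; the guard rejects the former.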

@aaronjanse (Contributor, Author)

@Narrat Here's my patch (master...aaronjanse:security-pinentry-curses). I'm putting it here instead of a PR to decrease visibility.

Note that affected Tomb users will need to use the password `tomb [W] Detected DISPLAY, but only pinentry-curses is found.` to use their tomb after applying the patch.

@jaromil (Member) commented Nov 10, 2020

Awesome! Please file a PR; there is no security through obscurity and no reason for us to hide bugs! This will be listed among other glitches in the history of Tomb to facilitate bug tracking. Tomb may not be the best tool out there, but at least it's an honest one!

FTR, this bug was introduced by my commit bbe9a49 in November 2014 and seems to affect installations where an X11 DISPLAY is available but only pinentry-ncurses is installed; I'm not too worried, since people using Tomb in this condition will see immediately that their password doesn't work at first test.

@aaronjanse (Contributor, Author)

> Tomb may not be the best tool out there, but at least it's an honest one!

Thank you for this! This is why I use Tomb :-)

@aaronjanse aaronjanse changed the title [security] On NixOS, any password unlocks tomb when using pinentry-curses [security] Any password unlocks tomb when using pinentry-curses and non-empty $DISPLAY Nov 11, 2020
@jaromil jaromil self-assigned this Nov 11, 2020
jaromil added a commit that referenced this issue Nov 13, 2020
@carnil commented Nov 14, 2020

CVE-2020-28638 appears to have been assigned for this issue.
