Update Sparkle framework for security vulnerabilities #254
Comments
Update the in-tree copy of Sparkle to v1.13.1 for the security vulnerabilities mentioned in https://vulnsec.com/2016/osx-apps-vulnerabilities/. Change SUFeedURL to use https:// to protect against MITM of AppCast feed (fixes HermesApp#254).
😨😭🔫 EDIT: this isn't as bad as has been reported. See my comment below.
This vulnerability has now been easily weaponized. https://www.evilsocket.net/2016/01/30/osx-mass-pwning-using-bettercap-and-the-sparkle-updater-vulnerability/
Hello, unfortunately I can no longer contribute tested changes to Hermes, and have since moved on, so somebody else will have to address this. Please contact me or @nriley if you have interest in maintaining and actively developing Hermes. As for the risk factor of this vulnerability, it isn't very significant when one considers Sparkle uses DSA signatures to sign and verify updates; and there is no network of trust associated with the key pair. Regardless, this is still a vulnerability, so it should be fixed, if anybody is up to taking over.
See the link in the OP, the DSA stuff doesn't matter.
My mistake -- I had only read the second link :). Yes looks like the weak app signing via DSA is irrelevant. At any rate, I don't have the resources to fix this issue, which would require:
One could get a letsencrypt cert, however I don't have a Mac to do (2). Somebody needs to take over the project if they want to see this fixed.
@winny- all that's needed is an updated version of sparkle. you don't need to do any HTTPS stuff.
Sparkle
Unfortunately to push a new version of Sparkle in Hermes, one needs to have XCode and friends. In addition they will need two keys which I can hand over, provided you're trustworthy. https://github.com/HermesApp/Hermes/blob/master/Documentation/ReleaseEngineering.md
Just an fyi: 1.13.1 on website might still be vulnerable |
For the SSL/TLS option, you could use CloudFlare to front the domain and In any case, you don't even need to get HTTPS on hermesapp.org to solve Also, it's best to get things on HTTPS and upgrade Sparkle. Only doing On Saturday, January 30, 2016, Greg Slepak notifications@github.com wrote:
@taoeffect check the last comment in On Saturday, January 30, 2016, Reed Loden reed@reedloden.com wrote:
@reedloden did you mean to send that reply to this thread or here? Either way, I can't get even the most basic of modules working (like
@taoeffect The other thread, sorry. I'm watching all your threads right now as you investigate this, and doing it from mobile while I'm out with friends isn't helping with keeping track of stuff. Hah.
Sorry, I can't address this either. Too many other projects contending with my time and resources, and I don't even use Hermes as a user any more. If someone (or more than one person) wants to take over Hermes maintenance, I'm happy to facilitate this in any way possible, but they need to be actually committed to it. I've had enough experiences where people asked to contribute to one of my projects, I spent a bunch of time trying to help and then never heard from them again.
Good news folks! EDIT: Nope! See comment below :( There are ways to mitigate against this and it's also not as bad as reported. Just published details:
Apologies! "Sky Kinda Falling + Protecting Yourself From Sparklegate": It turns out that I was mistaken, in some situations Gatekeeper does get bypassed. I just published a post with details + mitigations. Thanks to @radekk for insisting that I was missing something!
https://vulnsec.com/2016/osx-apps-vulnerabilities/
Hermes is vulnerable to this, so would be good to get Sparkle updated.
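The two things the thread asks a maintainer to verify, that `SUFeedURL` in the app's Info.plist is an `https://` URL and that the embedded Sparkle.framework is at least 1.13.1, can be checked from a built .app without Xcode. The script below is an added example for this issue, not code from Hermes or from Sparkle; the plist contents, bundle identifier and appcast URLs in it are constructed samples, and the "1.13.1 or newer" threshold is taken from the version this thread asks for.

```python
import plistlib
import re
from urllib.parse import urlsplit

# Sparkle version this issue asks to move to. Older in-tree copies fetch the
# appcast over plain HTTP, which is the MITM problem described in the thread.
MIN_SAFE_SPARKLE = (1, 13, 1)


def parse_version(text):
    """Turn '1.13.1' (or '1.5 Beta 6') into a tuple of ints for comparison.
    Only the numeric fields are used; pre-release labels are ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", text)[:3])


def audit_sparkle(app_info_plist, sparkle_info_plist):
    """Return a list of findings for an app.

    app_info_plist: bytes of <App>.app/Contents/Info.plist
    sparkle_info_plist: bytes of the Info.plist inside the embedded
        Sparkle.framework (normally under Versions/A/Resources/).
    An empty list means both checks passed.
    """
    findings = []

    app = plistlib.loads(app_info_plist)
    feed = app.get("SUFeedURL")
    if not feed:
        findings.append("no SUFeedURL key: app does not use a Sparkle appcast")
    else:
        scheme = urlsplit(feed).scheme.lower()
        if scheme != "https":
            # A plaintext feed lets an on-path attacker rewrite the appcast
            # and the release notes the updater renders.
            findings.append(
                f"SUFeedURL is fetched over {scheme or 'an unknown scheme'}, "
                f"not https: {feed}"
            )

    sparkle = plistlib.loads(sparkle_info_plist)
    version = (sparkle.get("CFBundleShortVersionString")
               or sparkle.get("CFBundleVersion", ""))
    if not version or parse_version(version) < MIN_SAFE_SPARKLE:
        wanted = ".".join(str(n) for n in MIN_SAFE_SPARKLE)
        findings.append(
            f"embedded Sparkle {version or 'unknown'} is older than {wanted}"
        )
    return findings


# Constructed sample plists (hypothetical identifiers and URLs, not Hermes').
def _plist(entries):
    body = "".join(f"<key>{k}</key><string>{v}</string>" for k, v in entries.items())
    return (
        b'<?xml version="1.0" encoding="UTF-8"?>\n'
        b'<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" '
        b'"http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n'
        b'<plist version="1.0"><dict>' + body.encode() + b"</dict></plist>\n"
    )


VULNERABLE_APP_PLIST = _plist({
    "CFBundleIdentifier": "com.example.hermes",
    "SUFeedURL": "http://hermesapp.example/appcast.xml",   # plaintext feed
})
FIXED_APP_PLIST = _plist({
    "CFBundleIdentifier": "com.example.hermes",
    "SUFeedURL": "https://hermesapp.example/appcast.xml",  # TLS-protected feed
})
OLD_SPARKLE_PLIST = _plist({
    "CFBundleIdentifier": "org.andymatuschak.Sparkle",
    "CFBundleShortVersionString": "1.5 Beta 6",
})
NEW_SPARKLE_PLIST = _plist({
    "CFBundleIdentifier": "org.sparkle-project.Sparkle",
    "CFBundleShortVersionString": "1.13.1",
})


if __name__ == "__main__":
    for label, app, fw in (("before", VULNERABLE_APP_PLIST, OLD_SPARKLE_PLIST),
                           ("after", FIXED_APP_PLIST, NEW_SPARKLE_PLIST)):
        print(label, audit_sparkle(app, fw) or ["ok"])
```

To run it against a real build, read the two plists with `pathlib.Path(...).read_bytes()` from `Hermes.app/Contents/Info.plist` and `Hermes.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Info.plist` (the usual framework layout; confirm the path on the bundle you have). The version check is deliberately coarse: it ignores beta labels, so it tells you whether the framework was ever updated, not whether a particular point release is installed.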