IETF Logo Mail Archive

Re: [Cellar] Roman Danyliw's Discuss on draft-ietf-cellar-flac-12: (with DISCUSS and COMMENT)

Martijn van Beurden <mvanb1@gmail.com> Fri, 17 November 2023 19:49 UTC

Return-Path: <mvanb1@gmail.com>
X-Original-To: cellar@ietfa.amsl.com
Delivered-To: cellar@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A599EC1516EB; Fri, 17 Nov 2023 11:49:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.855
X-Spam-Level:
X-Spam-Status: No, score=-1.855 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Th4V-qyyu0Fs; Fri, 17 Nov 2023 11:49:54 -0800 (PST)
Received: from mail-lf1-x132.google.com (mail-lf1-x132.google.com [IPv6:2a00:1450:4864:20::132]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A593EC151536; Fri, 17 Nov 2023 11:49:49 -0800 (PST)
Received: by mail-lf1-x132.google.com with SMTP id 2adb3069b0e04-509c61e0cf4so3408390e87.2; Fri, 17 Nov 2023 11:49:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1700250587; x=1700855387; darn=ietf.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=sY8o3efaPRH3baY4dyydAn+FtUOox19K/w0acpqg4yI=; b=SnnH+ynBalcQQfvhf8WNmra0BlPrRN/U0W8d+goIwrTPmMH+2ID/etJy3xLP/zmLYK FyBTEIfSVoKTvumHQWu0yhj+ScH+sicc7BM3CMlsvoqy9S/vTmtqpnVA3RuyycHJfjiH T3on5A+YI3t3lofg1ayx8io7r0uBI+tM02YwexxgqrLYBWT1bBw051KPJ+u/87OB7AA7 TPTgLTZ1z9vWmt2TISr+7pxXQauGKfG2Bw36Sl6ioSTwiCwRmwz3pEL8y9J6H/oGUurW HO69cmfmklm96zHKw2Yo8y2PLjAhSmrZVkQt+6E5Zu0fGLgI/aM2EzyLIUjnUBzgi/yS FfgQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1700250587; x=1700855387; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=sY8o3efaPRH3baY4dyydAn+FtUOox19K/w0acpqg4yI=; b=IBozeabosF0v9Z36e5K/AcvbFZefqCCLbPONVUT+M6SSfclcVuTdrIaf50qlmjkRUu t6zxaCjBv7EXGrRLYkzs33JIPUOGa+Qvv8NVHKjX5GBjQvMIbozefMMfNPooqxenGK9x GuiyuiP3DlxOH1Q4vrmcMuZaLq8XXcSCn/rPR4/o/gq2+PDOZF1ynw0tbrfQrZhr7blU TEPto+XYA+a1HWKm0hlWaV/TnjF2n0ZD6aQXSEkPCqwUq9b9cxt54Zp71L9fPlUqyPAe +w4MgO/oPF76mSd5iX057qdSWrgsCvjGH867hXUCAEBKxjULLgEriyI4jwcXbudqEgvO usOg==
X-Gm-Message-State: AOJu0Yzjqz6/9X2JAj6qr8UbKUisKaIoYr+d6o4L9ELArGLayzwrcjQi UTZKL3c3bhHkAtYX/tE6oNPw+vkbL+wSIWziQqwRhYV7d6s=
X-Google-Smtp-Source: AGHT+IHm2EsdWKRqqmT59HnLMTpprfykpuEG1btQU1kg2Z1vDu1/GyHmPHODD3JdGX6EcSfOwv1TY2Zqeypcycb6R5U=
X-Received: by 2002:ac2:53b7:0:b0:501:c779:b3bb with SMTP id j23-20020ac253b7000000b00501c779b3bbmr336283lfh.60.1700250587055; Fri, 17 Nov 2023 11:49:47 -0800 (PST)
MIME-Version: 1.0
References: <169755971376.31873.11022904877825598565@ietfa.amsl.com>
In-Reply-To: <169755971376.31873.11022904877825598565@ietfa.amsl.com>
From: Martijn van Beurden <mvanb1@gmail.com>
Date: Fri, 17 Nov 2023 20:49:35 +0100
Message-ID: <CADQbU6-cmS8zpXJj+1+F5d1fRNrr3V9=rV8qDmHUKT=SBACM+w@mail.gmail.com>
To: Roman Danyliw <rdd@cert.org>
Cc: The IESG <iesg@ietf.org>, draft-ietf-cellar-flac@ietf.org, cellar-chairs@ietf.org, cellar@ietf.org, spencerdawkins.ietf@gmail.com
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/cellar/-Xoc-YAF7PVhZCR5Pk76WToZluU>
Subject: Re: [Cellar] Roman Danyliw's Discuss on draft-ietf-cellar-flac-12: (with DISCUSS and COMMENT)
X-BeenThere: cellar@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Codec Encoding for LossLess Archiving and Realtime transmission <cellar.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cellar>, <mailto:cellar-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cellar/>
List-Post: <mailto:cellar@ietf.org>
List-Help: <mailto:cellar-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cellar>, <mailto:cellar-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Nov 2023 19:49:58 -0000

Hi Roman,

Once again many thanks for your thorough review of
draft-ietf-cellar-flac-12. Sorry for not getting back to you sooner on
this, I wasn't able due to health issues.

I've found most issues straightforward to alleviate, but for a few I'm
not sure what to do, so I was hoping you could provide some guidance.

Op di 17 okt 2023 om 18:21 schreef Roman Danyliw via Datatracker
<noreply@ietf.org>:
>
> -- per value = 17, “A bright colored fish”, what is that?
>

This is something rather embarrassing really: this part of the
specification was directly copied from ID3v2 (which is most famously
used for tagging MP3 files), presumably to make implementing it as
easy as possible for applications that already implemented ID3v2.
However, I have no clue what this rather odd entry is about. I presume
it is a joke, but many people have wondered what it is too, and "the
internet" does not seem to have an answer. Some seem to think it is a
red herring, i.e., distracting from the (potentially flawed) stuff
that really matters.

What should I do? Should I remark that this is 'probably a joke'? Or
should I simply state this was included in ID3v2 for unknown reasons
and was copied to maintain compatibility?

> ** Section 8.8.  The URI mechanism described in the Picture field of the
> metadata block needs further security considerations.  The SECDIR review also
> pointed this out and discussion on possible new language has started.  This
> guidance needs to explicitly say that:
>
> -- the Security Considerations of RFC3986 apply (to cover threats of
> maliciously craft URLs)
>
> -- following external URLs introduces a tracking risk from on-path observers
> and the operator of the service hosting the URL.  Likewise, the choice of
> scheme, if it isn’t protected like https, could also introduce integrity
> attacks by an on-path observer.
>
> -- a malicious operator of the service hosting the URL can return arbitrary
> content that the parser will read
>
> -- implementers must guard against directory traversal attacks (since relative
> URIs are permitted) and be cognizant of same-origin issues (and localhost and
> local network) even more broadly
>
> -- (per SECDIR review) there could be a DoS attack against the operator of the
> service when the URI from the FLAC file is retrieved
>

I'm not sure what I could write about same-origin issues and directory
traversal attacks. Currently the spec says that for local files
referring to a local resource, the application MUST obtain user
approval to retrieve a resource not in the same directory. That should
make any possible attack dependent on user cooperation. Would further
limiting this, saying instead of obtaining user approval an
application MUST NOT retrieve a resource not in the same directory, be
warranted here? If not, I'm not sure how to restrict a directory
traversal attack on a local filesystem. Also, enforcing a same-origin
policy would make the point on DoS attacks moot, because then an
attacker could only use a file to attack the same server the file is
served from, so I'm unsure what same-origin issues apply here.

> ** Section 12
>    FLAC files may contain executable code, although the FLAC format is
>    not designed for it and it is uncommon.  One use case where FLAC is
>    occasionally used to store executable code is when compressing images
>    of mixed mode CDs, which contain both audio and non-audio data, of
>    which the non-audio portion can contain executable code.
>
> Thanks for calling this out.  From this cautionary text, it is not clear to me
> where in the FLAC format this executable code would be insert.  What guidance
> can be given to implementers about recognizing this executable code and
> treating it with care?
>

For the use case the document describes, a complete mixed-mode CD disc
image (binary + audio) is stored as if it were audio. As far as I
know, there isn't really a straightforward way to detect this, but
packing/unpacking of such files is often done fully at the users
discretion or with specialized tools aware of the context (i.e.,
programs working with disc images). I could add something on that FLAC
compression could be used to obscure or obfuscate executable code from
a malware scanner when stored as if it were audio, but I'm not sure
what to write on recognizing such code. See for example
https://en.wikipedia.org/wiki/BASICODE which is a system where
computer programs would be transferred via radio broadcasts and
listeners could record the program onto an audio cassette. I wouldn't
know how to write guidance on such cases. Can you perhaps point to an
RFC that deals with a similar issue?

Besides storage as audio executable code can be stored directly or
encoded as text, like pretty much every other file format. One could
store base64 encoded executable code as a vorbis comment field, but
this is also possible with any text file or email. One could also
store it directly with an application metadata block. One could also
hide it in a padding metadata block (which is supposed to be empty) or
in any other undefined or oversized metadata block. It seems to me
this is a problem with any file format, so I'm not sure what to write
here specifically. So, could you provide some guidance on where to
draw a line?

Many thanks in advance for helping me out.

Kind regards, Martijn van Beurden

v2.23.0 | Report a Bug | By Email