Re: [Cellar] Roman Danyliw's Discuss on draft-ietf-cellar-flac-12: (with DISCUSS and COMMENT)
Michael Richardson <mcr+ietf@sandelman.ca> Sat, 18 November 2023 17:37 UTC
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: cellar@ietfa.amsl.com
Delivered-To: cellar@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 66AE7C151091; Sat, 18 Nov 2023 09:37:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.707
X-Spam-Level:
X-Spam-Status: No, score=-1.707 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (2048-bit key) reason="fail (bad RSA signature)" header.d=sandelman.ca
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Rt_Jh5TJMRd4; Sat, 18 Nov 2023 09:37:20 -0800 (PST)
Received: from relay.sandelman.ca (relay.cooperix.net [IPv6:2a01:7e00:e000:2bb::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BD1D7C151090; Sat, 18 Nov 2023 09:37:18 -0800 (PST)
Received: from dyas.sandelman.ca (46.183.103.17.relaix.net [46.183.103.17]) by relay.sandelman.ca (Postfix) with ESMTPS id BEC0A1F45B; Sat, 18 Nov 2023 17:37:15 +0000 (UTC)
Authentication-Results: relay.sandelman.ca; dkim=fail reason="signature verification failed" (2048-bit key; secure) header.d=sandelman.ca header.i=@sandelman.ca header.b="iuK4/FJI"; dkim-atps=neutral
Received: by dyas.sandelman.ca (Postfix, from userid 1000) id EA908A0AE1; Sat, 18 Nov 2023 18:37:13 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=sandelman.ca; s=mail; t=1700329033; bh=Ub+klxeD5v7c/hWgzEv5jfmOFh/QCSyZ+gWJALJlWJY=; h=From:To:cc:Subject:In-reply-to:References:Date:From; b=iuK4/FJIOWMJcsUlcXKOcoQJqq/YAvH/vaq/3W4uR7rQUoXFJRLomXKxJOwF8IjII rV+xWKRpDE2pgOGYy3vp+y/u8knQlhsbmJWmr1NP9peYClmOQe+Q7s4kng0KLGhmoN GABM+a0LvJw6I2NvNDWHVtOcA1iTPWybgtq+xNg/WkEKMgYlbcPdoPPWzecwROto0X 2xpjfLdSzX2hrMYr/lgGWDy4zwPP29v8C4eDRH6D+fiVd7OW7KPFc5brJBUidDhWzk nyxn0jSIiOtO3bCuiuhgvJaV5wO9wM/lMl31ikoaivkKzPdAAxFa63LKsRGklZNkwC EOvw9FtchzgAw==
Received: from dyas (localhost [127.0.0.1]) by dyas.sandelman.ca (Postfix) with ESMTP id E8457A06AE; Sat, 18 Nov 2023 18:37:13 +0100 (CET)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Martijn van Beurden <mvanb1@gmail.com>
cc: Roman Danyliw <rdd@cert.org>, The IESG <iesg@ietf.org>, draft-ietf-cellar-flac@ietf.org, cellar-chairs@ietf.org, cellar@ietf.org, spencerdawkins.ietf@gmail.com
In-reply-to: <CADQbU6-cmS8zpXJj+1+F5d1fRNrr3V9=rV8qDmHUKT=SBACM+w@mail.gmail.com>
References: <169755971376.31873.11022904877825598565@ietfa.amsl.com> <CADQbU6-cmS8zpXJj+1+F5d1fRNrr3V9=rV8qDmHUKT=SBACM+w@mail.gmail.com>
Comments: In-reply-to Martijn van Beurden <mvanb1@gmail.com> message dated "Fri, 17 Nov 2023 20:49:35 +0100."
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 26.3
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Sat, 18 Nov 2023 18:37:13 +0100
Message-ID: <32554.1700329033@dyas>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cellar/TQ_5QOGDBTps5U0nMTVdHLeAtYA>
Subject: Re: [Cellar] Roman Danyliw's Discuss on draft-ietf-cellar-flac-12: (with DISCUSS and COMMENT)
X-BeenThere: cellar@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Codec Encoding for LossLess Archiving and Realtime transmission <cellar.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cellar>, <mailto:cellar-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cellar/>
List-Post: <mailto:cellar@ietf.org>
List-Help: <mailto:cellar-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cellar>, <mailto:cellar-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 18 Nov 2023 17:37:24 -0000
Martijn van Beurden <mvanb1@gmail.com> wrote: > Op di 17 okt 2023 om 18:21 schreef Roman Danyliw via Datatracker > <noreply@ietf.org>: >> >> -- per value = 17, “A bright colored fish”, what is that? >> > This is something rather embarrassing really: this part of the > specification was directly copied from ID3v2 (which is most famously > used for tagging MP3 files), presumably to make implementing it as easy > as possible for applications that already implemented ID3v2. However, > I have no clue what this rather odd entry is about. I presume it is a > joke, but many people have wondered what it is too, and "the internet" > does not seem to have an answer. Some seem to think it is a red > herring, i.e., distracting from the (potentially flawed) stuff that > really matters. > What should I do? Should I remark that this is 'probably a joke'? Or > should I simply state this was included in ID3v2 for unknown reasons > and was copied to maintain compatibility? This. "Copied to maintain integrity with historic sources" >> ** Section 8.8. The URI mechanism described in the Picture field of >> the metadata block needs further security considerations. The SECDIR >> review also pointed this out and discussion on possible new language >> has started. This guidance needs to explicitly say that: >> >> -- the Security Considerations of RFC3986 apply (to cover threats of >> maliciously craft URLs) >> >> -- following external URLs introduces a tracking risk from on-path >> observers and the operator of the service hosting the URL. Likewise, >> the choice of scheme, if it isn’t protected like https, could also >> introduce integrity attacks by an on-path observer. >> >> -- a malicious operator of the service hosting the URL can return >> arbitrary content that the parser will read >> >> -- implementers must guard against directory traversal attacks (since >> relative URIs are permitted) and be cognizant of same-origin issues >> (and localhost and local network) even more broadly >> >> -- (per SECDIR review) there could be a DoS attack against the >> operator of the service when the URI from the FLAC file is retrieved >> > I'm not sure what I could write about same-origin issues and directory > traversal attacks. Currently the spec says that for local files > referring to a local resource, the application MUST obtain user > approval to retrieve a resource not in the same directory. That seems like really enough advice. Do we need to support relative URLs in the files? Can we just say "MUST NOT"? > That should > make any possible attack dependent on user cooperation. Would further > limiting this, saying instead of obtaining user approval an application > MUST NOT retrieve a resource not in the same directory, be warranted > here? If not, I'm not sure how to restrict a directory traversal attack > on a local filesystem. Also, enforcing a same-origin policy would make > the point on DoS attacks moot, because then an attacker could only use > a file to attack the same server the file is served from, so I'm unsure > what same-origin issues apply here. The same-origin restriction is good, but it does not cover all cases, and in particular, it likely will get turned off if someone puts the file on a local disk (file:// ) and then wants album covers from the network. This is fundamentally implementation advice here in my opinion. Implementers MUST ... >> Thanks for calling this out. From this cautionary text, it is not >> clear to me where in the FLAC format this executable code would be >> insert. What guidance can be given to implementers about recognizing >> this executable code and treating it with care? > For the use case the document describes, a complete mixed-mode CD disc > image (binary + audio) is stored as if it were audio. As far as I know, > there isn't really a straightforward way to detect this, but > packing/unpacking of such files is often done fully at the users > discretion or with specialized tools aware of the context (i.e., > programs working with disc images). FTP can also be used to transfer executable code :-) The key is just ... not to execute it. I don't understand why there is an extended issue here. It's a container, it can contain stuff, and that stuff is sometimes not well identified. Also, don't pull and Outlook and try to guess based content detection, rather than using the Media-Type to determine things. > Besides storage as audio executable code can be stored directly or > encoded as text, like pretty much every other file format. One could > store base64 encoded executable code as a vorbis comment field, but > this is also possible with any text file or email. One could also store Exactly. I don't think there is much more to say other than "don't execute things" -- Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works -= IPv6 IoT consulting =- *I*LIKE*TRAINS*
- [Cellar] Roman Danyliw's Discuss on draft-ietf-ce… Roman Danyliw via Datatracker
- Re: [Cellar] Roman Danyliw's Discuss on draft-iet… Martijn van Beurden
- Re: [Cellar] Roman Danyliw's Discuss on draft-iet… Michael Richardson
- Re: [Cellar] Roman Danyliw's Discuss on draft-iet… Martijn van Beurden