[aur-dev] [HEADS-UP] Breaking AUR helpers

Lukas Fleischer archlinux at cryptocrack.de
Sun Jun 24 18:14:27 EDT 2012

On Sun, Jun 24, 2012 at 12:39:41PM -0400, Dave Reisner wrote:
> On Sun, Jun 24, 2012 at 06:33:31PM +0200, Stefan Husmann wrote:
> > Am 24.06.2012 16:55, schrieb Lukas Fleischer:
> > >Hi!
> > >
> > >I just wanted to let everybody know that I'm about to apply a patch to
> > >our AUR setup that fixes some CSRF vulnerabilities. This will probably
> > >break most (all?) AUR helpers (mis)using the AUR HTML interface. AUR
> > >helpers, that only make use of the RPC interface, won't be affected.
> > >
> > >I recommend using the web interface until the affected programs are
> > >fixed.
> > When will this happen? Shouldn't it be announced on archlinux.org or language specific counterparts?
> > 
> > Regards Stefan
> > 
> It's already happened. Uploaders who don't cope with this will see an
> error:
>   Invalid token for user action.
> Yes, it would have been nice to see a little more lead time on this but
> honestly the change isn't really so severe.

Explaining the situation and the exact changes would have disclosed the
vulnerability and we would have had a unpatched and publicly announced
security flaw for some days. Given that AUR helpers are completely
unsupported (especially the helpers that use the HTML interface) and
given my lack of time, I didn't look for all popular helpers and inform
the particular maintainers. I'll try to do better next time.

> d

More information about the aur-dev mailing list