Package Takeover Vulnerability Notification
At 9:56AM EST February 23nd, 2021, Package Control was notified of a package takeover vulnerability in the default channel package crawler workflow. The issue was reported by Sven Blumenstein of Apple Information Security.
At 10:28AM EST February 23nd, 2021, Package Control confirmed the receipt and nature of the takeover vulnerability. At 11:32AM EST February 23nd, 2021, a mitigation was deployed to the default channel server, fixing the vulnerability.
The process to exploit the vulnerability was as follows:
- An author of a package in the default channel would need to delete their GitHub or BitBucket account
- A new user account (new author) must be created with the same name as the deleted account
- The new author must create a repository with the same name as the package repository
- The new author must create a new release of the package with a higher version number
- New and existing installs of the package would install the version of the package from the new author
The vulnerability existed due to the fact that the crawler for the default channel would allow a hosting service to go offline and come back online. Unfortunately this robust behavior, in the case of a hosting provider going offline, unintentionally allowed for user names (or domain names) to transfer ownership without review.
A review of the package database was conducted after fixing the vulnerability. At the time of reporting, there were 31 GitHub user accounts and 1 BitBucket user account that were vulnerable to takeover. 14 GitHub accounts had transfered ownership, but had not retained previous package repositories. There wasn't any evidence of malicious takeovers, however the default channel crawler does not maintain logs of every change to every package.
Moving forward, all packages that go offline will have to be manually reviewed before they will be available for installation.
Package Control 3.0 Released!
I‘m pleased to announce the release of Package Control 3.0! This release adds a bunch of polish, improving the Sublime Text experience for users and package developers.
As of July 2014, I now work for myself. This has allowed me to spend more time working on open source software, including Package Control. If you appreciate the work I‘ve done, please consider a small donation. If even 5% of regular users donated the price of a coffee or beer, that would cover quite a bit of my development time! See the About page for options.
The following notes detail some of the bigger aspects of this new release.
Backwards Compatibility Breaks
- For users who have a custom SSL CA certs, please note that any custom certs must now be stored in Packages/User/Package Control.user-ca-bundle. This mechanism replaces the old certs setting. In general this should not be necessary since Package Control now utilizes OS certificate stores for CA certs.
- The Create Binary Package File command was removed, but replaced with the package_profiles setting which allows for any number of different package creation configurations. See Creating Package Files for more details.
- Package Control now supports package dependencies for the sake of shipping non-user-facing binary files that are needed by packages. These will commonly include compiled Python modules and executables. To learn more, read the Dependencies documentation.
- A package loader that is run before any other non-default packages. This adds dependency folders to sys.path and makes the package_control Python module always available, instead of waiting until Sublime Text loads up all packages that are alphabetically before Package Control.
- Improved handling of package upgrades involving editor customizations. Theme, Color Scheme and Syntax upgrades will no longer cause Sublime Text error messages. If a package containing one of these is being upgraded, Package Control will change the setting back to the default just before starting. Once complete, the customized settings will be restored.
- In-use file upgrades improved. Package Control performs extra steps on Windows to allow upgrades to occur for packages that use various binary files such as DLLs and executables.
- A package event API was added to allow packages to know if they were just installed, are about to be upgraded, were just upgraded, or are about to be removed. See the Events documentation for more details.
- Package upgrades that are interupted by Sublime Text being closed or restarted will no longer result in packages being left in the ignored_packages setting.
Additional commands were added to the command palette, including:
- Advanced Install Package install packages via a comma-separated list
- List Unmanaged Packages list packages not controlled via Package Control
- Remove Channel helper to remove a channel
- Remove Repository helper to remove a repository
- Package Control will now remove packages, upon start, that have been deleted from the installed_packages list. This improves the recommended configuration of just syncing the Packages/User/ folder.
- Incorrect syncing of packages will now be detected and users will be notified of the issue. Sync warnings will only be raised when a package for a specific platform or version of Sublime Text is copied to an incompatible machine.
- Upgraded SSL support for Sublime Text 2 on Windows. _ssl.pyd files are installed for ST2 on Windows that are compiled against the latest version of OpenSSL. This allows secure connections to validate modern SSL certificates that use SHA-2 signatures.
- Package Control now patches the Python select module for Sublime Text 2 on Windows. This patch will make the select module available for use by all packages.
- All repositories and packages are now required to use SSL for improved security.
- SSL support for Linux. Package Control now ships _ssl.so files that are compatible with OpenSSL 0.9.8 and 1.0.x (both libssl-1.0.0 and libssl-10). Thanks to the new package loader, these are injected before any other packages are loaded. Gone are the days of package developers having to bundle them individually, or using curl/wget.
- SSL CA certificates are now 100% sourced from the OS. Previously Package Control included functionality to distribute SSL CA certificates to allow validation of SSL certs on Mac and Windows. With version 3.0, Package Control can now explort SSL CA certs from the Windows trust store into the format necessary for OpenSSL. This allows PC to no longer be responsible for distributing SSL CA certs in a secure way.
- Added a parser that allows Package Control to validate SSL certificates using SubjectAltName fields for certs that are valid for multiple hostnames. Previously such certificates were only supported in Sublime Text 3.
- A revised Urllib-based downloader for Windows. In version 2.0, Package Control switched from using urllib for downloads to using the WinINet API on Windows. This allowed PC to delegate all of the work of proxy auto-detection and SSL verification to the OS. Unfortunately some users are unable to connect to the internet using WinINet due to local policies. Other users experienced issues with SSL connectivity through the WinINet API. As of version 3.0, Package Control will automatically fall back to the urllib downloader if WinINet is unable to connect.
- HTTP compression based on bzip2 is now used for the channel file to reduce bandwidth usage. Every Sublime Text install will now have the bz2 module available for use by other packages.
Repositories and Channels
- A new schema_version of the channel and repository JSON files was released that supports using prefixed tags to allow for semantic versions with separate code-bases for different versions of Sublime Text. See the example-repository.json for details.
- A new package, ChannelRepositoryTools, was released that provides commands for package developers to upgrade their older repository JSON files to the newest standard. Read Channels and Repositories for more information.
Various documentation on the website has been added, or improved, including:
After a couple of months of bug fixes and feature development, I‘m excited to announce the first Package Control 3.0 beta! Over the next few days I would like to get it in the hands of a bunch of users to work out any final kinks. Hopefully 3.0 will be a little less eventful than the 2.0 rollout.
A set of full release notes will be displayed via Package Control messages, however here are some highlights:
- depedency support
- an SSL module for Linux
- error-free theme, color scheme and syntax upgrades
- improved HTTP support on Windows
- functionality to sync package removals via the User/ folder
If you are willing to help, perform the following instructions to upgrade to version 3.0.0-beta. Once upgraded, keep an eye on the Sublime Text console for Python exceptions. If you experience any issues, please open an issue.
- Open and set the install_prereleases setting to true
- Run the Add Repository command and enter https://sublime.wbond.net/prerelease/packages.json.
- Run the Upgrade Package command and choose Package Control
Thanks for your help!
There are quite a number of guides online that will help you set up your machines so that your Sublime Text packages and settings are copied from one computer to another. Unfortunately most of these guides do not take into consideration the fact that some packages have different versions for different operating systems.
This morning I've added a new page to the Docs section titled Syncing. It explains the potential issues with syncing packages and has some guidance for using Git and Dropbox. Please let me know if you have any improvements for this, or any of the other documentation by filling out a GitHub issue.
Inspiring Generosity, Gittip Style
As part of the new site launch and the expanded package detail pages, I wanted to start an experiment with making supporting package developers even easier. Now granted, the part I'm playing in the process is rather small since I am just providing links for each author. The real work that makes this possible is Gittip, founded by Chad Whitacre.
I was excited a few weeks ago to see the attention Gittip received when John Resig announced the Khan Academy has started giving their developers $5 a week to say thank you to the open source developers who make their work possible.
My hope is that through exposing the work of the over 1,000 developers who maintain various packages for Sublime Text, we can encourage each other to say “thank you!”
In case you’ve never checked it out, Gittip offers weekly donation amounts as small as $0.25. This may seen inconsequential, however if only 100 users tip $0.25 a week, the developer can recieve $25. Considering there are tens of thousands of users of some of the more popular packages, it should be possible for these small donations to make a big impact and encourage future open source work.
In closing I wanted to highlight some of the work a few contributors to Package Control have been doing over the past months. These developers have spent their time reviewing and giving feedback to fellow package developers as they merge pull requests into the default channel:
New Package Control Website
The old Community Packages list that was hosted on my website was admittedly a quick and dirty hack to make it easier for users to try and find packages. I have always known there were many usability issues and tons of room for improvement.
When the first alpha of Sublime Text 3 was announced, I knew there was quite a bit of work ahead of me to adapt the architecture to support multiple versions of Sublime Text. I also saw this as the opportunity to converge the codebase from python (for Package Control) and PHP (for the old Community Packages list) to a single re-usable library.
Along the way of pursuing that goal, I vastly expanded the information that can be provided by the channel system. This information helps greatly enhance the new Package Control site to include in-depth information about every package.
I am sure many of you have already poked around a bit, but here are some highlights of the new site:
A detail page for every package, including the usual info, plus:
- Installs graph for the past month, with toggles per platform
- Links to the bug tracker and a donation page
- Inline readme content to learn more about the package
- HTML content on initial page load with JSON-powered pushState architecture for all subsequent requests, leading to a more fluid browsing experience
- JSON versions of all data accessible by appending .json to most URLs
- Responsive design that allows for easy browsing on desktop, tablet and phone
- Retina-friendly design with all vector graphics
- Open source - in the coming days the full website source code will be posted with a permissive license on GitHub for collaboration
Package Control 2.0
After many months of waiting, Package Control 2.0 is finally ready. This launch is the culmination of hundreds of commits and includes many new features.
- Sublime Text 3 support, including support for different versions of packages for either Sublime Text 2 or Sublime Text 3.
- The new WinINet downloader on Windows that hooks into the OS subsystem for downloading files from the internet. This vastly improves proxy support and eliminates the need for distributing SSL CA certificates.
- Updated downloaders for Mac and Linux that utilize the operating systems’ SSL CA cert bundles.
- Proper package installation in ST3 via .sublime-package files. This allows users to override individual files in a package with their own version. Packages that must be unpacked simply need to have a file named .no-sublime-package in the root of the package.
- A completely revamped schema for channel and repositories making it much easier to properly add packages to the channel, easily override package details and provide more information.
- Support for easy package releases using tags.
- A labels system for categorizing packages.
- A migration to semver.org for versioning semantics, along with an option to ignore pre-release package versions.
- Caching support for HTTP requests, allowing for more custom GitHub-based repositories without hitting the hourly rate limit.
- Keep-Alive support for the Urllib downloader, making multiple requests to the same server much faster and less error prone.
- Many, many bug fixes and small user enhancements.
BitBucket Mirror of Channel Offline
The time has come where I can’t in good conscience keep the BitBucket mirror of the default channel open for pull requests. Due to the sheer number of pull requests that come in we currently have three very regular volunteers reviewing all requests on GitHub. Unfortunately the volume is so low on BitBucket that it tends to be forgotten. Having a repository actively maintained in two version control systems presents other problems when trying to automate maintenance tasks.
While I’ve always strived to provide as much compatibility as possible for my various open source projects, I think the result of shuttering the BitBucket mirror will be net positive. Thanks to the website-based edit functionality of GitHub and the current TravisCI testing setup, package developers who aren’t familiar with git should have no trouble adding entries for their packages.
Some users may have noticed a brief outage on the default channel server. Just now I took the channel offline to corrent a long-running glitch in package install statistics.
Due to a bug in the script that handled usage submissions from Package Control, all operations including upgrades and removals were being counted as installs. This manifested itself more severly for packages that have had lots of versions. Each time a new version of the package was released and users upgraded, installs and unique installs were incorrectly being increased.
From early in the project I decided to maintain a full history of every usage submission in case information needed to be reconstructed. The brief outage that users experienced was a full wipe of all install statistics and a regeneration of them from the master usage table. Over 35 million submissions were processed and tallied up into new, much more accurate statistics.
The unfortunately downside of this is that many package developers will see a dip in their install numbers. With the upcoming release of Package Control 2.0 and the new website, the source code for recording and displaying all of this information will be open source. Hopefully this will present the opportunity for other developers to both help improve, but also review the codebase to help catch such mistakes sooner.