Subject: Re: Sourceware mitigating and preventing the next xz-backdoor
From: Paul Koning
Date: Tue, 9 Apr 2024 16:11:01 -0400
To: Jonathon Anderson
Cc: Andreas Schwab, Michael Matz, Martin Uecker, Ian Lance Taylor, Paul Eggert, Sandra Loosemore, Mark Wielaard, overseers@sourceware.org, gcc@gcc.gnu.org, binutils@sourceware.org, gdb@sourceware.org, libc-alpha@sourceware.org
Message-Id: <62A5C6AE-FE86-48EA-8E0D-E1B17959C8EA@comcast.net>
References: <20240329203909.GS9427@gnu.wildebeest.org> <20240401150617.GF19478@gnu.wildebeest.org> <12215cd2-16db-4ee4-bd98-6a4bcf318592@cs.ucla.edu> <6239192ba9ff8aad0752309a54b633dc75a57c77.camel@tugraz.at> <8e877d2f-01e0-c786-dea5-265edbdc0c07@suse.de> <41394737-6f2d-86e7-5742-e0a794f9f63c@suse.de> <4dd125546c920da4cc744a93f230917a7311c7fb.camel@gmail.com> <87h6gazafa.fsf@igel.home>

> On Apr 9, 2024, at 3:59 PM, Jonathon Anderson via Gcc wrote:
>
> On Tue, Apr 9, 2024, 10:57 Andreas Schwab wrote:
>
>> On Apr 09 2024, anderson.jonathonm@gmail.com wrote:
>>
>>> - This xz backdoor injection unpacked attacker-controlled files and ran
>>> them during `configure`. Newer build systems implement a build abstraction
>>> (aka DSL) that acts similar to a sandbox and enforces rules (e.g. the only
>>> code run during `meson setup` is from `meson.build` files and CMake).
>>> Generally speaking the only way to disobey those rules is via an "escape"
>>> command (e.g. `run_command()`) of which there are few. This reduces the
>>> task of auditing the build scripts for sandbox-breaking malicious intent
>>> significantly, only the "escapes" need investigation and they
>>> should(tm) be rare for well-behaved projects.
>>
>> Just like you can put your backdoor in *.m4 files, you can put them in
>> *.cmake files.
>
> CMake has its own sandbox and rules and escapes (granted, much more of
> them). But regardless, the injection code would be committed to the
> repository (point 2) and would not hold up to a source directory mounted
> read-only (point 3).

Why would the injection code necessarily be committed to the repository?
It wasn't in the xz attack -- one hole in the procedures is that the
kits didn't match the repository and no checks caught this. I don't see
how a different build system would cure that issue.

Instead, there needs to be some sort of audit that verifies there aren't
rogue or modified elements in the kit.

	paul
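The kit-versus-repository audit Paul asks for, as an added example that is not part of this thread and not any project's own tooling. It assumes a git checkout, a `.tar.gz` release kit, and a project-reviewed allowlist of generated files; `build_tar` only constructs sample kits for demonstration.

```python
"""Audit a release tarball ("kit") against the tagged repository it claims to
come from. Added example for this thread, not code from any project; it assumes
a git checkout, a .tar.gz kit, and a project-reviewed allowlist of generated files."""
import hashlib
import io
import subprocess
import tarfile
from fnmatch import fnmatch

# Hypothetical allowlist of files an autotools kit legitimately adds on top of the
# repository. Caveat: allowlisted files are not verified here; regenerate them with
# autoreconf from the tagged tree and compare those too before trusting a kit.
DEFAULT_ALLOW = ("configure", "config.h.in", "aclocal.m4", "Makefile.in", "*/Makefile.in")

def build_tar(files: dict, prefix: str = "pkg-1.0/") -> bytes:
    """Build a constructed sample tarball (bytes) from {path: content} for demos/tests."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, content in files.items():
            info = tarfile.TarInfo(prefix + name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()

def manifest_from_tar(data: bytes) -> dict:
    """Map member path (leading directory stripped) -> sha256 of its contents."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for m in tf.getmembers():
            if m.isfile():
                path = m.name.split("/", 1)[1] if "/" in m.name else m.name
                out[path] = hashlib.sha256(tf.extractfile(m).read()).hexdigest()
    return out

def manifest_from_git(repo: str, tag: str) -> dict:
    """Same manifest for the repository contents at `tag` (via git archive)."""
    proc = subprocess.run(["git", "-C", repo, "archive", "--format=tar", "--prefix=src/", tag],
                          check=True, capture_output=True)
    return manifest_from_tar(proc.stdout)

def audit_kit(kit: dict, repo: dict, allow=DEFAULT_ALLOW) -> dict:
    """'rogue': in the kit but not in the repo and not an allowlisted generated file;
    'modified': in both but with different contents; 'missing': in the repo only.
    Anything rogue or modified is exactly what the thread says needs a human audit."""
    allowed = lambda p: any(fnmatch(p, pat) for pat in allow)
    return {
        "rogue": sorted(p for p in kit if p not in repo and not allowed(p)),
        "modified": sorted(p for p in kit if p in repo and kit[p] != repo[p]),
        "missing": sorted(p for p in repo if p not in kit),
    }
```

In practice the call is `audit_kit(manifest_from_tar(open(kit, "rb").read()), manifest_from_git(repo, tag))`, and a non-empty `rogue` or `modified` list should block the release until someone explains each entry.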