From: Sam James
To: Fangrui Song
Cc: Rui Ueyama, Binutils, Luca Boccassi
Subject: Re: Remove dependency on libjansson
Date: Mon, 01 Apr 2024 10:39:51 +0100
Message-ID: <877chhe80o.fsf@gentoo.org>
In-Reply-To: Fangrui Song's message of Mon, 1 Apr 2024 00:28:43 -0700
Organization: Gentoo

Fangrui Song writes:

> On Sun, Mar 31, 2024 at 8:31 PM Rui Ueyama wrote:
>>
>> Hi,
>>
>> The recent xz incident demonstrated that supply chain attacks are a real threat, and dependence on third-party libraries can have significant consequences.
>>
>> In the wake of the incident, I propose we remove the dependency on libjansson from GNU ld.
>>
>> First of all, why does GNU ld depend on libjansson, which is a JSON parsing library? GNU ld gained the `--package-metadata` option in May 2022 to embed a JSON string into a .note section for package management for Fedora and other Linux distributions. At the same time, the dependency on libjansson, a library for parsing JSON-format strings, was introduced to validate an argument for that option. If an argument is not a valid JSON string, ld reports an error. If the library is unavailable, or if `--disable-jansson` was passed to the configure script, the library will not be linked and the error check will be disabled. By default, the library will be linked if it exists.
>>
>> I opposed adding an extra dependency to GNU ld just for string verification purposes because it didn't seem worth adding an extra dependency to the linker. LLVM lld and the mold linker also support the option, but they do not verify if the argument is a valid JSON string -- they simply treat it as an opaque string. If libjansson is unavailable, even GNU ld doesn't verify arguments. Therefore, the verification is not trustworthy, and the reader must be prepared for a malformed JSON string when reading a .note section. Moreover, verifying a string is straightforward without the feature; you can simply `echo` the string to pipe it to `jq` for verification before passing it to GNU ld.
>>
>> I just checked /usr/bin/ld on Ubuntu 24.04, which is set to be released this month, and the dependency on libjansson was indeed present.
>>
>> How much risk does it pose? Probably not much, as long as the library is maintained properly. However, the stakes are high; if someone takes control of the library and introduces malicious code, they could execute a Ken Thompson-style supply chain attack. Since GNU ld is used to build essentially everything, the attacker could in theory gain the power to not just contaminate a specific program such as openssh, but every executable in an official Linux distribution image. I think the risk is not worth taking. I believe we should just remove the string verification code and the dependency on the library from GNU ld.
>>
>> Rui Ueyama
>
> Thanks for bringing this up again. I support removing the json dependency.
>
> I lightly expressed my concern in https://sourceware.org/pipermail/binutils/2022-May/120846.html and there might be others unsure about the dependency as well.

I'd like to hear bluca's take before making up my mind. Note that it's also automagic right now IIRC (enabled if installed, not opt-in).

But my take on it so far is that it doesn't sound worth it.
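
The thread's practical point is that a consumer of the `--package-metadata` note cannot rely on the linker having validated the string, because lld and mold never do and GNU ld only does when libjansson happens to be present. The following is an added example, not code from this thread or from binutils, lld, mold or systemd. It encodes a note the way a linker does and then reads it back defensively, returning "no metadata" for truncated notes, non-UTF-8 or malformed JSON, and JSON that is not an object. It assumes the note layout from the ELF package metadata specification (owner `FDO`, type `0xcafe1a7e`, NUL-terminated JSON descriptor, 4-byte field alignment, little-endian `Elf_Nhdr`); the sample payloads and the helper names are constructed for this example.

```python
"""Encode and defensively decode an ELF package-metadata note.

Assumed layout (ELF package metadata spec, systemd.io/ELF_PACKAGE_METADATA):
owner "FDO", type 0xcafe1a7e, descriptor = JSON text with a trailing NUL,
name and descriptor each padded to a 4-byte boundary.  Everything below is
example code written for this discussion, not the linker's own implementation.
"""
import json
import struct

NT_FDO_PACKAGING_METADATA = 0xCAFE1A7E
OWNER = b"FDO"


def _pad4(b: bytes) -> bytes:
    """Pad to the 4-byte alignment ELF notes require."""
    return b + b"\0" * (-len(b) % 4)


def encode_package_note(payload: str, owner: bytes = OWNER,
                        ntype: int = NT_FDO_PACKAGING_METADATA) -> bytes:
    """Serialise *payload* as one note entry: Elf_Nhdr, name, descriptor.

    Deliberately performs no JSON validation, mirroring lld/mold and a GNU ld
    built without libjansson: whatever string it is given is embedded as-is."""
    name = owner + b"\0"
    desc = payload.encode("utf-8") + b"\0"
    hdr = struct.pack("<III", len(name), len(desc), ntype)
    return hdr + _pad4(name) + _pad4(desc)


def iter_notes(blob: bytes):
    """Yield (owner, type, desc) for each note in a raw note-section blob.

    The blob comes from an untrusted binary, so a truncated header or a
    length that runs past the end simply stops iteration instead of raising."""
    off = 0
    while off + 12 <= len(blob):
        namesz, descsz, ntype = struct.unpack_from("<III", blob, off)
        off += 12
        name_end = off + namesz
        desc_start = off + ((namesz + 3) & ~3)
        desc_end = desc_start + descsz
        if name_end > len(blob) or desc_end > len(blob):
            return  # malformed: declared sizes exceed the section
        yield blob[off:name_end].rstrip(b"\0"), ntype, blob[desc_start:desc_end]
        off = desc_start + ((descsz + 3) & ~3)


def read_package_metadata(blob: bytes):
    """Return the FDO packaging note as a dict, or None if absent/unusable.

    None covers: no FDO note, descriptor not valid UTF-8, not valid JSON, or
    a JSON value that is not an object.  Callers treat None as 'no metadata'
    rather than assuming the linker checked the string for them."""
    for owner, ntype, desc in iter_notes(blob):
        if owner != OWNER or ntype != NT_FDO_PACKAGING_METADATA:
            continue
        text = desc.split(b"\0", 1)[0]  # descriptor is NUL-terminated
        try:
            obj = json.loads(text.decode("utf-8"))
        except (UnicodeDecodeError, ValueError):
            return None
        return obj if isinstance(obj, dict) else None
    return None


def check_before_link(payload: str) -> bool:
    """Producer-side check Rui describes (the `jq` step), done in-process:
    accept the string only if it is a JSON object, before handing it to ld."""
    try:
        return isinstance(json.loads(payload), dict)
    except ValueError:
        return False


# Constructed sample payloads: one well-formed (the shape a distro passes),
# one truncated (what a reader sees when no linker validated the string).
GOOD = '{"type":"rpm","name":"hello","version":"2.12-1.fc40","architecture":"x86_64"}'
BAD = '{"type":"rpm","name":"hello",'

if __name__ == "__main__":
    print(read_package_metadata(encode_package_note(GOOD)))
    print(read_package_metadata(encode_package_note(BAD)))
    print(check_before_link(GOOD), check_before_link(BAD))
```

To run the reader against a real binary, dump the section first (`objcopy --dump-section .note.package=note.bin ./a.out`) and pass the file contents to `read_package_metadata`; `readelf -n ./a.out` shows the same note for comparison. The design point is that validation lives in the tool that consumes the note, which is the only place it can be relied on given that the three linkers disagree on whether to validate at all.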