From: Sam James
To: Luca Boccassi
Cc: Fangrui Song, Rui Ueyama, Binutils
Subject: Re: Remove dependency on libjansson
In-Reply-To: (Luca Boccassi's message of "Mon, 1 Apr 2024 10:38:25 +0000")
Organization: Gentoo
References: <877chhe80o.fsf@gentoo.org>
Date: Mon, 01 Apr 2024 11:44:59 +0100
Message-ID: <87y19xcqfo.fsf@gentoo.org>

Luca Boccassi writes:

> On Mon, 1 Apr 2024 at 10:50, Sam James wrote:
>>
>> Fangrui Song writes:
>>
>> > On Sun, Mar 31, 2024 at 8:31 PM Rui Ueyama wrote:
>> >>
>> >> Hi,
>> >>
>> >> The recent xz incident demonstrated that supply chain attacks are a
>> >> real threat, and dependence on third-party libraries can have
>> >> significant consequences.
>> >>
>> >> In the wake of the incident, I propose we remove the dependency on
>> >> libjansson from GNU ld.
>> >>
>> >> First of all, why does GNU ld depend on libjansson which is a JSON
>> >> parsing library? GNU ld gained the `--package-metadata` option in May
>> >> 2022 to embed a JSON string into a .note section for package
>> >> management for Fedora and other Linux distributions. At the same time,
>> >> the dependency on libjansson, a library for parsing JSON-format
>> >> strings, was introduced to validate an argument for that option. If an
>> >> argument is not a valid JSON string, ld reports an error. If the
>> >> library is unavailable, or if `--disable-jansson` was passed to the
>> >> configure script, the library will not be linked and the error check
>> >> will be disabled. By default, the library will be linked if it exists.
>> >>
>> >> I opposed adding an extra dependency to GNU ld just for string
>> >> verification purposes because it didn't seem worth adding extra
>> >> dependency to the linker. LLVM lld and the mold linker also support
>> >> the option, but they do not verify if the argument is a valid JSON
>> >> string -- they simply treat it as an opaque string. If libjansson is
>> >> unavailable, even GNU ld doesn't verify arguments. Therefore, the
>> >> verification is not trustworthy, and the reader must be prepared for a
>> >> malformed JSON string when reading a .note section. Moreover,
>> >> verifying a string is straightforward without the feature; you can
>> >> simply `echo` the string to pipe it to `jq` for verification before
>> >> passing it to GNU ld.
>> >>
>> >> I just checked /usr/bin/ld on Ubuntu 24.04, which is set to be
>> >> released this month, and the dependency on libjansson was indeed
>> >> present.
>> >>
>> >> How much risk does it pose? Probably not much, as long as the library
>> >> is maintained properly. However, the stakes are high; if someone takes
>> >> control of the library and introduces malicious code, they could
>> >> execute a Ken Thompson-style supply chain attack. Since GNU ld is used
>> >> to build essentially everything, the attacker could in theory gain the
>> >> power to not just contaminate a specific program such as openssh, but
>> >> every executable in an official Linux distribution image. I think the
>> >> risk is not worth taking. I believe we just should remove the string
>> >> verification code and the dependency on the library from GNU ld.
>> >>
>> >> Rui Ueyama
>> >
>> > Thanks for bringing this up again. I support removing the json dependency.
>> >
>> > I lightly expressed my concern
>> > https://sourceware.org/pipermail/binutils/2022-May/120846.html and
>> > there might be others unsure about the dependency as well.
>>
>> I'd like to hear bluca's take before making up my mind. Note that it's
>> also automagic right now IIRC (enabled if installed, not opt-in).
>>
>> But my take on it so far is that it doesn't sound worth it.
> [...]
> So if it was removed upstream, we'd just have to patch it back in
> downstream in each interested distro - which if you recall, was
> exactly how sshd was exploited, due to the lack of an upstream common
> implementation. This is opt-in, so distributions that are not
> interested can just avoid enabling it, with no extra effort required.
> So please, leave it as-is. Thank you.

(Yeah, I just checked, it's indeed off-by-default and I'm sorry I
misrecalled. Doesn't really bother me then.)
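
Added example, not part of the original thread and not binutils code: a sketch of the consumer side of the point quoted above, that whoever reads the .note section must be prepared for malformed JSON because the linker-side check is optional. It assumes the note owner "FDO" and note type 0xcafe1a7e from the ELF package-metadata note convention (neither appears in this thread), 4-byte note alignment and little-endian records; `MAX_DESC` and `make_note` are hypothetical names introduced for the example.

```python
import json
import struct

# Assumption (from the ELF package-metadata note convention, not this thread):
# owner "FDO", type 0xcafe1a7e, 4-byte alignment, little-endian.
FDO_OWNER = b"FDO\x00"
FDO_PACKAGING_METADATA = 0xCAFE1A7E
MAX_DESC = 64 * 1024  # hypothetical size cap chosen for this example


def align4(n):
    return (n + 3) & ~3


def iter_notes(section):
    """Yield (owner, type, desc) per note record; raise on truncation."""
    off = 0
    while off + 12 <= len(section):
        namesz, descsz, ntype = struct.unpack_from("<III", section, off)
        name_start = off + 12
        desc_start = name_start + align4(namesz)
        desc_end = desc_start + descsz
        if desc_end > len(section):
            raise ValueError("truncated note record")
        yield section[name_start:name_start + namesz], ntype, section[desc_start:desc_end]
        off = desc_start + align4(descsz)


def read_package_metadata(section):
    """Return the metadata as a dict, or None if absent or malformed."""
    try:
        for owner, ntype, desc in iter_notes(section):
            if owner != FDO_OWNER or ntype != FDO_PACKAGING_METADATA:
                continue
            if len(desc) > MAX_DESC:
                return None
            obj = json.loads(desc.rstrip(b"\x00").decode("utf-8"))
            return obj if isinstance(obj, dict) else None
    except (ValueError, RecursionError):  # bad JSON, bad UTF-8, truncation, deep nesting
        return None
    return None


def make_note(payload):
    """Build a constructed sample note record around `payload` (test input)."""
    desc = payload + b"\x00"
    head = struct.pack("<III", len(FDO_OWNER), len(desc), FDO_PACKAGING_METADATA)
    return head + FDO_OWNER + desc + b"\x00" * (align4(len(desc)) - len(desc))
```

The reader returns `None` for anything it cannot parse, so a caller treats a malformed note the same as a missing one.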