Re: Remove dependency on libjansson

public inbox for binutils@sourceware.org
 help / color / mirror / Atom feed

From: Michael Matz <matz@suse.de>
To: Orlando Arias <orlandoarias@gmail.com>
Cc: binutils@sourceware.org
Subject: Re: Remove dependency on libjansson
Date: Wed, 3 Apr 2024 16:58:13 +0200 (CEST)	[thread overview]
Message-ID: <c5f0d81f-0447-e9f3-7d75-426ee258179d@suse.de> (raw)
In-Reply-To: <9088ad35-cc8d-4ad8-8b9b-5979dbb7baa1@gmail.com>

Hello,

On Tue, 2 Apr 2024, Orlando Arias wrote:

> Greetings,
> 
> On 4/2/24 5:40 AM, Rui Ueyama wrote:
> > We have discussed various topics already, and I don't think there's a
> > single answer because this is all about engineering tradeoffs.
> > 
> > I'd like to hear from other devs who are following this thread if there are
> > any.
> 
> I am not a developer but I am a security researcher. The dependency as 
> it is should be left in for a simple reason: you should always sanitize 
> your inputs [1].

Indeed.  But note that you're saying something else than what you wanted 
to say :)  For ld the input here is "blob of bytes".  That it's actually 
JSON (or claims to be!) is a matter for the processor of these .note 
sections.  _Those_ need to check the contents of them for being proper 
JSON themself.  They cannot rely on ld having produced "correct" .note 
sections anyway.  They could have been produced by bad tools, or 
retroactively be mangled.

So, as such checking in the consumer tools for the .notes cannot be 
avoided the early checking at producer time is a bit wasteful, and from a 
security perspective achieves exactly nothing.

(FWIW, for openSUSE I've disabled this all (or rather, didn't enable it) 
as I don't want libjansson in the bootstrap pkgbuild cycle just for this. 
Supply chain attacks or similar weren't my reason back then, and aren't 
now :) )

Ciao,
Michael.

next prev parent reply	other threads:[~2024-04-03 14:58 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-04-01  3:31 Rui Ueyama
2024-04-01  7:28 ` Fangrui Song
2024-04-01  9:39   ` Sam James
2024-04-01 10:38     ` Luca Boccassi
2024-04-01 10:44       ` Sam James
2024-04-01 11:44       ` Rui Ueyama
2024-04-01 12:16         ` Luca Boccassi
2024-04-01 13:23           ` Rui Ueyama
2024-04-02  0:54             ` Luca Boccassi
2024-04-02  9:40               ` Rui Ueyama
2024-04-02 13:10                 ` Orlando Arias
2024-04-03 14:58                   ` Michael Matz [this message]
2024-04-03 15:37                     ` Orlando Arias

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=c5f0d81f-0447-e9f3-7d75-426ee258179d@suse.de \
    --to=matz@suse.de \
    --cc=binutils@sourceware.org \
    --cc=orlandoarias@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).