From: Jeffrey Walton
Reply-To: noloader@gmail.com
Date: Tue, 2 Apr 2024 20:37:25 -0400
Subject: Re: Sourceware mitigating and preventing the next xz-backdoor
To: Paul Koning
Cc: Guinevere Larsen, Sandra Loosemore, Mark Wielaard, overseers@sourceware.org, gcc@gcc.gnu.org, binutils@sourceware.org, gdb@sourceware.org, libc-alpha@sourceware.org
In-Reply-To: <8FA2DDAB-E1BF-4DB8-B7DA-36D41281C1FA@comcast.net>
References: <20240329203909.GS9427@gnu.wildebeest.org> <20240401150617.GF19478@gnu.wildebeest.org> <077b9dd5-0df1-4384-a9d1-58e4283caf09@redhat.com> <8FA2DDAB-E1BF-4DB8-B7DA-36D41281C1FA@comcast.net>

On Tue, Apr 2, 2024 at 7:35 PM Paul Koning via Gdb wrote:
> [...]
>
> I agree that GDB, and for that matter other projects with significant numbers of contributors, are not nearly as likely to be vulnerable to this sort of attack. But I worry that xz may not be the only project that's small enough to be vulnerable, and be security-relevant in not so obvious ways.

This cuts a lot deeper than folks think. Here are two other examples off the top of my head...

Other vulnerable projects include ncurses and libnettle. Ncurses is run by Thomas Dickey (https://invisible-island.net/). libnettle is run by Niels Möller (https://www.lysator.liu.se/~nisse/nettle/). Both are one-man shows with no continuity plans. Dickey does not even run a public version control system. You have to download his release tarballs, and there's no history to review or make pull requests against.

If Dickey or Möller got hit by a bus crossing the street, there would be problems for years.

Jeff

> One question that comes to mind is whether there has been an effort across the open source community to identify possible other targets of such attacks. Contributions elsewhere by the suspect in this case are an obvious concern, but similar scenarios with different names could also be. That probably should be an ongoing activity: whenever some external component is used, it would be worth knowing how it is maintained, and how many eyeballs are involved. Even if this isn't done by everyone, it seems like a proper precaution for security sensitive projects.
>
> Another question that comes to mind: I would guess that relevant law enforcement agencies are already looking into this, but it would seem appropriate for those closest to the attacked software to reach out explicitly and assist in any criminal investigations.
>
> paul
>