From: Jonathon Anderson
Date: Tue, 9 Apr 2024 12:59:20 -0700
Subject: Re: Sourceware mitigating and preventing the next xz-backdoor
To: Andreas Schwab
Cc: Michael Matz, Martin Uecker, Ian Lance Taylor, Paul Koning, Paul Eggert, Sandra Loosemore, Mark Wielaard, overseers@sourceware.org, gcc@gcc.gnu.org, binutils@sourceware.org, gdb@sourceware.org, libc-alpha@sourceware.org

On Tue, Apr 9, 2024, 10:57 Andreas Schwab wrote:

> On Apr 09 2024, anderson.jonathonm@gmail.com wrote:
>
> > - This xz backdoor injection unpacked attacker-controlled files and ran
> > them during `configure`. Newer build systems implement a build abstraction
> > (aka DSL) that acts similar to a sandbox and enforces rules (e.g. the only
> > code run during `meson setup` is from `meson.build` files and CMake).
> > Generally speaking the only way to disobey those rules is via an "escape"
> > command (e.g. `run_command()`) of which there are few. This reduces the
> > task of auditing the build scripts for sandbox-breaking malicious intent
> > significantly, only the "escapes" need investigation and they
> > should(tm) be rare for well-behaved projects.
>
> Just like you can put your backdoor in *.m4 files, you can put them in
> *.cmake files.

CMake has its own sandbox and rules and escapes (granted, much more of them). But regardless, the injection code would be committed to the repository (point 2) and would not hold up to a source directory mounted read-only (point 3).

If your build system is Meson, you can easily consider CMake code to be an escape and give it a little more auditing attention. Or just avoid shipping CMake scripts entirely, they are rarely necessary.

-Jonathon
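
The "only the escapes need investigation" audit discussed in this thread, sketched as an added example that is not part of the original message or of Meson itself: it lists the calls in a `meson.build` file that leave the build DSL, treating a CMake import as an escape as the reply suggests. The set of escape calls beyond `run_command()` is an assumption and not exhaustive, the scan is regex-based rather than a full Meson parser, and the sample input is constructed.

```python
import re

# Assumed (not exhaustive) set of Meson calls that execute external code.
# Only run_command() and CMake are named in the thread; the rest are added here.
ESCAPES = {
    "run_command": "runs a program during `meson setup`",
    "custom_target": "runs a program during the build",
    "run_target": "runs a program on request",
    "generator": "runs a program per input file",
    "add_install_script": "runs a script at install time",
    "add_dist_script": "runs a script when making the dist tarball",
    "add_postconf_script": "runs a script after configuration",
}

TOKEN = re.compile(r"""
    (?P<triple>'''.*?''')             # multi-line string literal
  | (?P<string>'(?:\\.|[^'\\\n])*')   # single-line string literal
  | (?P<comment>\#[^\n]*)             # comment to end of line
  | (?P<call>\b[A-Za-z_]\w*)\s*\(     # identifier followed by '('
""", re.S | re.X)

def find_escapes(source: str) -> list[tuple[int, str, str]]:
    """Return (line, call, reason) for calls that leave the build DSL."""
    findings = []
    for m in TOKEN.finditer(source):
        name = m.group("call")
        if name is None:
            continue  # string or comment: text inside is not code
        line = source.count("\n", 0, m.start()) + 1
        if name in ESCAPES:
            findings.append((line, name, ESCAPES[name]))
        elif name == "import" and re.match(r"\s*'cmake'", source[m.end():]):
            findings.append((line, "import('cmake')", "hands off to CMake code"))
    return findings

# Constructed sample, not taken from any real project.
SAMPLE = """\
project('demo', 'c')
# run_command('old.sh') was removed
msg = 'see custom_target() docs'
ver = run_command('sh', 'version.sh', check: true)
cmake = import('cmake')
meson.add_install_script('post.sh')
"""

if __name__ == "__main__":
    for line, name, why in find_escapes(SAMPLE):
        print(f"meson.build:{line}: {name}: {why}")
```

Mentions inside comments and string literals are skipped, so the output is the short list of call sites a reviewer has to read by hand.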