Subject: Re: Sourceware mitigating and preventing the next xz-backdoor
From: Paul Koning
Date: Tue, 9 Apr 2024 16:11:01 -0400
To: Jonathon Anderson
Cc: Andreas Schwab, Michael Matz, Martin Uecker, Ian Lance Taylor, Paul Eggert, Sandra Loosemore, Mark Wielaard, overseers@sourceware.org, gcc@gcc.gnu.org, binutils@sourceware.org, gdb@sourceware.org, libc-alpha@sourceware.org
Message-Id: <62A5C6AE-FE86-48EA-8E0D-E1B17959C8EA@comcast.net>
> On Apr 9, 2024, at 3:59 PM, Jonathon Anderson via Gcc wrote:
>
> On Tue, Apr 9, 2024, 10:57 Andreas Schwab wrote:
>
>> On Apr 09 2024, anderson.jonathonm@gmail.com wrote:
>>
>>> - This xz backdoor injection unpacked attacker-controlled files and ran
>>> them during `configure`. Newer build systems implement a build abstraction
>>> (aka DSL) that acts similar to a sandbox and enforces rules (e.g. the only
>>> code run during `meson setup` is from `meson.build` files and CMake).
>>> Generally speaking the only way to disobey those rules is via an "escape"
>>> command (e.g. `run_command()`) of which there are few. This reduces the
>>> task of auditing the build scripts for sandbox-breaking malicious intent
>>> significantly; only the "escapes" need investigation, and they
>>> should(tm) be rare for well-behaved projects.
>>
>> Just like you can put your backdoor in *.m4 files, you can put them in
>> *.cmake files.
>
> CMake has its own sandbox and rules and escapes (granted, much more of
> them). But regardless, the injection code would be committed to the
> repository (point 2) and would not hold up to a source directory mounted
> read-only (point 3).

Why would the injection code necessarily be committed to the repository? It wasn't in the xz attack -- one hole in the procedures is that the kits didn't match the repository and no checks caught this. I don't see how a different build system would cure that issue. Instead, there needs to be some sort of audit that verifies there aren't rogue or modified elements in the kit.

	paul
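One shape the audit Paul asks for can take, as an added example written for this page (it is not code from this thread, from the xz project, or from the sourceware infrastructure): hash every regular file in the release kit, hash every file in the repository tree at the release tag, and report anything that is only in the kit, differs from the repository, or is missing. The repository manifest, the tarball, and the allowlist of autotools-generated files below are all constructed in memory so the script runs offline; a real run would build the manifest from `git ls-files` (or `git archive` of the tag) and read the downloaded tarball.

```python
"""Audit a release kit (tarball) against the repository tree it claims to come from.

Illustrative code for this page, not the xz project's or sourceware's tooling.
The repository manifest and the tarball are constructed in memory so the
script runs offline.
"""
from __future__ import annotations

import hashlib
import io
import tarfile
from dataclasses import dataclass

# Files a kit legitimately contains that the repository does not: autotools
# output produced at "make dist" time.  Constructed allowlist for the example;
# a real project derives it from its own dist rules and keeps it short, since
# every entry is a place where unreviewed code can hide.
GENERATED_ALLOWLIST = frozenset({"configure", "Makefile.in", "config.h.in", "aclocal.m4"})


@dataclass
class AuditReport:
    added: list[str]      # only in the kit and not allowlisted: must be explained
    generated: list[str]  # only in the kit but expected (allowlisted)
    modified: list[str]   # in both, bytes differ from the repository
    missing: list[str]    # in the repository but not shipped (usually harmless)

    def clean(self) -> bool:
        return not self.added and not self.modified


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def repo_manifest(files: dict[str, bytes]) -> dict[str, str]:
    """Path -> SHA-256 for a checked-out tree (here a constructed dict)."""
    return {path: sha256(data) for path, data in files.items()}


def kit_manifest(tar_bytes: bytes) -> dict[str, str]:
    """Path -> SHA-256 for every regular file in the tarball, with the
    top-level 'pkg-1.0/' component stripped.  Nothing is written to disk,
    so hostile member names cannot escape anywhere."""
    out: dict[str, str] = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for member in tf:
            if not member.isfile():
                # Symlinks, hard links and device nodes have no place in a
                # source kit; a stricter audit would reject them outright.
                continue
            path = member.name.split("/", 1)[1] if "/" in member.name else member.name
            out[path] = sha256(tf.extractfile(member).read())
    return out


def audit(kit: dict[str, str], repo: dict[str, str],
          allowlist: frozenset[str] = GENERATED_ALLOWLIST) -> AuditReport:
    kit_only = set(kit) - set(repo)
    return AuditReport(
        added=sorted(kit_only - allowlist),
        generated=sorted(kit_only & allowlist),
        modified=sorted(p for p in set(kit) & set(repo) if kit[p] != repo[p]),
        missing=sorted(set(repo) - set(kit)),
    )


def build_kit(files: dict[str, bytes], prefix: str = "pkg-1.0") -> bytes:
    """Construct a .tar.gz in memory (stands in for a downloaded release kit)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, data in files.items():
            info = tarfile.TarInfo(f"{prefix}/{path}")
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample trees.  The kit ships legitimate autotools output but also
# carries one macro file that is not in the repository and a modified copy of
# one that is: the kind of mismatch a tag-vs-tarball audit exists to catch.
REPO_FILES = {
    "configure.ac": b"AC_INIT([pkg], [1.0])\nAC_OUTPUT\n",
    "m4/ax_check.m4": b"dnl helper macro\n",
    "src/main.c": b"int main(void) { return 0; }\n",
    "README": b"pkg\n",
}
KIT_FILES = {
    "configure.ac": REPO_FILES["configure.ac"],
    "m4/ax_check.m4": REPO_FILES["m4/ax_check.m4"] + b"m4_include([extra.m4])\n",
    "m4/extra.m4": b"dnl not in git\n",
    "src/main.c": REPO_FILES["src/main.c"],
    "configure": b"#!/bin/sh\n# generated by autoconf\n",
    "Makefile.in": b"all:\n",
}


def demo() -> AuditReport:
    return audit(kit_manifest(build_kit(KIT_FILES)), repo_manifest(REPO_FILES))


if __name__ == "__main__":
    report = demo()
    for label, paths in vars(report).items():
        print(f"{label:9s} {paths}")
    print("clean" if report.clean() else "KIT DOES NOT MATCH REPOSITORY")
```

The point of the allowlist is that "files only in the kit" is not by itself a finding for an autotools project, since `configure` and `Makefile.in` are expected there; the audit only stays useful if that list is kept short and reviewed, because an unexplained `.m4` file or a `configure.ac` that differs from the tag is exactly the signal this check is meant to surface, regardless of which build system the project uses.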