Subject: Re: Sourceware mitigating and preventing the next xz-backdoor
From: Paul Koning
Date: Tue, 9 Apr 2024 16:11:01 -0400
To: Jonathon Anderson
Cc: Andreas Schwab, Michael Matz, Martin Uecker, Ian Lance Taylor, Paul Eggert, Sandra Loosemore, Mark Wielaard, overseers@sourceware.org, gcc@gcc.gnu.org, binutils@sourceware.org, gdb@sourceware.org, libc-alpha@sourceware.org
Message-Id: <62A5C6AE-FE86-48EA-8E0D-E1B17959C8EA@comcast.net>
References: <20240329203909.GS9427@gnu.wildebeest.org> <20240401150617.GF19478@gnu.wildebeest.org> <12215cd2-16db-4ee4-bd98-6a4bcf318592@cs.ucla.edu> <6239192ba9ff8aad0752309a54b633dc75a57c77.camel@tugraz.at> <8e877d2f-01e0-c786-dea5-265edbdc0c07@suse.de> <41394737-6f2d-86e7-5742-e0a794f9f63c@suse.de> <4dd125546c920da4cc744a93f230917a7311c7fb.camel@gmail.com> <87h6gazafa.fsf@igel.home>

> On Apr 9, 2024, at 3:59 PM, Jonathon Anderson via Gcc wrote:
>
> On Tue, Apr 9, 2024, 10:57 Andreas Schwab wrote:
>
>> On Apr 09 2024, anderson.jonathonm@gmail.com wrote:
>>
>>> - This xz backdoor injection unpacked attacker-controlled files and ran
>>> them during `configure`. Newer build systems implement a build abstraction
>>> (aka DSL) that acts similar to a sandbox and enforces rules (e.g. the only
>>> code run during `meson setup` is from `meson.build` files and CMake).
>>> Generally speaking the only way to disobey those rules is via an "escape"
>>> command (e.g. `run_command()`) of which there are few. This reduces the
>>> task of auditing the build scripts for sandbox-breaking malicious intent
>>> significantly: only the "escapes" need investigation, and they
>>> should(tm) be rare for well-behaved projects.
>>
>> Just like you can put your backdoor in *.m4 files, you can put them in
>> *.cmake files.
>
> CMake has its own sandbox and rules and escapes (granted, much more of
> them). But regardless, the injection code would be committed to the
> repository (point 2) and would not hold up to a source directory mounted
> read-only (point 3).

Why would the injection code necessarily be committed to the repository? It wasn't in the xz attack -- one hole in the procedures is that the kits didn't match the repository and no checks caught this. I don't see how a different build system would cure that issue. Instead, there needs to be some sort of audit that verifies there aren't rogue or modified elements in the kit.

	paul
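As an added example that is not part of this thread or of any project's release tooling, a small POSIX shell audit of the kind described above: it compares an unpacked release kit against a checkout of the repository and reports files the kit carries that the repository lacks, and files present in both whose contents differ. `audit_kit`, `demo_audit` and the sample trees are constructed for this illustration; a real run would be given the unpacked tarball and a `git` checkout of the matching tag.

```sh
#!/bin/sh
# audit_kit KIT_DIR REPO_DIR
# Compares an unpacked release kit against a repository checkout at the
# matching tag. Prints "EXTRA <path>" for files the kit carries that the
# repository does not, and "MODIFIED <path>" for files in both trees whose
# bytes differ. Returns 0 only when every kit file is vouched for by the tree.
audit_kit() {
    kit=$1
    repo=$2
    tmp=$(mktemp -d) || return 2
    # Sorted relative file lists, so comm(1) can set-difference them.
    (cd "$kit" && find . -type f | sed 's|^\./||' | sort) > "$tmp/kit"
    (cd "$repo" && find . -type f ! -path './.git/*' | sed 's|^\./||' | sort) > "$tmp/repo"
    # Names only in the kit list: nothing in the repository accounts for them.
    comm -23 "$tmp/kit" "$tmp/repo" > "$tmp/extra"
    # Names in both lists: compare contents byte for byte.
    : > "$tmp/modified"
    comm -12 "$tmp/kit" "$tmp/repo" | while IFS= read -r f; do
        cmp -s "$kit/$f" "$repo/$f" || printf '%s\n' "$f" >> "$tmp/modified"
    done
    sed 's/^/EXTRA    /' "$tmp/extra"
    sed 's/^/MODIFIED /' "$tmp/modified"
    status=0
    if [ -s "$tmp/extra" ] || [ -s "$tmp/modified" ]; then status=1; fi
    rm -rf "$tmp"
    return "$status"
}

# Constructed demonstration trees (not files from any real project): the kit
# carries one tampered m4 macro and one m4 file the repository never had.
demo_audit() {
    t=$(mktemp -d) || return 2
    mkdir -p "$t/repo/m4" "$t/kit/m4"
    printf 'AC_INIT([demo], [1.0])\n' > "$t/repo/configure.ac"
    cp "$t/repo/configure.ac" "$t/kit/configure.ac"
    printf 'AC_DEFUN([DEMO_CHECK], [true])\n' > "$t/repo/m4/demo_check.m4"
    printf 'AC_DEFUN([DEMO_CHECK], [tampered])\n' > "$t/kit/m4/demo_check.m4"
    printf 'dnl present only in the tarball\n' > "$t/kit/m4/injected.m4"
    audit_kit "$t/kit" "$t/repo"   # prints EXTRA m4/injected.m4, MODIFIED m4/demo_check.m4
    rc=$?
    rm -rf "$t"
    return "$rc"
}

demo_audit
```

For an autotools project the kit legitimately contains generated files (`configure`, `Makefile.in`), so every EXTRA line must be accounted for by regenerating it from the checkout and comparing, rather than being waved through.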