From: Andreas Schwab
To: anderson.jonathonm@gmail.com
Cc: Michael Matz, Martin Uecker, Ian Lance Taylor, Paul Koning, Paul Eggert, Sandra Loosemore, Mark Wielaard, overseers@sourceware.org, gcc@gcc.gnu.org, binutils@sourceware.org, gdb@sourceware.org, libc-alpha@sourceware.org
Subject: Re: Sourceware mitigating and preventing the next xz-backdoor
In-Reply-To: <4dd125546c920da4cc744a93f230917a7311c7fb.camel@gmail.com> (anderson jonathonm's message of "Tue, 09 Apr 2024 09:44:20 -0700")
Date: Tue, 09 Apr 2024 19:57:13 +0200
Message-ID: <87h6gazafa.fsf@igel.home>

On Apr 09 2024, anderson.jonathonm@gmail.com wrote:

> - This xz backdoor injection unpacked attacker-controlled files and ran them during `configure`.
> Newer build systems implement a build abstraction (aka DSL) that acts
> similar to a sandbox and enforces rules (e.g. the only code run during
> `meson setup` is from `meson.build` files and CMake). Generally
> speaking the only way to disobey those rules is via an "escape"
> command (e.g. `run_command()`) of which there are few. This reduces
> the task of auditing the build scripts for sandbox-breaking malicious
> intent significantly, only the "escapes" need investigation and they
> should(tm) be rare for well-behaved projects.

Just like you can put your backdoor in *.m4 files, you can put them in *.cmake files.

-- 
Andreas Schwab, schwab@linux-m68k.org
GPG Key fingerprint = 7578 EB47 D4E5 4D69 2510 2552 DF73 E780 A9DA AEC1
"And now for something completely different."
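An audit along the lines discussed in this message, as an added example that is not part of the original email and not code from Meson or CMake: it lists configure-time "escape" calls in a source tree and treats `*.cmake` modules as code alongside `CMakeLists.txt`. The call lists and the constructed sample files are assumptions, and the CMake names generalize the thread's `run_command()` example to that tool.

```python
import re
from pathlib import Path

# Calls that can run external programs or computed code at configure time.
# Assumed starting list for an audit, not a complete inventory of either tool.
MESON_ESCAPES = ("run_command",)
CMAKE_ESCAPES = ("execute_process", "exec_program", "cmake_language")

def _pattern(names, flags=0):
    # Reject longer identifiers (my_run_command) and method calls (x.run_command).
    return re.compile(r"(?<![\w.])(" + "|".join(names) + r")\s*\(", flags)

MESON_RE = _pattern(MESON_ESCAPES)
# CMake command names are case-insensitive, so EXECUTE_PROCESS must match too.
CMAKE_RE = _pattern(CMAKE_ESCAPES, re.IGNORECASE)

def pattern_for(path):
    name = Path(path).name
    if name == "meson.build":
        return MESON_RE
    # Included *.cmake modules are code, exactly like CMakeLists.txt.
    if name == "CMakeLists.txt" or name.endswith(".cmake"):
        return CMAKE_RE
    return None

def find_escapes(path, text):
    """Return (path, line number, call) for every escape call in one file."""
    rx = pattern_for(path)
    if rx is None:
        return []
    # Comments are not stripped: a false positive only costs a glance.
    return [(str(path), n, m.group(1).lower())
            for n, line in enumerate(text.splitlines(), 1)
            for m in rx.finditer(line)]

def audit_tree(root):
    hits = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and pattern_for(p):
            hits += find_escapes(p, p.read_text(errors="replace"))
    return hits

# Constructed sample files, not taken from any real project.
SAMPLES = {
    "meson.build": "project('demo', 'c')\nr = run_command('sh', 'gen.sh', check: true)\n",
    "CMakeLists.txt": "project(demo C)\ninclude(cmake/helpers.cmake)\n",
    "cmake/helpers.cmake": 'EXECUTE_PROCESS(COMMAND sh gen.sh)\ncmake_language(EVAL CODE "${snippet}")\n',
}
```

On the samples, the top-level `CMakeLists.txt` reports nothing while the included `cmake/helpers.cmake` reports two calls; `audit_tree(".")` runs the same check over a checkout.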