public inbox for libc-alpha@sourceware.org
From: Paul Koning <paulkoning@comcast.net>
To: Michael Matz <matz@suse.de>
Cc: Martin Uecker <uecker@tugraz.at>,
	Ian Lance Taylor <iant@golang.org>,
	Paul Eggert <eggert@cs.ucla.edu>,
	Sandra Loosemore <sloosemore@baylibre.com>,
	Mark Wielaard <mark@klomp.org>,
	overseers@sourceware.org, gcc@gcc.gnu.org,
	binutils@sourceware.org, gdb@sourceware.org,
	libc-alpha@sourceware.org
Subject: Re: Sourceware mitigating and preventing the next xz-backdoor
Date: Wed, 3 Apr 2024 10:14:53 -0400	[thread overview]
Message-ID: <EE312D3A-5A0D-4679-8E45-EB8E7F49AA5E@comcast.net> (raw)
In-Reply-To: <8e877d2f-01e0-c786-dea5-265edbdc0c07@suse.de>



> On Apr 3, 2024, at 10:00 AM, Michael Matz <matz@suse.de> wrote:
> 
> Hello,
> 
> On Wed, 3 Apr 2024, Martin Uecker via Gcc wrote:
> 
>>>> Seems reasonable, but note that it wouldn't make any difference to
>>>> this attack.  The liblzma library was modified to corrupt the sshd
>>>> binary, when sshd was linked against liblzma.  The actual attack
>>>> occurred via a connection to a corrupt sshd.  If sshd was running as
>>>> root, as is normal, the attacker had root access to the machine.  None
>>>> of the attacking steps had anything to do with having root access
>>>> while building or installing the program.
>> 
>> There does not seem to be a single good solution against something like this.
>> 
>> My takeaway is that software needs to become less complex. Do 
>> we really still need complex build systems such as autoconf?
> 
> Do we really need complex languages like C++ to write our software in?  
> SCNR :)  Complexity lies in the eye of the beholder, but to be honest in 
> the software that we're dealing with here, the build system or autoconf 
> does _not_ come to mind first when thinking about complexity.
> 
> (And, FWIW, testing for features isn't "complex".  And have you looked at 
> other build systems?  I have, and none of them are less complex, just 
> opaque in different ways from make+autotools).
> 
> Ciao,
> Michael.

I would tend to agree with that even given my limited exposure to alternatives.

One aspect of the present attack that needs to be cured is that -- as I understand it -- the open source repository was fine but the kit as distributed had been subverted.  In other words, the standard assumption that the repository actually corresponds to the released code was not valid.  And furthermore, that it wasn't unusual for the kit to contain different or additional elements, just that it wasn't supposed to differ in malicious ways.

One possible answer is for all elements of kits to be made explicitly visible, though generated files probably don't want to be held in a normal source control system.  Another possible answer is for consumers of kits to treat kits as suspect, and have them unpacked and examined -- including any elements not source controlled -- before acceptance.  I think the first option is better because it exposes these additional elements to ongoing scrutiny from the entire community, rather than only one-time inspection by release managers who are probably quite pressed for time.

Either way, the reasons for these extra files to exist and the manner in which they are supposed to be generated would need to be both well documented and readily reproducible by outside parties.

	paul
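As an added illustration of the second option described in the message above (unpacking a kit and examining it, including elements that are not under source control, before accepting it), here is a small Python checker. It is not code from this thread or from any Sourceware project. It assumes both sides can be represented as {relative path: bytes} mappings, and the file names, the allowlist of documented generated files and the in-memory sample tarball are all constructed for the example.

```python
"""Compare a release tarball ("kit") against the source repository it claims to
come from.  Files in the kit that are absent from the repository are reported
as unexpected unless they are on a documented allowlist of generated files;
allowlisted files are still hashed so they can be checked against the
documented generation procedure.  All sample data below is constructed."""
import hashlib
import io
import os
import tarfile


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def load_kit(tar_bytes: bytes) -> dict:
    """Read every regular file from a tar archive held in memory (gzip or plain).
    Nothing is written to disk, so hostile member names cannot escape a
    directory.  The leading top-level directory (e.g. pkg-1.0/) is stripped so
    paths line up with repository-relative paths."""
    files = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():  # symlinks, devices, directories are skipped
                continue
            name = member.name
            rel = name.split("/", 1)[1] if "/" in name else name
            files[rel] = tar.extractfile(member).read()
    return files


def load_repo(checkout_dir: str) -> dict:
    """Read a git checkout from disk, ignoring the .git metadata directory."""
    files = {}
    for root, dirs, names in os.walk(checkout_dir):
        dirs[:] = [d for d in dirs if d != ".git"]
        for name in names:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, checkout_dir).replace(os.sep, "/")
            with open(path, "rb") as fh:
                files[rel] = fh.read()
    return files


def compare_kit_to_repo(kit: dict, repo: dict, generated_allowlist: frozenset) -> dict:
    """Classify every path on either side.

    unexpected: in the kit, not in the repository, not a documented generated file
    modified:   in both, but the bytes differ
    missing:    in the repository but absent from the kit (informational only)
    generated:  on the allowlist; returned with SHA-256 so a reviewer can compare
                against a reproduced build of the generated files
    A kit is accepted only if nothing is unexpected or modified."""
    kit_paths, repo_paths = set(kit), set(repo)
    report = {
        "unexpected": sorted(kit_paths - repo_paths - generated_allowlist),
        "modified": sorted(p for p in kit_paths & repo_paths if kit[p] != repo[p]),
        "missing": sorted(repo_paths - kit_paths),
        "generated": {p: sha256_hex(kit[p]) for p in sorted(kit_paths & generated_allowlist)},
    }
    report["accept"] = not (report["unexpected"] or report["modified"])
    return report


def build_sample_kit(files: dict, top: str = "pkg-1.0") -> bytes:
    """Construct an in-memory .tar.gz from {path: bytes} (test fixture only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(name=f"{top}/{path}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample: a repository and a kit that diverges from it in two ways.
SAMPLE_REPO = {
    "configure.ac": b"AC_INIT([pkg], [1.0])\n",
    "src/main.c": b"int main(void) { return 0; }\n",
    "m4/macro.m4": b"dnl original macro\n",
}
SAMPLE_KIT = {
    "configure.ac": SAMPLE_REPO["configure.ac"],
    "src/main.c": SAMPLE_REPO["src/main.c"],
    "m4/macro.m4": b"dnl original macro\ndnl extra line not in the repository\n",
    "configure": b"#!/bin/sh\n# generated by autoconf\n",   # documented, allowlisted
    "tests/blob.bin": b"\x00\x01\x02",                       # undocumented extra file
}
GENERATED = frozenset({"configure", "Makefile.in", "aclocal.m4"})


def run_sample() -> dict:
    kit = load_kit(build_sample_kit(SAMPLE_KIT))
    return compare_kit_to_repo(kit, SAMPLE_REPO, GENERATED)


if __name__ == "__main__":
    import json
    print(json.dumps(run_sample(), indent=2))
```

Against the constructed sample the checker rejects the kit: `tests/blob.bin` is reported as unexpected and `m4/macro.m4` as modified, while `configure` is listed under generated with its hash for review. In real use `load_repo` would be pointed at a checkout of the tagged release commit and the allowlist would be the project's documented list of generated files, which is exactly the documentation the message asks for.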



Thread overview: 56+ messages
2024-03-29 20:39 Security warning about xz library compromise Mark Wielaard
2024-04-01 15:06 ` Sourceware mitigating and preventing the next xz-backdoor Mark Wielaard
2024-04-02 19:54   ` Sandra Loosemore
2024-04-02 20:03     ` Paul Eggert
2024-04-02 20:20       ` Paul Koning
2024-04-02 20:28         ` Ian Lance Taylor
2024-04-03  6:26           ` Martin Uecker
2024-04-03 14:00             ` Michael Matz
2024-04-03 14:14               ` Paul Koning [this message]
2024-04-03 14:32               ` Martin Uecker
2024-04-03 14:46                 ` Jeffrey Walton
2024-04-03 16:02                 ` Michael Matz
2024-04-03 16:26                   ` Joel Sherrill
2024-04-03 16:32                   ` Martin Uecker
2024-04-03 16:51                 ` Andreas Schwab
2024-04-03 16:56                 ` Jonathan Wakely
2024-04-03 18:46               ` Jonathon Anderson
2024-04-03 19:01                 ` Martin Uecker
2024-04-05 21:15                   ` Andrew Sutton
2024-04-06 13:00                     ` Richard Biener
2024-04-06 15:59                       ` Martin Uecker
2024-04-04 13:59                 ` Michael Matz
2024-04-09 16:44                   ` anderson.jonathonm
2024-04-09 17:57                     ` Andreas Schwab
2024-04-09 19:59                       ` Jonathon Anderson
2024-04-09 20:11                         ` Paul Koning
2024-04-09 21:40                           ` Jeffrey Walton
2024-04-09 21:50                             ` Paul Eggert
2024-04-09 21:58                               ` Sam James
2024-04-09 22:15                                 ` Paul Eggert
2024-04-09 22:22                                   ` Sam James
2024-04-09 22:53                                     ` Paul Eggert
2024-04-09 22:03                               ` Jonathon Anderson
2024-04-09 22:10                                 ` Sam James
2024-04-09 21:54                           ` Jonathon Anderson
2024-04-09 22:00                             ` Sam James
2024-04-10 14:09                             ` Frank Ch. Eigler
2024-04-10 18:47                               ` Jonathon Anderson
2024-04-10 19:00                                 ` Frank Ch. Eigler
2024-04-10 10:26                       ` Claudio Bantaloukas
2024-04-02 22:08     ` Guinevere Larsen
2024-04-02 22:50       ` Jeffrey Walton
2024-04-02 23:20       ` Mark Wielaard
2024-04-02 23:34       ` Paul Koning
2024-04-03  0:37         ` Jeffrey Walton
2024-04-03  8:08       ` Florian Weimer
2024-04-03 13:53         ` Joel Sherrill
2024-04-04 10:25           ` Mark Wielaard
2024-04-10 16:30           ` Alejandro Colomar
2024-04-21 15:30             ` Mark Wielaard
2024-04-21 20:40               ` Alejandro Colomar
2024-04-21 20:52                 ` Alejandro Colomar
2024-04-30 11:28                 ` Alejandro Colomar
2024-04-03 14:04         ` Tom Tromey
2024-04-03 14:42           ` Jeff Law
2024-04-04 10:48             ` Mark Wielaard
