From: Martin Uecker <muecker@gwdg.de>
To: Richard Biener <richard.guenther@gmail.com>,
Andrew Sutton <asutton.list@gmail.com>
Cc: Jonathon Anderson <anderson.jonathonm@gmail.com>,
Michael Matz <matz@suse.de>, Ian Lance Taylor <iant@golang.org>,
Paul Koning <paulkoning@comcast.net>,
Paul Eggert <eggert@cs.ucla.edu>,
"Sandra Loosemore" <sloosemore@baylibre.com>,
Mark Wielaard <mark@klomp.org>, <overseers@sourceware.org>,
<gcc@gcc.gnu.org>, <binutils@sourceware.org>,
<gdb@sourceware.org>, <libc-alpha@sourceware.org>
Subject: Re: Sourceware mitigating and preventing the next xz-backdoor
Date: Sat, 6 Apr 2024 17:59:34 +0200 [thread overview]
Message-ID: <f32d4b6afcb7dbbaa8284abdd402a763147caabf.camel@gwdg.de> (raw)
In-Reply-To: <CAFiYyc11pjFtSkJbEJqhDN39YKx=XibgDpfZ7xsgS77EDM+1gw@mail.gmail.com>
Am Samstag, dem 06.04.2024 um 15:00 +0200 schrieb Richard Biener:
> On Fri, Apr 5, 2024 at 11:18 PM Andrew Sutton via Gcc <gcc@gcc.gnu.org> wrote:
> >
> > >
> > >
> > >
> > > > I think the key difference here is that Autotools allows arbitrarily
> > > generated code to be executed at any time. More modern build systems
> > > require the use of specific commands/files to run arbitrary code, e.g.
> > > CMake (IIRC [`execute_process()`][2] and [`ExternalProject`][3]), Meson
> > > ([`run_command()`][1]), Cargo ([`build.rs`][4]).\
> > >
> > > To me it seems that Cargo is the absolute worst case with respect to
> > > supply chain attacks.
> > >
> > > It pulls in dependencies recursively from a relatively uncurated
> > > list of projects, puts the source of all those dependencies into a
> > > hidden directory in home, and runs Build.rs automatically with
> > > user permissions.
> > >
> >
> > 100% this. Wait until you learn how proc macros work.
>
> proc macro execution should be heavily sandboxed, otherwise it seems
> compiling something is enough to get arbitrary code executed with the
> permission of the compiling user. I mean it's not rocket science - browsers
> do this for javascript. Hmm, we need a webassembly target ;)
This would be useful anyhow.
And locking down the compiler using landlock to only access specified
files / directories would also be nice in general.
Martin
next prev parent reply other threads:[~2024-04-06 15:59 UTC|newest]
Thread overview: 56+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-29 20:39 Security warning about xz library compromise Mark Wielaard
2024-04-01 15:06 ` Sourceware mitigating and preventing the next xz-backdoor Mark Wielaard
2024-04-02 19:54 ` Sandra Loosemore
2024-04-02 20:03 ` Paul Eggert
2024-04-02 20:20 ` Paul Koning
2024-04-02 20:28 ` Ian Lance Taylor
2024-04-03 6:26 ` Martin Uecker
2024-04-03 14:00 ` Michael Matz
2024-04-03 14:14 ` Paul Koning
2024-04-03 14:32 ` Martin Uecker
2024-04-03 14:46 ` Jeffrey Walton
2024-04-03 16:02 ` Michael Matz
2024-04-03 16:26 ` Joel Sherrill
2024-04-03 16:32 ` Martin Uecker
2024-04-03 16:51 ` Andreas Schwab
2024-04-03 16:56 ` Jonathan Wakely
2024-04-03 18:46 ` Jonathon Anderson
2024-04-03 19:01 ` Martin Uecker
2024-04-05 21:15 ` Andrew Sutton
2024-04-06 13:00 ` Richard Biener
2024-04-06 15:59 ` Martin Uecker [this message]
2024-04-04 13:59 ` Michael Matz
2024-04-09 16:44 ` anderson.jonathonm
2024-04-09 17:57 ` Andreas Schwab
2024-04-09 19:59 ` Jonathon Anderson
2024-04-09 20:11 ` Paul Koning
2024-04-09 21:40 ` Jeffrey Walton
2024-04-09 21:50 ` Paul Eggert
2024-04-09 21:58 ` Sam James
2024-04-09 22:15 ` Paul Eggert
2024-04-09 22:22 ` Sam James
2024-04-09 22:53 ` Paul Eggert
2024-04-09 22:03 ` Jonathon Anderson
2024-04-09 22:10 ` Sam James
2024-04-09 21:54 ` Jonathon Anderson
2024-04-09 22:00 ` Sam James
2024-04-10 14:09 ` Frank Ch. Eigler
2024-04-10 18:47 ` Jonathon Anderson
2024-04-10 19:00 ` Frank Ch. Eigler
2024-04-10 10:26 ` Claudio Bantaloukas
2024-04-02 22:08 ` Guinevere Larsen
2024-04-02 22:50 ` Jeffrey Walton
2024-04-02 23:20 ` Mark Wielaard
2024-04-02 23:34 ` Paul Koning
2024-04-03 0:37 ` Jeffrey Walton
2024-04-03 8:08 ` Florian Weimer
2024-04-03 13:53 ` Joel Sherrill
2024-04-04 10:25 ` Mark Wielaard
2024-04-10 16:30 ` Alejandro Colomar
2024-04-21 15:30 ` Mark Wielaard
2024-04-21 20:40 ` Alejandro Colomar
2024-04-21 20:52 ` Alejandro Colomar
2024-04-30 11:28 ` Alejandro Colomar
2024-04-03 14:04 ` Tom Tromey
2024-04-03 14:42 ` Jeff Law
2024-04-04 10:48 ` Mark Wielaard
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=f32d4b6afcb7dbbaa8284abdd402a763147caabf.camel@gwdg.de \
--to=muecker@gwdg.de \
--cc=anderson.jonathonm@gmail.com \
--cc=asutton.list@gmail.com \
--cc=binutils@sourceware.org \
--cc=eggert@cs.ucla.edu \
--cc=gcc@gcc.gnu.org \
--cc=gdb@sourceware.org \
--cc=iant@golang.org \
--cc=libc-alpha@sourceware.org \
--cc=mark@klomp.org \
--cc=matz@suse.de \
--cc=overseers@sourceware.org \
--cc=paulkoning@comcast.net \
--cc=richard.guenther@gmail.com \
--cc=sloosemore@baylibre.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).