Subject: Re: Sourceware mitigating and preventing the next xz-backdoor
From: Martin Uecker
To: Richard Biener, Andrew Sutton
CC: Jonathon Anderson, Michael Matz, Ian Lance Taylor, Paul Koning, Paul Eggert, Sandra Loosemore, Mark Wielaard
Date: Sat, 6 Apr 2024 17:59:34 +0200
References: <20240329203909.GS9427@gnu.wildebeest.org> <20240401150617.GF19478@gnu.wildebeest.org> <12215cd2-16db-4ee4-bd98-6a4bcf318592@cs.ucla.edu> <6239192ba9ff8aad0752309a54b633dc75a57c77.camel@tugraz.at> <8e877d2f-01e0-c786-dea5-265edbdc0c07@suse.de> <8d84f989031aa34eae919f8ff2d3cb4e60faf6a7.camel@gwdg.de>

Am Samstag, dem 06.04.2024 um 15:00 +0200 schrieb Richard Biener:
> On Fri, Apr 5, 2024 at 11:18 PM Andrew Sutton via Gcc wrote:
> >
> > >
> > >
> > >
> > > > I think the key difference here is that Autotools allows arbitrarily
> > > generated code to be executed at any time. More modern build systems
> > > require the use of specific commands/files to run arbitrary code, e.g.
> > > CMake (IIRC [`execute_process()`][2] and [`ExternalProject`][3]), Meson
> > > ([`run_command()`][1]), Cargo ([`build.rs`][4]).\
> > >
> > > To me it seems that Cargo is the absolute worst case with respect to
> > > supply chain attacks.
> > >
> > > It pulls in dependencies recursively from a relatively uncurated
> > > list of projects, puts the source of all those dependencies into a
> > > hidden directory in home, and runs Build.rs automatically with
> > > user permissions.
> > >
> >
> > 100% this. Wait until you learn how proc macros work.
>
> proc macro execution should be heavily sandboxed, otherwise it seems
> compiling something is enough to get arbitrary code executed with the
> permission of the compiling user. I mean it's not rocket science - browsers
> do this for javascript.

Hmm, we need a webassembly target ;) This would be useful anyhow.

And locking down the compiler using landlock to only access specified
files / directories would also be nice in general.

Martin
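The compiler lock-down via Landlock that the last paragraph of Martin's message suggests, shown as an added illustration that is not code from this thread or from any of the projects it discusses: a small wrapper that builds a Landlock ruleset granting read-only access to the source tree and the usual system directories, read-write access to one output directory, and then execs the compiler under it. The wrapper name `llwrap`, the choice of system directories, the `TMPDIR` redirection and the per-ABI right masks are assumptions of this example; the syscall numbers, flag values and structure layouts are the kernel's stable Landlock UAPI, spelled out here so the file builds without `<linux/landlock.h>`.

```c
/* llwrap: run a build tool (e.g. one compiler invocation) under a Landlock
 * ruleset so it can only read the source tree and a few system directories
 * and only write into one output directory.
 * Added illustration, not code from the thread or any project it mentions.
 * Assumes Linux >= 5.13 with the Landlock LSM enabled; where Landlock is
 * missing the wrapper refuses to run the command instead of running it
 * unconfined. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Stable Landlock UAPI values; syscalls 444-446 are the same on every
 * architecture that has Landlock. */
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#define __NR_landlock_add_rule       445
#define __NR_landlock_restrict_self  446
#endif
#define LL_CREATE_RULESET_VERSION (1U << 0)
#define LL_RULE_PATH_BENEATH      1

#define LL_FS_EXECUTE    (1ULL << 0)
#define LL_FS_WRITE_FILE (1ULL << 1)
#define LL_FS_READ_FILE  (1ULL << 2)
#define LL_FS_READ_DIR   (1ULL << 3)
#define LL_FS_ABI1_ALL   ((1ULL << 13) - 1)  /* execute .. make_sym, ABI 1 */
#define LL_FS_REFER      (1ULL << 13)        /* ABI 2 */
#define LL_FS_TRUNCATE   (1ULL << 14)        /* ABI 3 */
#define LL_FS_IOCTL_DEV  (1ULL << 15)        /* ABI 5 */

struct ll_ruleset_attr { uint64_t handled_access_fs; };
struct ll_path_beneath_attr {
    uint64_t allowed_access;
    int32_t parent_fd;
} __attribute__((packed));

/* Landlock ABI version of the running kernel, or -1 if Landlock is absent. */
int landlock_abi_version(void) {
    long v = syscall(__NR_landlock_create_ruleset, NULL, 0, LL_CREATE_RULESET_VERSION);
    return v < 0 ? -1 : (int)v;
}

/* All filesystem rights a given ABI knows. A right that is handled but not
 * granted by any rule is denied; a right the kernel does not know must not be
 * passed, or ruleset creation fails with EINVAL. (Assumed per-ABI table.) */
uint64_t fs_rights_for_abi(int abi) {
    uint64_t m = LL_FS_ABI1_ALL;
    if (abi >= 2) m |= LL_FS_REFER;
    if (abi >= 3) m |= LL_FS_TRUNCATE;
    if (abi >= 5) m |= LL_FS_IOCTL_DEV;
    return m;
}

/* Read-only view: enough to find, read and execute tools and headers. */
uint64_t ro_rights(void) { return LL_FS_EXECUTE | LL_FS_READ_FILE | LL_FS_READ_DIR; }

static int add_path_rule(int ruleset_fd, const char *path, uint64_t rights) {
    struct ll_path_beneath_attr pb = { .allowed_access = rights };
    pb.parent_fd = open(path, O_PATH | O_CLOEXEC);
    if (pb.parent_fd < 0)
        return errno == ENOENT ? 0 : -1;  /* a missing system dir is tolerated */
    int r = syscall(__NR_landlock_add_rule, ruleset_fd, LL_RULE_PATH_BENEATH, &pb, 0);
    close(pb.parent_fd);
    return r;
}

/* Confine the calling process: ro_dirs readable/executable, rw_dir fully
 * writable, everything else denied for every right the kernel ABI handles. */
int confine(const char *const ro_dirs[], size_t n_ro, const char *rw_dir) {
    int abi = landlock_abi_version();
    if (abi < 0) return -1;
    struct ll_ruleset_attr attr = { .handled_access_fs = fs_rights_for_abi(abi) };
    int fd = syscall(__NR_landlock_create_ruleset, &attr, sizeof attr, 0);
    if (fd < 0) return -1;
    for (size_t i = 0; i < n_ro; i++)
        if (add_path_rule(fd, ro_dirs[i], ro_rights()) < 0) { close(fd); return -1; }
    if (add_path_rule(fd, rw_dir, fs_rights_for_abi(abi)) < 0) { close(fd); return -1; }
    /* no_new_privs is required by restrict_self and also blocks setuid escapes */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) { close(fd); return -1; }
    int r = syscall(__NR_landlock_restrict_self, fd, 0);
    close(fd);
    return r;
}

/* usage: llwrap SRC_DIR OUT_DIR COMMAND [ARGS...]
 * e.g.   llwrap ./src ./build cc -O2 -o build/a.out src/a.c */
int main(int argc, char **argv) {
    if (argc < 4) { fprintf(stderr, "usage: %s SRC_DIR OUT_DIR COMMAND [ARGS...]\n", argv[0]); return 2; }
    const char *ro[] = { argv[1], "/usr", "/lib", "/lib64", "/bin", "/etc" };  /* assumed system dirs */
    setenv("TMPDIR", argv[2], 1);  /* compiler scratch files go to the writable dir */
    if (confine(ro, sizeof ro / sizeof ro[0], argv[2]) < 0) {
        perror("landlock");  /* refuse to run the tool unconfined */
        return 1;
    }
    execvp(argv[3], argv + 3);
    perror("execvp");
    return 127;
}
```

Two design points worth noting: the ruleset handles every right the running kernel's ABI knows (probed with the `LANDLOCK_CREATE_RULESET_VERSION` query), so anything not explicitly granted for a path is denied rather than silently left open, and the wrapper fails closed when Landlock is unavailable instead of quietly running the compiler with the user's full filesystem access.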