From: Paul Koning
To: Jonathon Anderson
Cc: Andreas Schwab, Michael Matz, Martin Uecker, Ian Lance Taylor, Paul Eggert, Sandra Loosemore, Mark Wielaard, overseers@sourceware.org, gcc@gcc.gnu.org, binutils@sourceware.org, gdb@sourceware.org, libc-alpha@sourceware.org
Subject: Re: Sourceware mitigating and preventing the next xz-backdoor
Date: Tue, 9 Apr 2024 16:11:01 -0400
Message-Id: <62A5C6AE-FE86-48EA-8E0D-E1B17959C8EA@comcast.net>
References: <20240329203909.GS9427@gnu.wildebeest.org> <20240401150617.GF19478@gnu.wildebeest.org> <12215cd2-16db-4ee4-bd98-6a4bcf318592@cs.ucla.edu> <6239192ba9ff8aad0752309a54b633dc75a57c77.camel@tugraz.at> <8e877d2f-01e0-c786-dea5-265edbdc0c07@suse.de> <41394737-6f2d-86e7-5742-e0a794f9f63c@suse.de> <4dd125546c920da4cc744a93f230917a7311c7fb.camel@gmail.com> <87h6gazafa.fsf@igel.home>
> On Apr 9, 2024, at 3:59 PM, Jonathon Anderson via Gcc wrote:
>
> On Tue, Apr 9, 2024, 10:57 Andreas Schwab wrote:
>
>> On Apr 09 2024, anderson.jonathonm@gmail.com wrote:
>>
>>> - This xz backdoor injection unpacked attacker-controlled files and ran them during `configure`. Newer build systems implement a build abstraction (aka DSL) that acts similar to a sandbox and enforces rules (e.g. the only code run during `meson setup` is from `meson.build` files and CMake). Generally speaking the only way to disobey those rules is via an "escape" command (e.g. `run_command()`) of which there are few. This reduces the task of auditing the build scripts for sandbox-breaking malicious intent significantly, only the "escapes" need investigation and they should(tm) be rare for well-behaved projects.
>>
>> Just like you can put your backdoor in *.m4 files, you can put them in *.cmake files.
>
> CMake has its own sandbox and rules and escapes (granted, much more of them). But regardless, the injection code would be committed to the repository (point 2) and would not hold up to a source directory mounted read-only (point 3).

Why would the injection code necessarily be committed to the repository? It wasn't in the xz attack -- one hole in the procedures is that the kits didn't match the repository and no checks caught this. I don't see how a different build system would cure that issue. Instead, there needs to be some sort of audit that verifies there aren't rogue or modified elements in the kit.

paul
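The kit-versus-repository audit Paul asks for, as an added example that is not part of this thread or of any project's release tooling: a Python check that diffs a release tarball against the committed tree and flags committed files whose kit copy differs, files present in the kit that are neither committed nor on an assumed allow-list of generated build output, and committed files the kit omits. The repository contents, the allow-list and the tarball are all constructed sample data.

```python
import io
import tarfile

# Constructed sample "repository tree" (path -> bytes), standing in for the committed tree.
REPO_TREE = {
    "configure.ac": b"AC_INIT([demo], [1.0])\nAM_INIT_AUTOMAKE\n",
    "m4/demo.m4": b"dnl upstream macro\n",
    "src/main.c": b"int main(void) { return 0; }\n",
}
GENERATED_OK = {"configure", "Makefile.in", "aclocal.m4"}  # assumed allow-list of generated files


def audit_kit(tar_bytes, repo_tree, generated_ok):
    """Diff a release tarball against the repository tree. Returns 'modified'
    (committed file whose kit copy differs), 'unexpected' (in the kit but neither
    committed nor allow-listed) and 'missing' (committed but absent from the kit)."""
    out = {"modified": [], "unexpected": [], "missing": []}
    seen = set()
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for m in (x for x in tf.getmembers() if x.isfile()):
            path = m.name.split("/", 1)[1]  # drop the "demo-1.0/" top directory
            seen.add(path)
            data = tf.extractfile(m).read()
            if path in repo_tree:
                if data != repo_tree[path]:
                    out["modified"].append(path)
            elif path not in generated_ok:
                out["unexpected"].append(path)
    out["missing"] = sorted(set(repo_tree) - seen)
    return out


def build_kit(files):
    """Constructed helper: pack path -> bytes into an in-memory .tar.gz kit."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, data in files.items():
            info = tarfile.TarInfo(name="demo-1.0/" + path)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed kit: one committed file quietly altered, one allow-listed generated file, one stray file.
SAMPLE_KIT = build_kit({
    "configure.ac": REPO_TREE["configure.ac"],
    "m4/demo.m4": b"dnl upstream macro\ndnl lines that are not in git\n",
    "src/main.c": REPO_TREE["src/main.c"],
    "configure": b"#!/bin/sh\n",
    "m4/extra.m4": b"dnl not committed anywhere\n",
})
```

Any non-empty list in the result is something a release manager should be able to explain before the kit ships; a real run would populate REPO_TREE from the tagged commit rather than from literals.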