From: Jeffrey Walton
Reply-To: noloader@gmail.com
Date: Tue, 2 Apr 2024 20:37:25 -0400
Subject: Re: Sourceware mitigating and preventing the next xz-backdoor
To: Paul Koning
Cc: Guinevere Larsen, Sandra Loosemore, Mark Wielaard, overseers@sourceware.org, gcc@gcc.gnu.org, binutils@sourceware.org, gdb@sourceware.org, libc-alpha@sourceware.org
In-Reply-To: <8FA2DDAB-E1BF-4DB8-B7DA-36D41281C1FA@comcast.net>
References: <20240329203909.GS9427@gnu.wildebeest.org> <20240401150617.GF19478@gnu.wildebeest.org> <077b9dd5-0df1-4384-a9d1-58e4283caf09@redhat.com> <8FA2DDAB-E1BF-4DB8-B7DA-36D41281C1FA@comcast.net>

On Tue, Apr 2, 2024 at 7:35 PM Paul Koning via Gdb wrote:
> [...]
>
> I agree that GDB, and for that matter other projects with significant numbers of contributors, are not nearly as likely to be vulnerable to this sort of attack. But I worry that xz may not be the only project that's small enough to be vulnerable, and be security-relevant in not so obvious ways.

This cuts a lot deeper than folks think. Here are two other examples off the top of my head...

Other vulnerable projects include ncurses and libnettle. Ncurses is run by Thomas Dickey (https://invisible-island.net/). libnettle is run by Niels Möller (https://www.lysator.liu.se/~nisse/nettle/). Both are one-man shows with no continuity plans.

Dickey does not even run a public version control system. You have to download his release tarballs, and there's no history to review or make pull requests against.

If Dickey or Möller got hit by a bus crossing the street, there would be problems for years.

Jeff

> One question that comes to mind is whether there has been an effort across the open source community to identify possible other targets of such attacks. Contributions elsewhere by the suspect in this case are an obvious concern, but similar scenarios with different names could also be. That probably should be an ongoing activity: whenever some external component is used, it would be worth knowing how it is maintained, and how many eyeballs are involved. Even if this isn't done by everyone, it seems like a proper precaution for security sensitive projects.
>
> Another question that comes to mind: I would guess that relevant law enforcement agencies are already looking into this, but it would seem appropriate for those closest to the attacked software to reach out explicitly and assist in any criminal investigations.
>
> paul
>