From: Jonathon Anderson
Date: Tue, 9 Apr 2024 12:59:20 -0700
Subject: Re: Sourceware mitigating and preventing the next xz-backdoor
To: Andreas Schwab
Cc: Michael Matz, Martin Uecker, Ian Lance Taylor, Paul Koning, Paul Eggert, Sandra Loosemore, Mark Wielaard, overseers@sourceware.org, gcc@gcc.gnu.org, binutils@sourceware.org, gdb@sourceware.org, libc-alpha@sourceware.org

On Tue, Apr 9, 2024, 10:57 Andreas Schwab wrote:

> On Apr 09 2024, anderson.jonathonm@gmail.com wrote:
>
> > - This xz backdoor injection unpacked attacker-controlled files and ran
> > them during `configure`. Newer build systems implement a build abstraction
> > (aka DSL) that acts similar to a sandbox and enforces rules (e.g. the only
> > code run during `meson setup` is from `meson.build` files and CMake).
> > Generally speaking the only way to disobey those rules is via an "escape"
> > command (e.g. `run_command()`) of which there are few. This reduces the
> > task of auditing the build scripts for sandbox-breaking malicious intent
> > significantly, only the "escapes" need investigation and they
> > should(tm) be rare for well-behaved projects.
>
> Just like you can put your backdoor in *.m4 files, you can put them in
> *.cmake files.

CMake has its own sandbox and rules and escapes (granted, many more of
them). But regardless, the injection code would be committed to the
repository (point 2) and would not hold up to a source directory mounted
read-only (point 3).

If your build system is Meson, you can easily consider CMake code to be an
escape and give it a little more auditing attention. Or just avoid shipping
CMake scripts entirely, they are rarely necessary.

-Jonathon
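
The audit this message describes, as an added example (not part of the original e-mail, and not code from Meson or any project discussed): it lists the calls in `meson.build` text that can run code outside the DSL during `meson setup` and flags CMake scripts shipped in the tree. The shortlist of calls, the function names and the sample input are assumptions made for the example.

```python
import re
from pathlib import Path

# Call name -> regex its arguments must match (illustrative shortlist, not exhaustive).
ESCAPES = {
    "run_command": r"",
    "configure_file": r"\bcommand\s*:",
    "import": r"^\s*'cmake'",
    "dependency": r"\bmethod\s*:\s*'cmake'",
}
CALL = re.compile(r"\b(%s)\s*\(" % "|".join(ESCAPES))
TOKEN = re.compile(r"'''.*?'''|'(?:\\.|[^'\\\n])*'|#[^\n]*|[()]", re.S)

def call_args(code, start):
    """Argument text of the call whose '(' is at index start; strings are skipped."""
    depth = 0
    for tok in TOKEN.finditer(code, start):
        depth += {"(": 1, ")": -1}.get(tok[0], 0)
        if depth == 0:
            return code[start + 1:tok.start()]
    return code[start + 1:]  # unbalanced call: audit what is there

def scan_meson(text):
    """Return (line, call name) per setup-time escape; comments are blanked first."""
    code = TOKEN.sub(lambda m: " " * len(m[0]) if m[0][0] == "#" else m[0], text)
    return [(code.count("\n", 0, m.start()) + 1, m[1])
            for m in CALL.finditer(code)
            if re.search(ESCAPES[m[1]], call_args(code, m.end() - 1))]

def audit_tree(root):
    """Map relative path -> findings; a shipped CMake script is a finding (line 0)."""
    report = {}
    for p in sorted(q for q in Path(root).rglob("*") if q.is_file()):
        cmake = p.name == "CMakeLists.txt" or p.suffix == ".cmake"
        hits = [(0, "cmake script")] if cmake else []
        if p.name == "meson.build":
            hits = scan_meson(p.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[p.relative_to(root).as_posix()] = hits
    return report

SAMPLE = """# constructed sample: run_command('commented-out') is not reported
ver = run_command('git', 'describe', check: false)
configure_file(output: 'a.h', command: [find_program('gen.py'), ')'])
configure_file(output: 'b.h', configuration: configuration_data())
zlib = dependency('zlib', method: 'cmake')
"""

if __name__ == "__main__":
    print(scan_meson(SAMPLE))
```

The scanner over-reports rather than under-reports: a call name that appears inside a string literal is still listed, which suits a review queue where every hit gets read by a person.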