Subject: Re: Sourceware mitigating and preventing the next xz-backdoor
Date: Tue, 9 Apr 2024 16:11:01 -0400
Cc: Andreas Schwab, Michael Matz, Martin Uecker, Ian Lance Taylor, Paul Eggert, Sandra Loosemore, Mark Wielaard, overseers@sourceware.org, gcc@gcc.gnu.org, binutils@sourceware.org, gdb@sourceware.org, libc-alpha@sourceware.org
Message-Id: <62A5C6AE-FE86-48EA-8E0D-E1B17959C8EA@comcast.net>
To: Jonathon Anderson
List-Id: Gdb mailing list
From: Paul Koning via Gdb
Reply-To: Paul Koning

> On Apr 9, 2024, at 3:59 PM, Jonathon Anderson via Gcc wrote:
>
> On Tue, Apr 9, 2024, 10:57 Andreas Schwab wrote:
>
>> On Apr 09 2024, anderson.jonathonm@gmail.com wrote:
>>
>>> - This xz backdoor injection unpacked attacker-controlled files and ran
>>> them during `configure`. Newer build systems implement a build abstraction
>>> (aka DSL) that acts similar to a sandbox and enforces rules (e.g. the only
>>> code run during `meson setup` is from `meson.build` files and CMake).
>>> Generally speaking the only way to disobey those rules is via an "escape"
>>> command (e.g. `run_command()`) of which there are few. This reduces the
>>> task of auditing the build scripts for sandbox-breaking malicious intent
>>> significantly, only the "escapes" need investigation and they
>>> should(tm) be rare for well-behaved projects.
>>
>> Just like you can put your backdoor in *.m4 files, you can put them in
>> *.cmake files.
>
>
> CMake has its own sandbox and rules and escapes (granted, much more of
> them). But regardless, the injection code would be committed to the
> repository (point 2) and would not hold up to a source directory mounted
> read-only (point 3).

Why would the injection code necessarily be committed to the repository?
It wasn't in the xz attack -- one hole in the procedures is that the
kits didn't match the repository and no checks caught this. I don't see
how a different build system would cure that issue. Instead, there
needs to be some sort of audit that verifies there aren't rogue or
modified elements in the kit.

	paul
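
One way to run the kind of kit-versus-repository audit the last message asks for, as an added example that is not part of the original thread or of any project's tooling. It assumes the repository side is a tar export of the release tag (for instance from `git archive`); the file names, contents and the `expected_generated` allow-list are constructed for illustration.

```python
import hashlib
import io
import tarfile


def manifest(tar_bytes, strip=1):
    """Map each non-directory member to a SHA-256, dropping `strip` leading path components."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        for m in tar.getmembers():
            if m.isdir():
                continue
            # Links carry no data, so hash their target to catch a redirected path.
            data = tar.extractfile(m).read() if m.isfile() else b"link:" + m.linkname.encode()
            out["/".join(m.name.split("/")[strip:])] = hashlib.sha256(data).hexdigest()
    return out


def audit_kit(repo_tar, kit_tar, expected_generated=()):
    """Compare a release kit against an export of the tagged repository tree."""
    repo, kit = manifest(repo_tar), manifest(kit_tar)
    extra = sorted(p for p in kit if p not in repo)
    return {
        "modified": sorted(p for p in kit if p in repo and kit[p] != repo[p]),
        "unexpected": [p for p in extra if p not in expected_generated],
        "generated": [p for p in extra if p in expected_generated],  # still needs regenerating to verify
        "missing": sorted(p for p in repo if p not in kit),
    }


def make_tar(prefix, files):
    """Build an in-memory tarball; used only to construct the sample input."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(f"{prefix}/{name}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample: the kit changes one file and adds two that the repository lacks.
TREE = {"configure.ac": b"AC_INIT\n", "m4/check.m4": b"dnl check\n", "src/main.c": b"int x;\n"}
REPO = make_tar("proj-1.0", TREE)
KIT = make_tar("proj-1.0", {**TREE, "m4/check.m4": b"dnl check\ndnl changed\n",
                            "m4/helper.m4": b"dnl kit only\n", "configure": b"#!/bin/sh\n"})

if __name__ == "__main__":
    for kind, paths in audit_kit(REPO, KIT, {"configure"}).items():
        print(f"{kind:10} {paths}")
```

Files listed under `generated` are only name-matched against the allow-list; confirming them means regenerating them from the tagged sources and comparing the result.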