Subject: Re: Sourceware mitigating and preventing the next xz-backdoor
From: Jeffrey Walton via Gdb
Reply-To: noloader@gmail.com
To: Paul Koning
Cc: Guinevere Larsen, Sandra Loosemore, Mark Wielaard, overseers@sourceware.org, gcc@gcc.gnu.org, binutils@sourceware.org, gdb@sourceware.org, libc-alpha@sourceware.org
Date: Tue, 2 Apr 2024 20:37:25 -0400
In-Reply-To: <8FA2DDAB-E1BF-4DB8-B7DA-36D41281C1FA@comcast.net>
List-Id: Gdb mailing list

On Tue, Apr 2, 2024 at 7:35 PM Paul Koning via Gdb wrote:
> [...]
>
> I agree that GDB, and for that matter other projects with significant numbers of contributors, are not nearly as likely to be vulnerable to this sort of attack. But I worry that xz may not be the only project that's small enough to be vulnerable, and be security-relevant in not so obvious ways.

This cuts a lot deeper than folks think. Here are two other examples off the top of my head...

Other vulnerable projects include ncurses and libnettle. Ncurses is run by Thomas Dickey (https://invisible-island.net/). libnettle is run by Niels Möller (https://www.lysator.liu.se/~nisse/nettle/). Both are one-man shows with no continuity plans. Dickey does not even run a public version control system. You have to download his release tarballs, and there's no history to review or make pull requests against. If Dickey or Möller got hit by a bus crossing the street, there would be problems for years.

Jeff

> One question that comes to mind is whether there has been an effort across the open source community to identify possible other targets of such attacks. Contributions elsewhere by the suspect in this case are an obvious concern, but similar scenarios with different names could also be. That probably should be an ongoing activity: whenever some external component is used, it would be worth knowing how it is maintained, and how many eyeballs are involved. Even if this isn't done by everyone, it seems like a proper precaution for security-sensitive projects.
>
> Another question that comes to mind: I would guess that relevant law enforcement agencies are already looking into this, but it would seem appropriate for those closest to the attacked software to reach out explicitly and assist in any criminal investigations.
>
> paul
>