From: Jonathon Anderson via Gdb <gdb@sourceware.org>
To: Andreas Schwab <schwab@linux-m68k.org>
Cc: Michael Matz <matz@suse.de>, Martin Uecker <uecker@tugraz.at>,
Ian Lance Taylor <iant@golang.org>,
Paul Koning <paulkoning@comcast.net>,
Paul Eggert <eggert@cs.ucla.edu>,
Sandra Loosemore <sloosemore@baylibre.com>,
Mark Wielaard <mark@klomp.org>,
overseers@sourceware.org, gcc@gcc.gnu.org,
binutils@sourceware.org, gdb@sourceware.org,
libc-alpha@sourceware.org
Subject: Re: Sourceware mitigating and preventing the next xz-backdoor
Date: Tue, 9 Apr 2024 12:59:20 -0700 [thread overview]
Message-ID: <CAO_N0o2PfFdvwCLxqtszLi1ji=1Tr7k6F0Ec07teePz8YuyZQw@mail.gmail.com> (raw)
In-Reply-To: <87h6gazafa.fsf@igel.home>
On Tue, Apr 9, 2024, 10:57 Andreas Schwab <schwab@linux-m68k.org> wrote:
> On Apr 09 2024, anderson.jonathonm@gmail.com wrote:
>
> > - This xz backdoor injection unpacked attacker-controlled files and ran
> them during `configure`. Newer build systems implement a build abstraction
> (aka DSL) that acts similar to a sandbox and enforces rules (e.g. the only
> code run during `meson setup` is from `meson.build` files and CMake).
> Generally speaking the only way to disobey those rules is via an "escape"
> command (e.g. `run_command()`) of which there are few. This reduces the
> task of auditing the build scripts for sandbox-breaking malicious intent
> significantly, only the "escapes" need investigation and they which
> should(tm) be rare for well-behaved projects.
>
> Just like you can put your backdoor in *.m4 files, you can put them in
> *.cmake files.
CMake has its own sandbox and rules and escapes (granted, much more of
them). But regardless, the injection code would be committed to the
repository (point 2) and would not hold up to a source directory mounted
read-only (point 3).
If your build system is Meson, you can easily consider CMake code to be an
escape and give it a little more auditing attention. Or just avoid shipping
CMake scripts entirely, they are are rarely necessary.
-Jonathon
>
next prev parent reply other threads:[~2024-04-09 20:00 UTC|newest]
Thread overview: 59+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-29 20:39 Security warning about xz library compromise Mark Wielaard
2024-04-01 15:06 ` Sourceware mitigating and preventing the next xz-backdoor Mark Wielaard
2024-04-02 19:54 ` Sandra Loosemore
2024-04-02 20:03 ` Paul Eggert
2024-04-02 20:20 ` Paul Koning via Gdb
2024-04-02 20:28 ` Ian Lance Taylor via Gdb
2024-04-03 6:26 ` Martin Uecker via Gdb
2024-04-03 14:00 ` Michael Matz via Gdb
2024-04-03 14:14 ` Paul Koning via Gdb
2024-04-03 14:32 ` Martin Uecker via Gdb
2024-04-03 14:46 ` Jeffrey Walton via Gdb
2024-04-03 14:56 ` Stephen Webb via Gdb
2024-04-06 13:09 ` Andrew Haley
2024-04-03 16:02 ` Michael Matz via Gdb
2024-04-03 16:26 ` Joel Sherrill
2024-04-03 16:32 ` Martin Uecker via Gdb
2024-04-03 16:51 ` Andreas Schwab
2024-04-03 16:56 ` Jonathan Wakely via Gdb
2024-04-03 18:46 ` Jonathon Anderson via Gdb
2024-04-03 19:01 ` Martin Uecker via Gdb
2024-04-05 21:15 ` Andrew Sutton via Gdb
2024-04-06 13:00 ` Richard Biener via Gdb
2024-04-06 15:59 ` Martin Uecker via Gdb
2024-04-04 13:59 ` Michael Matz via Gdb
2024-04-09 16:44 ` anderson.jonathonm--- via Gdb
2024-04-09 17:57 ` Andreas Schwab
2024-04-09 19:59 ` Jonathon Anderson via Gdb [this message]
2024-04-09 20:11 ` Paul Koning via Gdb
2024-04-09 21:40 ` Jeffrey Walton via Gdb
2024-04-09 21:50 ` Paul Eggert
2024-04-09 21:58 ` Sam James via Gdb
2024-04-09 22:15 ` Paul Eggert
2024-04-09 22:22 ` Sam James via Gdb
2024-04-09 22:53 ` Paul Eggert
2024-04-09 22:03 ` Jonathon Anderson via Gdb
2024-04-09 22:10 ` Sam James via Gdb
2024-04-09 21:54 ` Jonathon Anderson via Gdb
2024-04-09 22:00 ` Sam James via Gdb
2024-04-10 14:09 ` Frank Ch. Eigler via Gdb
2024-04-10 18:47 ` Jonathon Anderson via Gdb
2024-04-10 19:00 ` Frank Ch. Eigler via Gdb
2024-04-10 10:26 ` Claudio Bantaloukas via Gdb
2024-04-02 22:08 ` Guinevere Larsen via Gdb
2024-04-02 22:50 ` Jeffrey Walton via Gdb
2024-04-02 23:20 ` Mark Wielaard
2024-04-02 23:34 ` Paul Koning via Gdb
2024-04-03 0:37 ` Jeffrey Walton via Gdb
2024-04-03 8:08 ` Florian Weimer via Gdb
2024-04-03 13:53 ` Joel Sherrill
2024-04-04 10:25 ` Mark Wielaard
2024-04-10 16:30 ` Alejandro Colomar via Gdb
2024-04-21 15:30 ` Mark Wielaard
2024-04-21 20:40 ` Alejandro Colomar via Gdb
2024-04-21 20:52 ` Alejandro Colomar via Gdb
2024-04-30 11:28 ` Alejandro Colomar via Gdb
2024-04-03 14:04 ` Tom Tromey
2024-04-03 14:42 ` Jeff Law via Gdb
2024-04-04 10:48 ` Mark Wielaard
2024-07-13 13:56 Trenton Davison via Gdb
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAO_N0o2PfFdvwCLxqtszLi1ji=1Tr7k6F0Ec07teePz8YuyZQw@mail.gmail.com' \
--to=gdb@sourceware.org \
--cc=anderson.jonathonm@gmail.com \
--cc=binutils@sourceware.org \
--cc=eggert@cs.ucla.edu \
--cc=gcc@gcc.gnu.org \
--cc=iant@golang.org \
--cc=libc-alpha@sourceware.org \
--cc=mark@klomp.org \
--cc=matz@suse.de \
--cc=overseers@sourceware.org \
--cc=paulkoning@comcast.net \
--cc=schwab@linux-m68k.org \
--cc=sloosemore@baylibre.com \
--cc=uecker@tugraz.at \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox