From: Jonathon Anderson via Gdb
Reply-To: Jonathon Anderson
Date: Tue, 9 Apr 2024 12:59:20 -0700
Subject: Re: Sourceware mitigating and preventing the next xz-backdoor
To: Andreas Schwab
Cc: Michael Matz, Martin Uecker, Ian Lance Taylor, Paul Koning, Paul Eggert, Sandra Loosemore, Mark Wielaard, overseers@sourceware.org, gcc@gcc.gnu.org, binutils@sourceware.org, gdb@sourceware.org, libc-alpha@sourceware.org

On Tue, Apr 9, 2024, 10:57 Andreas Schwab wrote:

> On Apr 09 2024, anderson.jonathonm@gmail.com wrote:
>
> > - This xz backdoor injection unpacked attacker-controlled files and ran
> > them during `configure`. Newer build systems implement a build abstraction
> > (aka DSL) that acts similar to a sandbox and enforces rules (e.g. the only
> > code run during `meson setup` is from `meson.build` files and CMake).
> > Generally speaking the only way to disobey those rules is via an "escape"
> > command (e.g. `run_command()`) of which there are few. This reduces the
> > task of auditing the build scripts for sandbox-breaking malicious intent
> > significantly, only the "escapes" need investigation and they
> > should(tm) be rare for well-behaved projects.
>
> Just like you can put your backdoor in *.m4 files, you can put them in
> *.cmake files.

CMake has its own sandbox and rules and escapes (granted, much more of them). But regardless, the injection code would be committed to the repository (point 2) and would not hold up to a source directory mounted read-only (point 3).

If your build system is Meson, you can easily consider CMake code to be an escape and give it a little more auditing attention. Or just avoid shipping CMake scripts entirely, they are rarely necessary.

-Jonathon
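
The audit this message describes, as an added example that is not part of the original message or of any project's tooling: a line-based scan that lists the Meson "escapes" in a source tree and treats every shipped CMake script as an escape needing review. Only `run_command()` is named in the thread; the other two patterns, the function names and the sample tree are assumptions made for this illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumption: these Meson constructs are treated as configure-time "escapes".
ESCAPES = {
    "run_command": re.compile(r"\brun_command\s*\("),
    "add_postconf_script": re.compile(r"\bmeson\.add_postconf_script\s*\("),
    "cmake_module": re.compile(r"\bimport\s*\(\s*'cmake'"),
}

def strip_comment(line):
    """Drop a trailing # comment; a '#' inside a single-quoted string stays."""
    in_str = False
    for i, ch in enumerate(line):
        if ch == "'" and (i == 0 or line[i - 1] != "\\"):
            in_str = not in_str
        elif ch == "#" and not in_str:
            return line[:i]
    return line

def audit_tree(root):
    """Return sorted (relative path, line number, kind) items needing review."""
    root, findings = Path(root), []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name == "meson.build":
            for no, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
                code = strip_comment(line)
                findings += [(rel, no, k) for k, rx in ESCAPES.items() if rx.search(code)]
        elif path.name == "CMakeLists.txt" or path.suffix == ".cmake":
            findings.append((rel, 0, "cmake_script"))  # whole file is an escape
    return sorted(findings)

def demo():
    """Audit a small constructed source tree (sample input, not a real project)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for d in ("sub", "cmake"):
            (root / d).mkdir()
        (root / "meson.build").write_text(
            "project('demo', 'c')  # issue #12\n"
            "# run_command('old', 'call') is commented out\n"
            "ver = run_command('git', 'describe', check: false)\n")
        (root / "sub" / "meson.build").write_text("cm = import('cmake')\n")
        (root / "cmake" / "FindFoo.cmake").write_text("set(FOO_FOUND TRUE)\n")
        return audit_tree(root)
```

Calling `audit_tree()` on an unpacked release tarball and on the matching repository checkout and comparing the two lists shows escapes that exist only in the tarball.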