From: Martin Uecker via Gdb
Reply-To: Martin Uecker
Subject: Re: Sourceware mitigating and preventing the next xz-backdoor
To: Richard Biener, Andrew Sutton
CC: Jonathon Anderson, Michael Matz, Ian Lance Taylor, Paul Koning, Paul Eggert, Sandra Loosemore, Mark Wielaard
Date: Sat, 6 Apr 2024 17:59:34 +0200
List-Id: Gdb mailing list

On Saturday, 06.04.2024 at 15:00 +0200, Richard Biener wrote:
> On Fri, Apr 5, 2024 at 11:18 PM Andrew Sutton via Gcc wrote:
> >
> > > > I think the key difference here is that Autotools allows arbitrarily
> > > > generated code to be executed at any time. More modern build systems
> > > > require the use of specific commands/files to run arbitrary code, e.g.
> > > > CMake (IIRC [`execute_process()`][2] and [`ExternalProject`][3]), Meson
> > > > ([`run_command()`][1]), Cargo ([`build.rs`][4]).\
> > >
> > > To me it seems that Cargo is the absolute worst case with respect to
> > > supply chain attacks.
> > >
> > > It pulls in dependencies recursively from a relatively uncurated
> > > list of projects, puts the source of all those dependencies into a
> > > hidden directory in home, and runs Build.rs automatically with
> > > user permissions.
> > >
> >
> > 100% this. Wait until you learn how proc macros work.
>
> proc macro execution should be heavily sandboxed, otherwise it seems
> compiling something is enough to get arbitrary code executed with the
> permission of the compiling user. I mean it's not rocket science - browsers
> do this for javascript.

Hmm, we need a webassembly target ;) This would be useful anyhow.

And locking down the compiler using landlock to only access specified
files / directories would also be nice in general.

Martin
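
An added example, not part of the original message or of Cargo itself, for the point raised in the thread that `build.rs` scripts and proc macros run on the build host with the user's permissions: it reads the JSON document produced by `cargo metadata --format-version 1` and lists every package with a `custom-build` or `proc-macro` target, third-party code first. The sample document and its crate names are constructed.

```python
import json

# Constructed sample, trimmed to the fields used here, in the shape printed by
# `cargo metadata --format-version 1`. All crate names are hypothetical.
SAMPLE = json.loads("""
{
 "workspace_members": ["example-app 0.1.0 (path+file:///src/example-app)"],
 "packages": [
  {"name": "example-app", "version": "0.1.0", "source": null,
   "id": "example-app 0.1.0 (path+file:///src/example-app)",
   "targets": [{"kind": ["bin"], "name": "example-app"},
               {"kind": ["custom-build"], "name": "build-script-build"}]},
  {"name": "example-derive", "version": "1.2.0",
   "source": "registry+https://github.com/rust-lang/crates.io-index",
   "id": "example-derive 1.2.0 (registry)",
   "targets": [{"kind": ["proc-macro"], "name": "example_derive"}]},
  {"name": "example-sys", "version": "0.3.1",
   "source": "registry+https://github.com/rust-lang/crates.io-index",
   "id": "example-sys 0.3.1 (registry)",
   "targets": [{"kind": ["lib"], "name": "example_sys"},
               {"kind": ["custom-build"], "name": "build-script-build"}]},
  {"name": "example-util", "version": "2.0.0",
   "source": "registry+https://github.com/rust-lang/crates.io-index",
   "id": "example-util 2.0.0 (registry)",
   "targets": [{"kind": ["lib"], "name": "example_util"}]}
 ]
}
""")

# Target kinds that Cargo compiles and then executes on the build host.
EXECUTING_KINDS = {"custom-build": "build script", "proc-macro": "proc macro"}


def build_time_code(metadata):
    """Return (name, version, origin, reasons) for packages that run at build time."""
    members = set(metadata.get("workspace_members", []))
    findings = []
    for pkg in metadata.get("packages", []):
        kinds = {k for t in pkg.get("targets", []) for k in t.get("kind", [])}
        reasons = sorted(EXECUTING_KINDS[k] for k in kinds if k in EXECUTING_KINDS)
        if reasons:
            origin = "workspace" if pkg["id"] in members else (pkg.get("source") or "local path")
            findings.append((pkg["name"], pkg["version"], origin, reasons))
    # Third-party packages first: that is the code the workspace authors did not write.
    return sorted(findings, key=lambda f: (f[2] == "workspace", f[0]))


if __name__ == "__main__":
    for name, version, origin, reasons in build_time_code(SAMPLE):
        print(f"{name} {version} [{origin}]: {', '.join(reasons)}")
```

On a real project, load the output of `cargo metadata --format-version 1` with `json.load` and pass it to `build_time_code` in place of `SAMPLE`.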