Sourceware mitigating and preventing the next xz-backdoor
Martin Uecker
muecker@gwdg.de
Sat Apr 6 15:59:34 GMT 2024
On Saturday, 06.04.2024 at 15:00 +0200, Richard Biener wrote:
> On Fri, Apr 5, 2024 at 11:18 PM Andrew Sutton via Gcc <gcc@gcc.gnu.org> wrote:
> >
> > >
> > > > I think the key difference here is that Autotools allows arbitrarily
> > > generated code to be executed at any time. More modern build systems
> > > require the use of specific commands/files to run arbitrary code, e.g.
> > > CMake (IIRC [`execute_process()`][2] and [`ExternalProject`][3]), Meson
> > > ([`run_command()`][1]), Cargo ([`build.rs`][4]).
> > >
> > > To me it seems that Cargo is the absolute worst case with respect to
> > > supply chain attacks.
> > >
> > > It pulls in dependencies recursively from a relatively uncurated
> > > list of projects, puts the source of all those dependencies into a
> > > hidden directory in home, and runs Build.rs automatically with
> > > user permissions.
> > >
> >
> > 100% this. Wait until you learn how proc macros work.
>
> proc macro execution should be heavily sandboxed, otherwise it seems
> compiling something is enough to get arbitrary code executed with the
> permission of the compiling user. I mean it's not rocket science - browsers
> do this for javascript. Hmm, we need a webassembly target ;)
This would be useful anyhow.
And locking down the compiler using landlock to only access specified
files / directories would also be nice in general.
Martin