bug-standards
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: GNU Coding Standards, automake, and the recent xz-utils backdoor

From: Jacob Bachmeyer
Subject: Re: GNU Coding Standards, automake, and the recent xz-utils backdoor
Date: Sun, 31 Mar 2024 21:54:04 -0500
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1.22) Gecko/20090807 MultiZilla/1.8.3.4e SeaMonkey/1.1.17 Mnenhy/0.7.6.0 
Eric Gallager wrote:

On Sun, Mar 31, 2024 at 3:20 AM Jacob Bachmeyer <jcb62281@gmail.com> wrote:

dherring@tentpost.com wrote:

[...]

The issue seems to be releases containing binary data for unit tests,
instead of source or scripts to generate that data.  In this case, that
binary data was used to smuggle in heavily obfuscated object code.

[...]


Maybe this is something that the GNU project could start making
stronger recommendations about.
The key issue seems to be generating binary test data during `make` or `make check`, using GNU poke, GNU Awk, Perl, Tcl, small C programs, or something else, instead of packaging it in the release. The xz-utils backdoor was smuggled into the repository wrapped in compressed test data. 


With a reproducible build system, multiple maintainers can "make dist"
and compare the output to cross-check for erroneous / malicious dist
environments.  Multiple signatures should be harder to compromise,
assuming each is independent and generally trustworthy.

This can only work if a package /has/ multiple active maintainers.


Well, other people besides the maintainers can also run `make dist`
and `make distcheck`. My idea was to get end-users in the habit of
running `make distcheck` themselves before installing stuff. And if
that's too much to ask of end users, I'd also point out that there are
multiple kinds of maintainer: besides the upstream maintainer, there
are also usually separate distro maintainers. Even if there's only 1
upstream maintainer, as was the case here, I still think that it would
be good to get distro maintainers in the habit of including `make
distcheck` as part of their own release process, before they accept
updates from upstream.
The problem with that is that `make distcheck` only verifies that the working tree can produce a reasonable release tarball. The backdoored xz-utils releases *would* *have* *passed* *this* *test* as far as I can determine. It catches errors like omitting files from the lists in Makefile.am. It will *not* catch a modified m4 file or questionable test data that has been properly listed as part of the release. 


Maybe GNU should establish a cross-verification signing standard and
"dist verification service" that automates this process?  Point it to
a repo and tag, request a signed hash of the dist package...  Then
downstream projects could check package signatures from both the
maintainer and such third-party verifiers to check that nothing was
inserted outside of version control.

Essentially, this would be an automated release building service:  upon
request, make a Git checkout, run autogen.sh or equivalent, make dist,
and publish or hash the result.  The problem is that an attacker who
manages to gain commit access to a repository may be able to launch
attacks on the release building service, since "make dist" can run
scripts.  The service could probably mount the working filesystem noexec
since preparing source releases should not require running (non-system)
binaries and scripts can be run by directly feeding them into their
interpreters even if the filesystem is mounted noexec, but this still
leaves all available interpreters and system tools potentially available.


Well, it'd at least make things more difficult for the attacker, even
if it wouldn't stop them completely.
Actually, no, it would open a *new* target for attackers---the release building service itself. Mounting the scratchpad noexec would help to complicate attacks on that service, but right now there is *no* central point for an attacker to hit to compromise releases. If a central release building service were set up, it would be a target, and an attacker able to arrange a persistent compromise of the service could then tamper with later releases as they are built. This should be fairly easy to catch, if an honest maintainer has a secure environment, ("Why the **** does the central release service tarball not match mine? And what the ******** is the extra code in this diff between its tarball and mine!?") but there is a risk that, especially for large projects, maintainers start relying on the central release service instead of building their own tarballs.
The problem here was not a maintainer with a compromised system---it seems that "Jia Tan" was a malefactor's sock puppet from the start. 


-- Jacob
reply via email to
[Prev in Thread] Current Thread [Next in Thread]