Free software's not-so-eXZellent adventure
Free software's not-so-eXZellent adventure
Posted Apr 2, 2024 22:06 UTC (Tue) by AlecTavi (guest, #86342)Parent article: Free software's not-so-eXZellent adventure
This was particularly clever subterfuge. I read the linked commit diff on my phone, and missed how this disabled Landlock. I even copied the C source to check if there was some typo in a syscall I didn't notice from memory. Still, everything compiled and looked legitimate.
If others miss it too, there's a stray period in the diff. My eyes skipped right over it. When I deleted the diff formatting from the code, I removed the period and had a legitimate C file.
Posted Apr 2, 2024 23:07 UTC (Tue)
by rrolls (subscriber, #151126)
[Link] (4 responses)
What I'm curious about is: why does a file with a syntax error in it cause something to get silently disabled, rather than failing the build?
Posted Apr 2, 2024 23:32 UTC (Tue)
by viro (subscriber, #7872)
[Link]
Look through the autoconf tests done on some build...
Posted Apr 2, 2024 23:33 UTC (Tue)
by mjg59 (subscriber, #23239)
[Link]
Posted Apr 2, 2024 23:47 UTC (Tue)
by hmanning77 (subscriber, #160992)
[Link] (1 responses)
The issue is that there are apparently cases where the only reliable way to detect the presence or absence of a feature is to try to compile it. When the check fails in a single environment there is no automatic way to know whether the code failed to compile on that machine, or could never have compiled at all. The issue tracker discussion immediately dismisses the general problem as impossible to solve, and diverts to catching the easiest avenues for abuse.
I don't have any better ideas to offer though. I'm assuming it isn't feasible to say, "security features should be enabled by default as best practice and never automatically disabled". The root cause is that discovering available features is hard; could that be improved?
Posted Apr 7, 2024 16:12 UTC (Sun)
by mathstuf (subscriber, #69389)
[Link]
Yes, detecting the environment and changing behavior based on its state is an anti-pattern in my mind. This generally means that one should have things be on or off rather than "see if available and enable it if so". *Defaults* for things might make sense behind `--enable-sandboxing-features` so that packaging systems can use the same `configure` command line across multiple versions (with fine-grained disabling where necessary).
My main concern is that the same command line can result in vastly different builds just because some dependency was not made appropriately discoverable at the right time and you end up with a "box of chocolates"[1] build.
There *are* some exceptions to this:
- polyfills for basic platform APIs in order to get compatible behaviors (e.g., libcurl's detection of `send` argument qualifiers to avoid warnings)
Of course, one can also just memoize this information (`libuv` does this) and use the preprocessor to detect feature support with version checks.
Posted Apr 2, 2024 23:51 UTC (Tue)
by excors (subscriber, #95769)
[Link] (2 responses)
Posted Apr 3, 2024 5:48 UTC (Wed)
by chris_se (subscriber, #99706)
[Link]
One possibility could be that the original plan was to perform various changes that themselves were very innocuous-looking over a longer period of time, and that the end goal was to also backdoor the CMake build. (Maybe in a different manner, because the CMake build is used more in conjunction with vendor-distributed software, e.g. via conan, vcpkg, etc.) But that for some reason the timeline moved up and they had to pull the trigger early. (It has already been speculated that the systemd change to use dlopen() in the future may have forced the hand.) Or their intention was to also break the autotools variant, and they simply messed up by forgetting to add the dot to that check accidentally.
But unless the culprit(s) come(s) forward, we'll probably never know the reasoning behind it.
> (Or maybe it really was just a fat-finger; malicious people can still make innocent mistakes.)
Or this. Since they put in so much effort to actually seem legitimate as part of the social engineering, this may have also been an attempt to simply fix a legitimate issue properly that went wrong accidentally.
People have gone through all commits by the same author, and they have found a lot of things that with hindsight could be seen as malicious, but for some of these we'll probably never know whether they were very clever in attempting to introduce very subtle bugs, or they simple made honest mistakes and those commits were actually intended to just be part of the social engineering aspect to seem legitimate.
That said, since they have been shown to be an adversary, we should consider all subtle bugs to be of malicious intent out of an abundance of caution, even if on a philosophical level we'll probably never know the actual truth of that.
Posted Apr 3, 2024 15:42 UTC (Wed)
by draco (subscriber, #1792)
[Link]
Easier to explain away one typo than two…
Free software's not-so-eXZellent adventure
Free software's not-so-eXZellent adventure
defined in foo.h or is it in foo/bar.h"?
Free software's not-so-eXZellent adventure
Free software's not-so-eXZellent adventure
Free software's not-so-eXZellent adventure
- platform knowledge (e.g., never check Landlock on Windows)
Free software's not-so-eXZellent adventure
Free software's not-so-eXZellent adventure
Free software's not-so-eXZellent adventure