[tcpdump-workers] Re: openwrt Conclusions from CVE-2024-3094 (libxz disaster)

[Denis Ovsienko]

On Mon, 01 Apr 2024 09:53:38 -0400
Michael Richardson  wrote:

> The entire openwrt thread is at:
> https://lists.openwrt.org/pipermail/openwrt-devel/2024-March/042499.html
> continuing at:
> https://lists.openwrt.org/pipermail/openwrt-devel/2024-April/042521.html
> 
> 
> Daniel Golle  wrote:
> > However, after reading up about the details of this backdoored
> > release tarball, I believe that the current tendency to use
> > tarballs rather than (reproducible!) git checkouts is also
> > problematic to begin with.  
> 
> > Stuff like 'make dist' seems like a weird relic nowadays,
> > creates more problems than it could potentially solve,
> > bandwidth is ubiquitous, and we already got our own tarball
> > mirror of git checkouts done by the buildbots (see
> > PKG_MIRROR_HASH). So why not **always** use that instead of
> > potentially shady and hard to verify tarballs?  
> I wonder if we should nuke our own make tarball system.

The short answer is "no".  Before I go into detail, please try not to
take the following comments personally, but to focus on the problem.
The problem seems to be a bit bigger than this project, so this in part
preemptively addresses arguments you did not make, but other people did
in other similar arguments about the same matter.

First of all, the root cause is not a technical problem: a widely used
software project got compromised, on this occasion a developer was the
attack vector.  Some people feel more angry or scared about it than
usual (this is neither the first nor the last nor the biggest incident
of this kind, truth be told) and I sympathise with these temporary
emotions.  However, I do not sympathise with the widespread urge to
demonstrate control over the situation by any means or to vent the
frustration right now at... something... anything really, does not
matter, whatever happens to be in plain sight right now.

Likewise, the proposed move would not be a technical solution, or a
solution at all.  It would scratch a momentary emotional itch today
with no regard to the technical lessons learned yesterday and technical
problems to be solved tomorrow.  Let's try to apply a bit of critical
thinking to the matter:

* Speaking of Autoconf imperfections, please note that CMake has been
  available for several years.  That said, CMake project definitions
  are not immune to being used as a delivery vehicle for an exploit
  into an open source project.  CMake executables are not immune to
  being compromised.  make (whether GNU or not) is not immune.  The
  compiler is not immune.  The linker is not immune.  The libc is not
  immune.  The OS is not immune.  And (now we are getting to the
  difficult part) neither hardware nor VM hypervisors are immune to
  being compromised.  Let's leave Autoconf in peace, it is not the root
  cause.

* Speaking of imperfections of published signed tarballs, please note
  that the public git repositories have been available for many years.
  That said, a git repository is not immune to being used as a delivery
  vehicle for an exploit into an open source project.  Just labelling
  something with "stored securely in git" does not automatically
  eliminate the threat.  For the avoidance of doubt, git as a piece of
  software is not immune to being compromised.  And online services that
  host git repositories are not immune either.

  Considering the problem of getting the source code by some means, the
  only way to guarantee having the exact actual source code is actually
  to have the exact actual source code.  Which in git parlance means
  actually having a local git clone that (possibly among many other
  things) includes the very specific revision of interest, which
  overshoots the problem space massively.  If you look at kernel.org
  and compare downloading of a tarball of a specific kernel version to
  cloning a repository (which? how deep?) and identifying the correct
  tag, the difference should be obvious.  These two solutions address
  two different problems, neither is the root cause and neither is
  immune to being compromised.

  To demonstrate the difference between the two solution spaces further,
  git repositories by design do not store file modification times or
  permissions other than the executable bit, so in practice two
  identical, as far as git is concerned, clones tend to be different,
  as far as "ls -lR" is concerned.  Let's leave signed tarballs in
  peace.

  There is a valid concern of whether a tarball is a close enough
  result of "make releasetar" for the respective git tag.  Let's not
  guess, let's prove it.  Would anybody like to implement a script that
  would compare the contents of https://www.tcpdump.org/release/ with
  the git repositories?

* The "all git repositories are already available" argument does not
  hold, for example, when one starts with a fresh install of NetBSD
  with just make, cc and a tarball of pkgsrc release.  Before you can
  use git, 

[tcpdump-workers] Re: openwrt Conclusions from CVE-2024-3094 (libxz disaster)

[Bill Fenner]

On Mon, Apr 1, 2024 at 11:06 AM Michael Richardson  wrote:

>
> Bill Fenner  wrote:
> > mcr suggested:
> >> I wonder if we should nuke our own make tarball system.
>
> > The creation of a tarball and its signature gives a place to hang
> one's hat
> > about origin of code - "someone with the right key claims that this
> tarball
> > genuinely reflects what the project wants to distribute".  Is there a
> > similar mechanism for a git tag?
>
> Yes, git tag -s, lets you sign a commit with a PGP key.
>

Just trying to brainstorm about how this fits with build systems like
Arista's, where we store the tarball and check the signature at build time
- I suppose it just turns into "vendor the git tag into a local repo and
check the signature at build time".

I have no objection to either requiring people to have autotools, or going
cmake-only.  (I mean, I personally find cmake hard to use, but that
shouldn't influence what the project does.)

  Bill
___
tcpdump-workers mailing list -- tcpdump-workers@lists.tcpdump.org
To unsubscribe send an email to tcpdump-workers-le...@lists.tcpdump.org
%(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s

[tcpdump-workers] Re: openwrt Conclusions from CVE-2024-3094 (libxz disaster)

[Michael Richardson]

Guy Harris  wrote:
> If so, do we
> 1) require people to have autotools installed and run ./autogen.sh
> or
> 2) generate the configure scripts on some standard platform and check it 
in

3) stop using autoconf, cmake only.



___
tcpdump-workers mailing list -- tcpdump-workers@lists.tcpdump.org
To unsubscribe send an email to tcpdump-workers-le...@lists.tcpdump.org
%(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s

[tcpdump-workers] Re: openwrt Conclusions from CVE-2024-3094 (libxz disaster)

[Francois-Xavier Le Bail via tcpdump-workers]

--- Begin Message ---
On 01/04/2024 20:18, Guy Harris wrote:
> On Apr 1, 2024, at 6:53 AM, Michael Richardson  wrote:
> 
>> I wonder if we should nuke our own make tarball system.
> 
> I.e., replace:
> 
>   to get {libpcap,tcpdump,tcpslice} version X.Y.Z, download 
> {libpcap,tcpdump,tcpslice}-X.Y.Z.tar.{compression-suffix}
> 
> with
> 
>   to get {libpcap,tcpdump,tcpslice} version X.Y.Z, do
> 
>   git clone {repository}
> 
>   and then check out Git tag {libpcap,tcpdump,tcpslice}-X.Y.Z?
> 
> If so, do we
> 
>   1) require people to have autotools installed and run ./autogen.sh

I vote for 1).

--- End Message ---
___
tcpdump-workers mailing list -- tcpdump-workers@lists.tcpdump.org
To unsubscribe send an email to tcpdump-workers-le...@lists.tcpdump.org
%(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s

[tcpdump-workers] Re: openwrt Conclusions from CVE-2024-3094 (libxz disaster)

[Guy Harris]

On Apr 1, 2024, at 6:53 AM, Michael Richardson  wrote:

> I wonder if we should nuke our own make tarball system.

I.e., replace:

to get {libpcap,tcpdump,tcpslice} version X.Y.Z, download 
{libpcap,tcpdump,tcpslice}-X.Y.Z.tar.{compression-suffix}

with

to get {libpcap,tcpdump,tcpslice} version X.Y.Z, do

git clone {repository}

and then check out Git tag {libpcap,tcpdump,tcpslice}-X.Y.Z?

If so, do we

1) require people to have autotools installed and run ./autogen.sh

or

2) generate the configure scripts on some standard platform and check 
it in

so that they have a configure script?  Or is there some other way to arrange 
that people can get the configure scripts?
___
tcpdump-workers mailing list -- tcpdump-workers@lists.tcpdump.org
To unsubscribe send an email to tcpdump-workers-le...@lists.tcpdump.org
%(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s

[tcpdump-workers] Re: openwrt Conclusions from CVE-2024-3094 (libxz disaster)

[Michael Richardson]

Bill Fenner  wrote:
> mcr suggested:
>> I wonder if we should nuke our own make tarball system.

> The creation of a tarball and its signature gives a place to hang one's 
hat
> about origin of code - "someone with the right key claims that this 
tarball
> genuinely reflects what the project wants to distribute".  Is there a
> similar mechanism for a git tag?

Yes, git tag -s, lets you sign a commit with a PGP key.



___
tcpdump-workers mailing list -- tcpdump-workers@lists.tcpdump.org
To unsubscribe send an email to tcpdump-workers-le...@lists.tcpdump.org
%(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s

[tcpdump-workers] Re: openwrt Conclusions from CVE-2024-3094 (libxz disaster)

[Bill Fenner]

mcr suggested:
> I wonder if we should nuke our own make tarball system.

The creation of a tarball and its signature gives a place to hang one's hat
about origin of code - "someone with the right key claims that this tarball
genuinely reflects what the project wants to distribute".  Is there a
similar mechanism for a git tag?

  Bill
___
tcpdump-workers mailing list -- tcpdump-workers@lists.tcpdump.org
To unsubscribe send an email to tcpdump-workers-le...@lists.tcpdump.org
%(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s

[tcpdump-workers] openwrt Conclusions from CVE-2024-3094 (libxz disaster)

[Michael Richardson]

The entire openwrt thread is at:
https://lists.openwrt.org/pipermail/openwrt-devel/2024-March/042499.html
continuing at:
https://lists.openwrt.org/pipermail/openwrt-devel/2024-April/042521.html


Daniel Golle  wrote:
> However, after reading up about the details of this backdoored release
> tarball, I believe that the current tendency to use tarballs rather
> than (reproducible!) git checkouts is also problematic to begin with.

> Stuff like 'make dist' seems like a weird relic nowadays, creates more
> problems than it could potentially solve, bandwidth is ubiquitous, and
> we already got our own tarball mirror of git checkouts done by the
> buildbots (see PKG_MIRROR_HASH). So why not **always** use that
> instead of potentially shady and hard to verify tarballs?

I wonder if we should nuke our own make tarball system.

--
]   Never tell me the odds! | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works|IoT architect   [
] m...@sandelman.ca  http://www.sandelman.ca/|   ruby on rails[

___
tcpdump-workers mailing list -- tcpdump-workers@lists.tcpdump.org
To unsubscribe send an email to tcpdump-workers-le...@lists.tcpdump.org
%(web_page_url)slistinfo%(cgiext)s/%(_internal_name)s