Conclusions from CVE-2024-3094 (libxz disaster)
Andre Heider
a.heider at gmail.com
Wed Apr 3 03:34:01 PDT 2024
On 03/04/2024 2:11 am, Daniel Golle wrote:
> ... and that crazy m4 script had to be noticed. As a diff one would ask:
> Why was that change necessary?
While I agree with most of your points, I couldn't disagree more with
the "had to be noticed" part :P
I occasionally skim over treewide diffs. When I do, and there are like
(exaggerating to illustrate my point) tens of thousands of lines of
autohell crap in there, I skip that eye cancer part for sanity reasons.
So in that regard, the buildsystem part of this backdoor was a smart
choice. The chances of anybody looking closely at that are tiny. You
would need another reason to get that masochistic. And that is what
happened here: the bad actor dared to slow down postgresql.
This disaster exposes multiple problems. In my mind, autotools is one of
them. But this isn't supposed to be yet another "X or Y is better than
autotools" argument; my point is that the sheer amount of bundled build
system code enlarges the attack surface by a significant degree. The
chances of spotting the equivalent in e.g. a meson.build or
CMakeLists.txt file are way higher.
Cheers,
Andre
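One practical way to act on the point above (reviewers skipping large build-system churn) is to triage a diff before reading it: measure how much of it lands in autotools boilerplate versus real source, and flag submissions where build-system lines dominate so they get a dedicated review pass instead of being skimmed. The script below is an added example, not code from this post or from the OpenWrt project. The list of "build-system" path patterns is an assumption chosen for illustration (it covers the usual autotools artefacts), the threshold of 50% is arbitrary, and the unified diff it parses is constructed inline with placeholder file names, not taken from the xz repository.

```python
"""Triage a unified diff by how much of its churn is autotools/build-system code.

Added example: classifies each changed file as build-system or source, counts
added/removed lines per category, and flags diffs where build-system churn
exceeds a review threshold. Path patterns and threshold are assumptions.
"""
import re
from collections import Counter

# Assumed set of autotools / bundled build-system artefacts (illustrative, not exhaustive).
BUILD_SYSTEM_PATTERNS = [
    r"(^|/)configure$",
    r"(^|/)configure\.ac$",
    r"(^|/)aclocal\.m4$",
    r"\.m4$",
    r"(^|/)Makefile\.(am|in)$",
    r"(^|/)build-aux/",
    r"(^|/)config\.(guess|sub|status)$",
    r"(^|/)ltmain\.sh$",
    r"(^|/)libtool$",
]

# Constructed sample diff with placeholder paths (not a real project change).
SAMPLE_DIFF = """\
diff --git a/m4/example-macro.m4 b/m4/example-macro.m4
--- a/m4/example-macro.m4
+++ b/m4/example-macro.m4
@@ -1,2 +1,5 @@
 dnl existing macro
 AC_DEFUN([gl_EXISTING], [])
+dnl added lines (constructed, no real macro content)
+AC_DEFUN([gl_ADDED], [
+])
diff --git a/configure b/configure
--- a/configure
+++ b/configure
@@ -10,3 +10,5 @@
 # generated script
-old_line_1
-old_line_2
+new_line_1
+new_line_2
+new_line_3
+new_line_4
diff --git a/src/example.c b/src/example.c
--- a/src/example.c
+++ b/src/example.c
@@ -5,4 +5,4 @@
 int f(void)
 {
-    return 0;
+    return 1;
 }
"""


def classify_path(path):
    """Return 'build-system' if the path matches an assumed autotools pattern, else 'source'."""
    return "build-system" if any(re.search(p, path) for p in BUILD_SYSTEM_PATTERNS) else "source"


def churn_by_category(diff_text):
    """Count added and removed lines per category across a unified diff.

    File headers ('---'/'+++') are only skipped while inside the per-file
    header, i.e. between 'diff --git' and the first '@@' hunk marker, so a
    removed line whose content happens to start with '--' is still counted.
    """
    counts = Counter()
    category = None
    in_header = False
    for line in diff_text.splitlines():
        if line.startswith("diff --git "):
            new_path = line.split()[-1]            # the "b/<path>" side
            if new_path.startswith("b/"):
                new_path = new_path[2:]
            category = classify_path(new_path)
            in_header = True
        elif line.startswith("@@"):
            in_header = False
        elif in_header or category is None:
            continue
        elif line.startswith("+") or line.startswith("-"):
            counts[category] += 1
    return counts


def review_hint(diff_text, threshold=0.5):
    """Summarise churn and flag the diff when build-system lines reach the threshold share."""
    counts = churn_by_category(diff_text)
    total = sum(counts.values())
    share = counts["build-system"] / total if total else 0.0
    return {
        "total": total,
        "build_system": counts["build-system"],
        "source": counts["source"],
        "share": share,
        "flag": share >= threshold,
    }


if __name__ == "__main__":
    hint = review_hint(SAMPLE_DIFF)
    print(f"{hint['build_system']}/{hint['total']} changed lines are build-system "
          f"({hint['share']:.0%}); needs dedicated build-system review: {hint['flag']}")
```

Run it against `git diff upstream/v1 upstream/v2` output (or a diff between two release tarballs, which is where generated `configure` churn usually shows up) and route flagged diffs to a reviewer who will read the m4 and `configure` changes rather than skip them. A companion check worth pairing with this is regenerating the autotools output from `configure.ac` and diffing it against the shipped files, so that bundled generated code is not trusted on sight.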