Security lessons from liblzma

From: Bruce Momjian <bruce(at)momjian(dot)us>
To: PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Security lessons from liblzma
Date: 2024-03-29 22:37:24
Message-ID: ZgdCpFThi9ODcCsJ@momjian.us
Lists: pgsql-hackers

You might have seen reports today about a very complex exploit added to
recent versions of liblzma. Fortunately, it was only enabled two months
ago and has not been pushed to most stable operating systems like Debian
and Ubuntu. The original detection report is:

https://www.openwall.com/lists/oss-security/2024/03/29/4

And this ycombinator discussion has details:

https://news.ycombinator.com/item?id=39865810

It looks like an earlier commit with a binary blob "test data"
contained the bulk of the backdoor, then the configure script
enabled it, and then later commits patched up valgrind errors
caused by the backdoor. See the commit links in the "Compromised
Repository" section.

And I think the configure came in through the autoconf output file
'configure', not configure.ac:

This is my main take-away from this. We must stop using upstream
configure and other "binary" scripts. Delete them all and run
"autoreconf -fi" to recreate them. (Debian already does something
like this I think.)

Now, we don't take pull requests, and all our committers are known
individuals, but this might have cautionary lessons for us.

--
Bruce Momjian <bruce(at)momjian(dot)us> https://momjian.us
EDB https://enterprisedb.com

Only you can decide what is important to you.
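The "delete the generated scripts and rerun autoreconf -fi" step from the mail above, written out as an added shell example; it is not code from the message or from PostgreSQL's tree, and the list of generated file names is the usual autoconf/automake/libtool output, so which of them a given tarball ships is an assumption.

```shell
#!/bin/sh
# Added example (not from the mail or from PostgreSQL): inventory the
# autotools-generated files in a source tree, remove them, and rebuild them
# from configure.ac with "autoreconf -fi". GENERATED is the usual
# autoconf/automake/libtool output; what a given tarball ships is an assumption.
set -eu

GENERATED="configure aclocal.m4 config.h.in ltmain.sh config.guess \
config.sub install-sh missing depcomp compile ar-lib m4/libtool.m4 \
m4/ltoptions.m4 m4/ltsugar.m4 m4/ltversion.m4 m4/lt~obsolete.m4"

# Print every generated artifact found under $1, one path per line.
# Makefile.in can live in any subdirectory, so find locates it; the rest
# sit at fixed top-level or m4/ locations.
list_generated() {
    dir=$1
    {
        find "$dir" -name Makefile.in
        for name in $GENERATED; do
            if [ -e "$dir/$name" ]; then printf '%s\n' "$dir/$name"; fi
        done
    } | sort
}

# Remove the shipped artifacts and regenerate them from the maintained
# sources. Returns 2 when autoreconf is missing, so a caller can tell that
# apart from a failed regeneration.
regenerate() {
    dir=$1
    command -v autoreconf >/dev/null 2>&1 || { echo "autoreconf not found" >&2; return 2; }
    list_generated "$dir" | while IFS= read -r f; do rm -f "$f"; done
    (cd "$dir" && autoreconf -fi)
}

# Regenerate in a scratch copy and compare the shipped configure with the
# rebuilt one: 0 if identical, 1 if they differ (first 40 diff lines are
# printed for review), 2 if autoreconf is unavailable.
check_shipped_configure() {
    dir=$1
    work=$(mktemp -d)
    cp -R "$dir/." "$work"
    if ! regenerate "$work" >/dev/null 2>&1; then rm -rf "$work"; return 2; fi
    if cmp -s "$dir/configure" "$work/configure"; then rm -rf "$work"; return 0; fi
    diff -u "$dir/configure" "$work/configure" | head -n 40
    rm -rf "$work"
    return 1
}
```

A shipped and a regenerated configure legitimately differ whenever the local autoconf version is not the maintainer's, so a non-empty diff is something to read, not proof of tampering.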
