Re: Security lessons from liblzma

From: Bruce Momjian <bruce(at)momjian(dot)us>
To: Robert Haas <robertmhaas(at)gmail(dot)com>
Cc: Andres Freund <andres(at)anarazel(dot)de>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Security lessons from liblzma
Date: 2024-03-30 23:22:28
Message-ID: ZgietJVre4eR8vJb@momjian.us
Lists: pgsql-hackers

On Sat, Mar 30, 2024 at 04:50:26PM -0400, Robert Haas wrote:
> On Fri, Mar 29, 2024 at 7:00 PM Andres Freund <andres(at)anarazel(dot)de> wrote:
> > I am doubtful that every committer would find something sneaky hidden in
> > e.g. one of the test changes in a large commit. It's not too hard to hide
> > something sneaky. In comparison to that hiding something in configure.ac seems
> > less likely to succeed IMO, that imo tends to be more scrutinized. And hiding
> > just in configure directly wouldn't get you far, it'd just get removed when
> > the committer or some other committer at a later time, regenerates configure.
>
> I agree with this. If I were trying to get away with a malicious
> commit, I'd look for files that other people would be unlikely to
> examine closely, or would have difficulty examining closely. Test data
> or test scripts seem like great possibilities. And I also would like
> it to be part of some relatively large commit that is annoying to read
> through visually. We don't have a lot of binary format files in the
> tree, which is good, but there's probably some things like Unicode
> tables and ECPG expected output files that very, very few people ever
> actually examine. If we had a file in the tree that looked based on
> the name like an expected output file for a test, but there was no
> corresponding test, how many of us would notice that? How many of us
> would scrutinize it? Imagine hiding something bad in the middle of
> that file somewhere.

So, in this case, the hooks were in 'configure', but not configure.ac,
and the exploit was in a test file which was in the tarball but _not_ in
the git tree. So, they used the obfuscation of 'configure's syntax, and
the lack of git oversight by not putting the test files in the git tree.

--
Bruce Momjian <bruce(at)momjian(dot)us> https://momjian.us
EDB https://enterprisedb.com

Only you can decide what is important to you.
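The two gaps Bruce names above (hooks in generated `configure` rather than `configure.ac`, and a test file present in the tarball but absent from git) can both be caught mechanically at release time. The script below is an added example, not code from this thread, from PostgreSQL, or from the xz project: it flags files a tarball ships that the git tree does not track (beyond an allow-list of files the release process is expected to generate), and lines in the shipped `configure` that a fresh regeneration from `configure.ac` does not produce. All file lists and `configure` contents are constructed sample data; the helper functions `git_files`, `tarball_files`, `shipped_configure` and `regenerated_configure` stand in for `git ls-files`, `tar tf` and an `autoreconf` run, and the paths in them are made up.

```shell
#!/bin/sh
# Added example (not from the pgsql-hackers thread): release-tarball checks.
# Every list below is constructed sample data standing in for real tool output.

# Constructed stand-in for `git ls-files` on the tagged commit.
git_files() {
    cat <<'EOF'
configure.ac
src/main.c
tests/run.sh
tests/files/good-1.dat
EOF
}

# Constructed stand-in for `tar tf release.tar.gz` with the top directory stripped.
tarball_files() {
    cat <<'EOF'
configure.ac
configure
src/main.c
tests/run.sh
tests/files/good-1.dat
tests/files/extra-not-in-git.dat
EOF
}

# Files the release process legitimately generates and ships without tracking
# them in git. Anything else missing from git deserves a look.
generated_allowlist() {
    cat <<'EOF'
configure
EOF
}

# Constructed sample of the configure script found inside the tarball.
shipped_configure() {
    cat <<'EOF'
#! /bin/sh
# Generated by GNU Autoconf (constructed sample)
ac_build_tests=yes
ac_post_build_hook=tests/files/extra-not-in-git.dat
exit 0
EOF
}

# Constructed sample of configure as regenerated from configure.ac in git.
regenerated_configure() {
    cat <<'EOF'
#! /bin/sh
# Generated by GNU Autoconf (constructed sample)
ac_build_tests=yes
exit 0
EOF
}

# Print every line produced by command "$1" that command "$2" does not
# produce (a line-set difference, order of "$1" preserved).
# Returns 0 when nothing is left over, 1 when at least one line is flagged.
only_in_first() {
    extra=$(
        { "$2" | sed 's/^/K /'; "$1" | sed 's/^/T /'; } | awk '
            substr($0, 1, 2) == "K " { known[substr($0, 3)] = 1; next }
            substr($0, 1, 2) == "T " && !(substr($0, 3) in known) { print substr($0, 3) }'
    )
    [ -n "$extra" ] && printf '%s\n' "$extra"
    [ -z "$extra" ]
}

# Everything a tarball may contain without raising a flag: tracked files plus
# the generated-file allow-list.
known_files() { git_files; generated_allowlist; }

# Check 1: files in the tarball that are neither in git nor allow-listed.
tarball_only_files() { only_in_first tarball_files known_files; }

# Check 2: lines in the shipped configure that regeneration does not produce.
configure_extra_lines() { only_in_first shipped_configure regenerated_configure; }

# Stand-alone usage: print whatever each check flags.
echo "== tarball files not tracked in git (generated files allowed) =="
tarball_only_files || echo "   -> FAIL"
echo "== lines in shipped configure absent from regenerated configure =="
configure_extra_lines || echo "   -> FAIL"
```

In a real release check the four sample functions are replaced by `git ls-files`, `tar tf`, the shipped script and the output of `autoreconf` on a clean checkout. The line-set comparison ignores ordering and duplicate lines, which makes it a quick triage rather than a proof of equivalence; a full `diff` of the shipped and regenerated `configure` remains the authoritative step, and the tarball comparison should run on the same commit the tarball claims to be built from.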
