public inbox for [email protected]  
help / color / mirror / Atom feed
From: Bruce Momjian <[email protected]>
To: PostgreSQL-development <[email protected]>
Subject: Security lessons from liblzma
Date: Fri, 29 Mar 2024 18:37:24 -0400
Message-ID: <[email protected]> (raw)

You might have seen reports today about a very complex exploit added to
recent versions of liblzma.  Fortunately, it was only enabled two months
ago and has not been pushed to most stable operating systems like Debian
and Ubuntu.  The original detection report is:

        https://www.openwall.com/lists/oss-security/2024/03/29/4

And this ycombinator discussion has details:

        https://news.ycombinator.com/item?id=39865810

        It looks like an earlier commit with a binary blob "test data"
        contained the bulk of the backdoor, then the configure script
        enabled it, and then later commits patched up valgrind errors
        caused by the backdoor. See the commit links in the "Compromised
        Repository" section.

and I think the configure came in through the autoconf output file
'configure', not configure.ac:

        This is my main take-away from this. We must stop using upstream
        configure and other "binary" scripts. Delete them all and run
        "autoreconf -fi" to recreate them. (Debian already does something
        like this I think.)

Now, we don't take pull requests, and all our committers are known
individuals, but this might have cautionary lessons for us.

-- 
  Bruce Momjian  <[email protected]>        https://momjian.us
  EDB                                      https://enterprisedb.com

  Only you can decide what is important to you.






view thread (14+ messages)  latest in thread

reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Reply to all the recipients using the --to and --cc options:
  reply via email

  To: [email protected]
  Cc: [email protected]
  Subject: Re: Security lessons from liblzma
  In-Reply-To: <[email protected]>

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox