On Mon, 2024-04-01 at 23:37 +0200, Kevin Kofler via devel wrote:
Adam Williamson wrote:
> > * Deleting ALL files automatically generated or imported by autotools in
> > %prep, THEN running "autoreconf -i -f". (DO NOT trust autoreconf, it
> > would NOT have done the right thing here. Delete the files, THEN run
> > autoreconf.)
>
> No. This would not have avoided the attack, because it would not have
> regenerated the malicious file. We have already established that.
Just running autoreconf would not. As I wrote: "DO NOT trust autoreconf, it
would NOT have done the right thing here." Deleting the file with an
explicit rm -f in %prep, and THEN running autoreconf would have regenerated
(reimported, actually, this comes from gnulib and is copied unchanged, but
in any case it would NOT have contained the malicious additions) the file.
That said, autoreconf needs fixing too, because -f is supposed to regenerate
all files that can be regenerated, which is not happening. But if you
explicitly delete the files before running autoreconf, then it has to
regenerate them no matter what.
Sure, but as others posted upthread, this still doesn't help much. To
do this you have to know what m4s are 'standard' and will actually be
regenerated, and which are custom and you can't wipe them. And then an
attacker could just slip in an extra custom one instead of modifying a
'standard' one.
--
Adam Williamson (he/him/his)
Fedora QA
Fedora Chat: @adamwill:fedora.im | Mastodon: @adamw(a)fosstodon.org
https://www.happyassassin.net