From: Remco van 't Veer <remco@remworks.net>
To: Maxime Devos <maximedevos@telenet.be>
Cc: 56322@debbugs.gnu.org
Subject: bug#56322: Ruby packaging issues
Date: Thu, 25 Aug 2022 12:44:26 +0200 [thread overview]
Message-ID: <87sflkk3g5.fsf@remworks.net> (raw)
In-Reply-To: <171276f3-bcb2-abfc-b9a9-705059f8605f@telenet.be>
2022/08/24 20:38, Maxime Devos:
> We have a bunch of old rubies packaged, maybe it can be generated with
> one of the old versions? Though possibly the old versions have the
> same problem, I haven't checked.
Older rubies need ruby to compile too, I checked. To totally getting
rid of parse.c is not easy.
> If not: fully properly generating it might not be possible, but
> something in-between could be an option:
>
> 1. First, use the pre-generated parse.c.
> 2. Once ruby is built, regenerate the parse.c, and verify that it is
> the same as the old parse.c (ignoring the timestamp)
>
>> What's to gain by this?
>
> (1) I would assume it is much easier to hide malware in a generated
> file like parse.c than in the real source code (*) (IIRC, the .c code
> generated by bison is much longer than the .y). By generating the
> parse.c, the potential issue is side-stepped; any security reviewers
> wouldn't even have to look at parse.c because the pre-generated
> parse.c isn't used, it's regenerated.
By using one ruby to support compiling the others said security reviewer
can focus on one particular parse.c. It's big but reviewing it seems
doable but I am no security reviewer.
> (2) Also: generators like Bison can have bugs, fixed in later
> versions. Now imagine that Bison had, say, a buffer overflow bug, and
> that distro's just used the pre-generated parse.c. Then once a fixed
> version of Bison comes out, we would have to check every package to
> see if it has a pre-generated parser. It would be much less stressful
> to just always generate parsers from source, then once the version of
> Bison in Guix is updated then all packages automatically get the
> buffer overflow fix.
>
> I don't think my in-between proposal helps much with (1) in case of a
> competent attacker (though it could stop some insufficiently
> sophisticated attacks where the parse.c malware doesn't try to subvert
> the later check), but it still helps with (2) -- it at least detects
> if ruby used an old bison (and hence that a patch might be in order)
The two phase build approach (first building with parse.c and then using
that ruby as native-input for a package with parse.c removed) seems to
work but with some notes. Rubies 2.7 and up work fine with bison
current in guix (bison-3.7.6) but ruby-2.6 (and possibly down) don't
because they trigger some incompatibility between bison-3.5.1 (stated as
parse.c generator in ruby-2.6) and bison-3.7.6.
I tried bison-3.0 from gnu/packages/bison for ruby-2.6 and it works but
using that kinda defeats the ".. automatically get the buffer overflow
fix" argument. I'd say, it doesn't really matter for ruby-2.6 and down
since they are EOL anyway and should at some point be removed from guix.
I'll post a patch after this message for feedback. In it a new package
is introduced based on ruby-2.7 named baseruby which is compiled with
the parse.c from the tarball, ruby-2.7 and up will delete parse.c before
build and have extra native-inputs on baseruby and bison to support the
magic.
Cheers,
Remco
next prev parent reply other threads:[~2022-08-25 10:45 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-06-30 11:15 bug#56322: Ruby packaging issues Maxime Devos
2022-08-24 15:24 ` Remco van 't Veer
2022-08-24 18:38 ` Maxime Devos
2022-08-25 10:44 ` Remco van 't Veer [this message]
2022-08-24 18:41 ` Maxime Devos
2022-08-24 15:27 ` bug#56322: [PATCH 0/2] " Remco van 't Veer
2022-08-24 15:27 ` bug#56322: [PATCH 1/2] gnu: ruby: trigger autotools bootstrap Remco van 't Veer
2022-08-24 15:27 ` bug#56322: [PATCH 2/2] gnu: ruby: fix unbundling of libffi for inheriting rubies Remco van 't Veer
2022-08-25 10:45 ` bug#56322: [PATCH] gnu: ruby: regenerate parse.c Remco van 't Veer
2022-10-08 10:01 ` bug#56322: Debbug 56322, Ruby packaging issues, ping? Remco van 't Veer
2022-10-09 9:15 ` Maxime Devos
2022-10-10 5:05 ` Remco van 't Veer
2022-10-10 10:27 ` Maxime Devos
2022-10-12 13:35 ` bug#56322: [PATCH core-updates 0/3] Ruby packaging issues Remco van 't Veer
2022-10-12 13:35 ` bug#56322: [PATCH core-updates 1/3] gnu: ruby: trigger autotools bootstrap Remco van 't Veer
2022-10-12 13:35 ` bug#56322: [PATCH core-updates 2/3] gnu: ruby: fix unbundling of libffi for inheriting rubies Remco van 't Veer
2022-10-12 13:35 ` bug#56322: [PATCH core-updates 3/3] gnu: ruby: regenerate parse.c Remco van 't Veer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87sflkk3g5.fsf@remworks.net \
--to=remco@remworks.net \
--cc=56322@debbugs.gnu.org \
--cc=maximedevos@telenet.be \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).