From: Bengt Richter
To: Leo Famulari
Cc: guix-devel@gnu.org
Date: Mon, 1 Nov 2021 16:04:00 +0100
Subject: Re: "Trojan Source" (CVE-2021-42574 and CVE-2021-42694): can 'guix lint' help someway?
Message-ID: <20211101150400.GA11627@LionPure>
References: <87fssgi04h.fsf@xelera.eu>
List-Id: "Development of GNU Guix and the GNU System distribution."
Hi,

On +2021-11-01 09:38:28 -0400, Leo Famulari wrote:
> On Mon, Nov 01, 2021 at 12:30:38PM +0100, Giovanni Biscuolo wrote:
> > As probably many of you have discovered, two new vulnerabilities were
> > announced today that exploit the "bidirectional override" Unicode
> > codepoints feature, making it possible to hide malicious source code in
> > comments and literal strings /if/ the code review tool (e.g. editor)
> > does not show this.
>
> We need to check our own Git repository history for the tricky
> codepoints.
>
> > Is there a way for "guix lint" to check for the listed (other?)
> > "dangerous" codepoints and warn code reviewers?
>
> Yeah, we could implement this. It might be expensive but one has to
> unpack the source code anyways.
>
> However, I think that this attack is, in general, not within the scope
> of Guix's security model, because:
>
> 1) Guix implicitly trusts the source code that it fetches from upstream.
>
> 2) Guix explicitly fetches the source code from upstream — Guix
> committers do not provide a copy of the upstream code (of unprovable
> provenance) as they do in other distros.
>
> If an attacker can make malicious modifications to the code distributed
> by an upstream project, it's not relevant to Guix if they use homoglyphs
> or a buffer overflow. Guix developers do not inspect upstream source
                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> code for vulnerabilities.
  ^^^^^^^^^^^^^^^^^^^^^^^^
>

... but: they do become aware of such vulnerabilities, and could e.g.
manually append a line to a blacklist, hash-identifying upstream files to
avoid their further use by guix, directly or in dependencies.
IOW, ISTM the trusting of upstream should not be unconditional, and trust
policy implementation should make possible instantly effective (i.e., on
blacklist update) firewalling of guix users from further downloading of the
tainted files, and hopefully automatic identification of past potentially
corrupting uses.

I imagine some developers might want to allow downloading blacklisted files
e.g. to test workarounds etc, so some --allow-blacklisted=foofile,barfile,...
option might be needed, but the casual client installing a guix package
should be protected.

In the latter case, maybe an automatic substitute for the blacklisted file
could be provided that would generate informative hints when used in a build
instead of aborting the whole thing. A flag in the blacklist line might be a
way to select alternative automated actions?

> What do others think?
>

-- 
Regards,
Bengt Richter
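The check Giovanni asks about, written out as an added example that is not part of this thread and not Guix's own `guix lint` code (Guix is written in Guile; this is a stand-alone Python sketch of the same idea). It scans text for the nine bidirectional control code points named in the Trojan Source disclosure (CVE-2021-42574), reports each one with a 1-based line and column plus its Unicode name, and prints the affected line with the controls made visible so a reviewer can read the tokens in the order the compiler sees them. The function names and the `SAMPLE` input are this example's own constructions; the code point ranges come from the Unicode standard.

```python
#!/usr/bin/env python3
"""Added example: lint source text for Unicode bidirectional control characters.

Flags every code point from the "Trojan Source" set (CVE-2021-42574): the
embeddings/overrides U+202A..U+202E and the isolates U+2066..U+2069. They are
legitimate in prose, but in source code an editor that honours them can display
tokens in an order the compiler never sees. Names and sample are constructed.
"""
import sys
import unicodedata

# Code points flagged by the Trojan Source disclosure.
BIDI_CONTROLS = frozenset(
    [chr(cp) for cp in range(0x202A, 0x202F)]    # LRE, RLE, PDF, LRO, RLO
    + [chr(cp) for cp in range(0x2066, 0x206A)]  # LRI, RLI, FSI, PDI
)


def find_bidi_controls(text):
    """Return (line, column, 'U+XXXX', unicode name) for each bidi control.

    Line and column are 1-based and count code points, so the column matches
    what a reviewer sees in an editor rather than a byte offset.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                findings.append((lineno, col, f"U+{ord(ch):04X}", unicodedata.name(ch)))
    return findings


def make_visible(line):
    """Replace each bidi control with an ASCII marker so the logical order of
    the line (the order the compiler reads) is visible in any terminal."""
    return "".join(f"<U+{ord(ch):04X}>" if ch in BIDI_CONTROLS else ch for ch in line)


def scan_text(name, text):
    """Print findings for one input; return True if the text is clean."""
    findings = find_bidi_controls(text)
    lines = text.splitlines()
    for lineno, col, cp, cname in findings:
        print(f"{name}:{lineno}:{col}: {cp} {cname}")
        print(f"    {make_visible(lines[lineno - 1])}")
    return not findings


# Constructed sample: an RLO/PDF pair hidden inside an otherwise ordinary comment.
SAMPLE = (
    "int admin = 0;\n"
    "int x = 1; /* \u202e harmless-looking comment \u202c */\n"
    "return x;\n"
)


def main(argv):
    """Scan the files named in argv ('-' for stdin); exit 1 if anything is found."""
    clean = True
    for path in argv[1:] or ["-"]:
        if path == "-":
            # Decode leniently: git output may contain non-UTF-8 bytes.
            text = sys.stdin.buffer.read().decode("utf-8", errors="replace")
        else:
            with open(path, encoding="utf-8", errors="replace") as f:
                text = f.read()
        clean &= scan_text(path, text)
    return 0 if clean else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Because the exit status is non-zero on any finding, the script can run as a pre-commit hook, and Leo's repository-history check maps onto `git log -p | python3 bidi_lint.py -`. It deliberately says nothing about the homoglyph half of the disclosure (CVE-2021-42694), which needs a confusables table rather than a fixed set of code points.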