Newsgroups: php.internals
Date: Fri, 29 Mar 2024 23:31:26 +0100 (GMT+01:00)
From: daniil.gentili@gmail.com (Daniil Gentili)
To: security@php.net, internals@lists.php.net
Subject: [PHP-DEV] Consider removing autogenerated files from tarballs

In light of the recent supply chain attack in xz/lzma, leading to a backdoor in openSSH (https://www.openwall.com/lists/oss-security/2024/03/29/4), I believe that it would be a good idea to remove the huge attack surface offered by the pre-generated autoconf build scripts and lexers, offered in the release tarballs.

In particular, the xz supply chain attack injected the exploit with a few obfuscated lines, manually added to the end of the pre-generated configure script, that was only bundled in the tarballs.

Even if the exploits themselves were committed to the repo in the form of test files, the code that actually injected the exploit in the library was not committed to the repo, and was only present in the pre-generated configure script in the tarball: this injection mode makes sense, as extra files in the tarball not present in the git repo would raise suspicions, but machine-generated configure scripts containing hundreds of thousands of lines of code not present in the upstream VCS are the norm, and are usually not checked before execution.

Specifically in the case of PHP, along with the configure script, the tarball also bundles generated lexer files which contain actual C code, which is an additional attack vector. For example, here's the diff between the tarball of the 8.3.4 release and the PHP-8.3.4 tag on the git repo:

```
~ $ diff -r php-8.3.4 php-src -q
Only in php-src: .git
Files php-8.3.4/NEWS and php-src/NEWS differ
Files php-8.3.4/Zend/zend.h and php-src/Zend/zend.h differ
Only in php-8.3.4/Zend: zend_ini_parser.c
Only in php-8.3.4/Zend: zend_ini_parser.h
Only in php-8.3.4/Zend: zend_ini_parser.output
Only in php-8.3.4/Zend: zend_ini_scanner.c
Only in php-8.3.4/Zend: zend_ini_scanner_defs.h
Only in php-8.3.4/Zend: zend_language_parser.c
Only in php-8.3.4/Zend: zend_language_parser.h
Only in php-8.3.4/Zend: zend_language_parser.output
Only in php-8.3.4/Zend: zend_language_scanner.c
Only in php-8.3.4/Zend: zend_language_scanner_defs.h
Only in php-8.3.4: configure
Files php-8.3.4/configure.ac and php-src/configure.ac differ
Only in php-8.3.4/ext/json: json_parser.tab.c
Only in php-8.3.4/ext/json: json_parser.tab.h
Only in php-8.3.4/ext/json: json_scanner.c
Only in php-8.3.4/ext/json: php_json_scanner_defs.h
Only in php-8.3.4/ext/pdo: pdo_sql_parser.c
Only in php-8.3.4/ext/phar: phar_path_check.c
Only in php-8.3.4/ext/standard: url_scanner_ex.c
Only in php-8.3.4/ext/standard: var_unserializer.c
Only in php-8.3.4/main: php_config.h.in
Files php-8.3.4/main/php_version.h and php-src/main/php_version.h differ
Only in php-8.3.4/pear: install-pear-nozlib.phar
Only in php-8.3.4/sapi/phpdbg: phpdbg_lexer.c
Only in php-8.3.4/sapi/phpdbg: phpdbg_parser.c
Only in php-8.3.4/sapi/phpdbg: phpdbg_parser.h
Only in php-8.3.4/sapi/phpdbg: phpdbg_parser.output
```

To prevent attacks from malevolent/compromised RMs, I propose completely removing all autogenerated files from the release tarballs, and ensuring their content exactly matches the content of the associated git tag (this means also removing the -dev prefix from the version number in main/php_version.h, Zend/zend.h, configure.ac and NEWS in the git tag).

Of course this means that users will have to generate the build scripts when compiling PHP, as when installing PHP from the VCS repo.

I'm sending a copy of this email to security@php.net as well.
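The tarball-versus-tag comparison above, turned into a check a packager or CI job can gate on. This is an added example, not code from the post or from php-src; it assumes the tarball has already been unpacked next to a checkout of the release tag, and the directory names are placeholders.

```sh
#!/bin/sh
# Added example (not from the original post or from php-src): compare an
# unpacked release tarball against a git checkout of the matching tag.
# Any file that exists only in the tarball (generated configure script,
# lexers, parsers) or whose content differs is a finding; a non-empty
# finding list makes the check fail so it can gate a build.

# Usage: tarball_matches_tag <unpacked-tarball-dir> <git-checkout-dir>
# Prints every difference; returns 0 only when the trees are identical
# apart from the .git metadata directory.
tarball_matches_tag() {
    # diff -r walks both trees, -q reports names only, -x skips .git.
    # diff exits 1 when trees differ; "|| :" keeps that from aborting
    # callers that run under "set -e".
    findings=$(diff -rq -x .git "$1" "$2" 2>&1 || :)
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Usage: tarball_only_files <unpacked-tarball-dir> <git-checkout-dir>
# Lists only files present in the tarball but absent from the tag, i.e.
# the machine-generated artifacts nobody reviewed in the VCS, one path
# per line ("Only in DIR: NAME" becomes "DIR/NAME").
tarball_only_files() {
    diff -rq -x .git "$1" "$2" 2>/dev/null | awk -v d="$1" '
        {
            p = "Only in " d
            if (index($0, p) != 1) next
            # Require the prefix to end exactly at a "/" or ":" so that
            # a tarball dir named php-8.3 does not match php-8.3.4.
            c = substr($0, length(p) + 1, 1)
            if (c != "/" && c != ":") next
            sub(/^Only in /, ""); sub(/: /, "/"); print
        }'
}

# Stand-alone usage: sh check_tarball.sh php-8.3.4 php-src
if [ "$#" -eq 2 ]; then
    tarball_matches_tag "$1" "$2" && echo "OK: tarball matches tag"
fi
```

Once the generated files are gone from the tarball and the -dev markers are dropped from the tag, as the post proposes, `tarball_matches_tag` returns 0 and the release is reproducible from the tag alone.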